Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
17-08-2024 04:06
Static task
static1
Behavioral task
behavioral1
Sample
FTE98767800000.bat.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
FTE98767800000.bat.exe
Resource
win10v2004-20240802-en
General
-
Target
FTE98767800000.bat.exe
-
Size
1.4MB
-
MD5
e418c8ddea38739c5fa4e6ee469ffd47
-
SHA1
52ee59d5c7d3768056ac7809aea362e8adbeaa74
-
SHA256
8fcca28a02a116ed9c02bfdcbe3bfb47206592110805aaeda4ad5c55aba82a74
-
SHA512
3879b2ff0821511222cd9de8dc369037df52f655c2be937c4499cd9006049ed3a671c6ccd33f0adfa499aec935e14e388449574b5f282e6f5a230993b9192128
-
SSDEEP
12288:0EOm/U97V194bWub1V5jdJislsmq/aWPNUEFkWsnFvM1XcCDB6iCuIgWPm3A5kIo:m9B19g5V5nxsmqaWPaEXsnfCPu6BH
Malware Config
Extracted
remcos
RemoteHost
192.210.150.26:8787
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Q4NYK2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.bat.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths FTE98767800000.bat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe = "0" FTE98767800000.bat.exe -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/1500-44-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/4144-43-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2816-45-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions FTE98767800000.bat.exe -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/1500-44-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/2816-45-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4980 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools FTE98767800000.bat.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FTE98767800000.bat.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FTE98767800000.bat.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation FTE98767800000.bat.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths FTE98767800000.bat.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions FTE98767800000.bat.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe = "0" FTE98767800000.bat.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts csc.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.bat.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FTE98767800000.bat.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum FTE98767800000.bat.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 FTE98767800000.bat.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2784 set thread context of 4864 2784 FTE98767800000.bat.exe 89 PID 4864 set thread context of 2816 4864 csc.exe 98 PID 4864 set thread context of 1500 4864 csc.exe 99 PID 4864 set thread context of 4144 4864 csc.exe 100 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csc.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 4980 powershell.exe 4980 powershell.exe 4144 csc.exe 4144 csc.exe 2816 csc.exe 2816 csc.exe 2816 csc.exe 2816 csc.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 4864 csc.exe 4864 csc.exe 4864 csc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4980 powershell.exe Token: SeDebugPrivilege 4144 csc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4864 csc.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2784 wrote to memory of 4980 2784 FTE98767800000.bat.exe 88 PID 2784 wrote to memory of 4980 2784 FTE98767800000.bat.exe 88 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 4864 2784 FTE98767800000.bat.exe 89 PID 2784 wrote to memory of 2196 2784 FTE98767800000.bat.exe 91 PID 2784 wrote to memory of 2196 2784 FTE98767800000.bat.exe 91 PID 2784 wrote to memory of 2196 2784 FTE98767800000.bat.exe 91 PID 4864 wrote to memory of 2816 4864 csc.exe 98 PID 4864 wrote to memory of 2816 4864 csc.exe 98 PID 4864 wrote to memory of 2816 4864 csc.exe 98 PID 4864 wrote to memory of 2816 4864 csc.exe 98 PID 4864 wrote to memory of 1500 4864 csc.exe 99 PID 4864 wrote to memory of 1500 4864 csc.exe 99 PID 4864 wrote to memory of 1500 4864 csc.exe 99 PID 4864 wrote to memory of 1500 4864 csc.exe 99 PID 4864 wrote to memory of 4144 4864 csc.exe 100 PID 4864 wrote to memory of 4144 4864 csc.exe 100 PID 4864 wrote to memory of 4144 4864 csc.exe 100 PID 4864 wrote to memory of 4144 4864 csc.exe 100 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.bat.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe"C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2784 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FTE98767800000.bat.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4980
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\oclvtahzolezzjvcx"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2816
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ywqousasctwdcprggnvsp"3⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:1500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /stext "C:\Users\Admin\AppData\Local\Temp\ayvynlluqcoqmwfkxyqlsorm"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4144
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵PID:2196
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
144B
MD5bb0adab5629c444c7b72b8a6af556be7
SHA1080c68a9c92485e1983f1999667355ba56a0905c
SHA256d750675613f95484290a35cc019b9d959a981b512ad1fb7d182a7f4462190700
SHA51292edfacda360e79f1b7117c7502ce34dbf44ae5e059851fb0b2f1989c2c85276f9264f3c395ffc89d6a4f9637cc286a9bc9e732633a7aa739f6ed495c1318aef
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5a7e181f6aa185be0ab0ca68b30406fe6
SHA158c86162658dc609615b8b6400f85c92506dfdc8
SHA256c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2
SHA51249969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f