Analysis
-
max time kernel
137s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
18-08-2024 09:19
Static task
static1
Behavioral task
behavioral1
Sample
FTE98767800000.exe
Resource
win7-20240729-en
General
-
Target
FTE98767800000.exe
-
Size
1.4MB
-
MD5
e418c8ddea38739c5fa4e6ee469ffd47
-
SHA1
52ee59d5c7d3768056ac7809aea362e8adbeaa74
-
SHA256
8fcca28a02a116ed9c02bfdcbe3bfb47206592110805aaeda4ad5c55aba82a74
-
SHA512
3879b2ff0821511222cd9de8dc369037df52f655c2be937c4499cd9006049ed3a671c6ccd33f0adfa499aec935e14e388449574b5f282e6f5a230993b9192128
-
SSDEEP
12288:0EOm/U97V194bWub1V5jdJislsmq/aWPNUEFkWsnFvM1XcCDB6iCuIgWPm3A5kIo:m9B19g5V5nxsmqaWPaEXsnfCPu6BH
Malware Config
Extracted
remcos
RemoteHost
192.210.150.26:8787
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-Q4NYK2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FTE98767800000.exe = "0" FTE98767800000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths FTE98767800000.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions FTE98767800000.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3988 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools FTE98767800000.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion FTE98767800000.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion FTE98767800000.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation FTE98767800000.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths FTE98767800000.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions FTE98767800000.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\FTE98767800000.exe = "0" FTE98767800000.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA FTE98767800000.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum FTE98767800000.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 FTE98767800000.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 448 set thread context of 3200 448 FTE98767800000.exe 90 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 4488 3200 WerFault.exe 90 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3988 powershell.exe 3988 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3988 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 448 wrote to memory of 3988 448 FTE98767800000.exe 89 PID 448 wrote to memory of 3988 448 FTE98767800000.exe 89 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 3200 448 FTE98767800000.exe 90 PID 448 wrote to memory of 1532 448 FTE98767800000.exe 92 PID 448 wrote to memory of 1532 448 FTE98767800000.exe 92 PID 448 wrote to memory of 1532 448 FTE98767800000.exe 92 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" FTE98767800000.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FTE98767800000.exe"C:\Users\Admin\AppData\Local\Temp\FTE98767800000.exe"1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FTE98767800000.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3988
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵PID:3200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 243⤵
- Program crash
PID:4488
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"2⤵PID:1532
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3200 -ip 32001⤵PID:3336
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82