Analysis
-
max time kernel
1050s -
max time network
1034s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
29-08-2024 13:11
Behavioral task
behavioral1
Sample
jhl_service.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
jhl_service.exe
Resource
win10v2004-20240802-en
General
-
Target
jhl_service.exe
-
Size
3.5MB
-
MD5
2e5655f2cfebe6357e6388e678f3c073
-
SHA1
f1d6b68d73a8da906368837c1cde74a26a900858
-
SHA256
3c74031a1ddcfbff9691d2992ecd540eb82c4b781bda9ffc5125d40ec712589d
-
SHA512
13477f0bc9a73809e7b069dc441c7fb0023178811f4fe3f39ccbc4b4c412516b612439d8025b0c79c33201c791b343cdcf7dec4a3fe7eabcd3e28b1cf520747f
-
SSDEEP
98304:cUROmKjJqajychmAfNKcA+hv5r61JD4XEdGic/7FW:TsqzcEAfhrr0D4UdGb/hW
Malware Config
Extracted
remcos
RemoteHost
192.3.101.172:9674
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Log
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-54ZTI0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Detected Nirsoft tools 3 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
resource yara_rule behavioral2/memory/2976-57-0x0000000000400000-0x0000000000462000-memory.dmp Nirsoft behavioral2/memory/3276-56-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2400-60-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ jhl_service.exe -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
resource yara_rule behavioral2/memory/2976-57-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
resource yara_rule behavioral2/memory/2400-60-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion jhl_service.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion jhl_service.exe -
Loads dropped DLL 1 IoCs
pid Process 4652 jhl_service.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/memory/4652-28-0x0000000000A30000-0x0000000001392000-memory.dmp themida behavioral2/memory/4652-29-0x0000000000A30000-0x0000000001392000-memory.dmp themida behavioral2/memory/3276-64-0x0000000000A30000-0x0000000001392000-memory.dmp themida -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts jhl_service.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyApp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jhl_service.exe" jhl_service.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jhl_service.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4652 jhl_service.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4652 set thread context of 2400 4652 jhl_service.exe 94 PID 4652 set thread context of 2976 4652 jhl_service.exe 95 PID 4652 set thread context of 3276 4652 jhl_service.exe 96 -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhl_service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhl_service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhl_service.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jhl_service.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3276 jhl_service.exe 3276 jhl_service.exe 2400 jhl_service.exe 2400 jhl_service.exe 2400 jhl_service.exe 2400 jhl_service.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4652 jhl_service.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 4652 jhl_service.exe 4652 jhl_service.exe 4652 jhl_service.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3276 jhl_service.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4652 jhl_service.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4652 wrote to memory of 2400 4652 jhl_service.exe 94 PID 4652 wrote to memory of 2400 4652 jhl_service.exe 94 PID 4652 wrote to memory of 2400 4652 jhl_service.exe 94 PID 4652 wrote to memory of 2400 4652 jhl_service.exe 94 PID 4652 wrote to memory of 2976 4652 jhl_service.exe 95 PID 4652 wrote to memory of 2976 4652 jhl_service.exe 95 PID 4652 wrote to memory of 2976 4652 jhl_service.exe 95 PID 4652 wrote to memory of 2976 4652 jhl_service.exe 95 PID 4652 wrote to memory of 3276 4652 jhl_service.exe 96 PID 4652 wrote to memory of 3276 4652 jhl_service.exe 96 PID 4652 wrote to memory of 3276 4652 jhl_service.exe 96 PID 4652 wrote to memory of 3276 4652 jhl_service.exe 96
Processes
-
C:\Users\Admin\AppData\Local\Temp\jhl_service.exe"C:\Users\Admin\AppData\Local\Temp\jhl_service.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\jhl_service.exeC:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\kdyln"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2400
-
-
C:\Users\Admin\AppData\Local\Temp\jhl_service.exeC:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\ufmdgjhp"2⤵
- Accesses Microsoft Outlook accounts
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Users\Admin\AppData\Local\Temp\jhl_service.exeC:\Users\Admin\AppData\Local\Temp\jhl_service.exe /stext "C:\Users\Admin\AppData\Local\Temp\wzrwhbsjher"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5e1db733e43aa8d065fb7e8669db76524
SHA13f9c62ee28959959271632fdc7f5387d539a1d23
SHA2569e65d9e8ebb895f3b03c95ce64f044c70251fff444a4bcbee83f558b599a614d
SHA5123f6106f32932e72d197865f7b796eba072c8ab20c22b4d205f27de9b9fc6c139be8450ae25541fbdac37a06bc3ec2d1fab3f9b3216201a9231b70fcde6fb8eb3
-
Filesize
144B
MD5f6416ec34f1275639b449698f9132297
SHA1ba9ccafc7e216f5fd69b5a80ed9f734186215d90
SHA256aa16b47fcc5b7836e00425485ac64b272b93262f216069d06a8d5c5f4f4356cb
SHA512083701a30c1414b8a956aa05eae631977a430317ce6e975b19c8c99d03b05fd4dad63221b36c327a0b8f89521a425777aa917244c6ea82f3d4f49e90a41d156b
-
Filesize
230B
MD5f643330e664f46394fe45cdda05e3965
SHA1a87f65d6b3909c8d09b37d04b023761774934dcf
SHA256e304791e988f7a1f22390e63b1fb68931667a533694bf95f6153cdb9d5df0d7d
SHA512f6f724c4bc604c39293cba84e4e19a212ad37ca0483f26ffce132b5d6e9b69c322f0d2eb4b37c1b9a9bec22e6d8fa5dec8e6a7dc1bdbb6512730b659ae30712c
-
Filesize
4KB
MD5faaa2b16df1bfc1a3792faaa35786349
SHA1359534a59d7c5139ae205c24533ba60afdfb9f3f
SHA2563586befc3b8b4da223e2ee0dcb00965ba5c0a205c14f2acefdeec7e46efddd5a
SHA5122fbc79cace52a58e69ab983d034bb41ebb2496f767e18e5e4b31eefc4447c935d8614f744c71302e459350a05562fadc4c2355d76638b595e7cff1bb3d1618db