Analysis
-
max time kernel
419s -
max time network
421s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10-09-2024 16:00
Static task
static1
Behavioral task
behavioral1
Sample
ezyzip.zip
Resource
win10v2004-20240802-en
General
-
Target
ezyzip.zip
-
Size
5.9MB
-
MD5
100aabac8fd8766ba396a03ec81387dc
-
SHA1
e6250df08d0582688a06b0fc3d84a27cc5a29feb
-
SHA256
cbaf643a15c5a72bb396eaf1ff247b9ad1862271c1b35765851b39220102cde7
-
SHA512
bbd39ed1168de1dca7331a1647ba8218b687a9486928a54a9b38b7e53a36042721667e4d730fde0b450868e372e8b73e54417c95e414e3fbadf6427ac4b1bdce
-
SSDEEP
98304:SmMetA4nLjnWWL62vL+kqYv+3DNxTmDqBxVpdgTvM5TtcMTVBJlTbXfS69UH:SmTjWWzyZxyqBxLm05GGzJlTp9+
Malware Config
Extracted
remcos
RemoteHost
privmerkt.com:8922
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-LAI9XP
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3304 2023 TRISHA ORGANIZERpdf.exe 3588 2023 TRISHA ORGANIZERpdf.exe -
Loads dropped DLL 1 IoCs
pid Process 3304 2023 TRISHA ORGANIZERpdf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco = "rundll32.exe C:\\Users\\Admin\\Documents\\CiscoUpdater000_PARTIAL.dll,EntryPoint" reg.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2023 TRISHA ORGANIZERpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2023 TRISHA ORGANIZERpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeRestorePrivilege 2056 7zG.exe Token: 35 2056 7zG.exe Token: SeSecurityPrivilege 2056 7zG.exe Token: SeSecurityPrivilege 2056 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2056 7zG.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4732 wrote to memory of 5088 4732 cmd.exe 104 PID 4732 wrote to memory of 5088 4732 cmd.exe 104 PID 4732 wrote to memory of 5088 4732 cmd.exe 104
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\ezyzip.zip1⤵PID:548
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2832
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\ezyzip\" -spe -an -ai#7zMap26113:92:7zEvent269931⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2056
-
C:\Users\Admin\AppData\Local\Temp\ezyzip\2023 TRISHA ORGANIZERpdf.exe"C:\Users\Admin\AppData\Local\Temp\ezyzip\2023 TRISHA ORGANIZERpdf.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3304 -
C:\Users\Admin\AppData\Local\Temp\ezyzip\2023 TRISHA ORGANIZERpdf.exe"C:\Users\Admin\AppData\Local\Temp\ezyzip\2023 TRISHA ORGANIZERpdf.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3588
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\reg.exereg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5088
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.1MB
MD54864a55cff27f686023456a22371e790
SHA16ed30c0371fe167d38411bfa6d720fcdcacc4f4c
SHA25608c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
SHA5124bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb
-
Filesize
6.3MB
MD56c1d68c7960415c632429da5aa258062
SHA1c4de42e1b1de043c1a4224eacbd429d4fbef5764
SHA2565b9c3d8a7377aa103f13a12bbd81f9d833de987e1a39da3d1b30ef4a30437cfa
SHA5125d3b250636bc6ee96f4b3329a29d0d4b7cbebbcf7f7ed325725b2cbd9830d51f843b472b55f5c34845f90c69fe7f80e803e44b0142df443ab5c53b2af4805e86