Analysis
max time kernel: 299s
max time network: 300s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2024, 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: 77954-668716095406000-20240826160944.pdf.exe
  Resource: win7-20241023-en
General
Target: 77954-668716095406000-20240826160944.pdf.exe
Size: 3.7MB
MD5: 9716314d2e2df9ef07b0a5e62594ec54
SHA1: 4b77033c3a9c5c897c288c57fb5c9c55d57236e9
SHA256: 7d9a4ed0a06ed9371e27c634f50c6aed4ebc1869c4a094287b03a6be4b810c63
SHA512: 5acac2ba47c101095d4b0efaf1737b6044977f9547a846f615be67f9bee77c5f6b1361b95308f26e311642ce39909510a0d80a35607d0571a5ca25b6a83b4ee3
SSDEEP: 24576:CgkzHf6uxcDC8VeaAOJ5o+cPugMB5jrgjafY9M:CgkzHyacDXVei+2FB0jj9M
Malware Config
Extracted family: remcos
Host (C2): oyo.work.gd:3142
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: vlc
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: pdf
mouse_option: false
mutex: jkm-I9KENP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: ios
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Remcos family
UAC bypass
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (77954-668716095406000-20240826160944.pdf.exe)
  Writing EnableLUA = 0 under HKLM disables UAC for every user from the next reboot; the write only succeeds because the sample is already running with administrative rights (the sandbox user is Admin).
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions  (77954-668716095406000-20240826160944.pdf.exe)
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the exclusion is an -ExclusionPath for the sample's own file (see the command line in the process tree).
  PID 2928: powershell.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools  (77954-668716095406000-20240826160944.pdf.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (77954-668716095406000-20240826160944.pdf.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (77954-668716095406000-20240826160944.pdf.exe)
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (77954-668716095406000-20240826160944.pdf.exe)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (77954-668716095406000-20240826160944.pdf.exe)
Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  (77954-668716095406000-20240826160944.pdf.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  (77954-668716095406000-20240826160944.pdf.exe)
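The registry and command-line indicators above are the kind a detection pipeline can match without any Remcos-specific knowledge. The following is an added example, not sandbox output or tooling from the report: the EVENTS list is constructed by hand from the IoCs on this page (PIDs 1372 and 2928) plus one benign row for contrast, and the field names (type, pid, image, target, value, command_line) are this example's own convention, loosely modelled on Sysmon event IDs 1, 12 and 13. It flags the EnableLUA = 0 write, the Add-MpPreference exclusion, the double-extension executable, and counts how many distinct VM/sandbox artefacts one process probed, since several probes from a single process is far stronger evidence than any one of them.

```python
"""Detection logic for the registry and command-line indicators in this report.

Added example: EVENTS is constructed from the report's IoCs, not exported from the
sandbox; field names are this example's own convention (roughly Sysmon 1/12/13)."""
import re
from collections import defaultdict

SAMPLE = "77954-668716095406000-20240826160944.pdf.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events mirroring the report's IoCs (not sandbox output).
EVENTS = [
    {"type": "ProcessCreate", "pid": 1372, "ppid": 1000, "image": SAMPLE_PATH,
     "command_line": f'"{SAMPLE_PATH}"'},
    {"type": "RegistryValueSet", "pid": 1372, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": "0"},
    {"type": "RegistryKeyOpen", "pid": 1372, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"type": "RegistryKeyOpen", "pid": 1372, "image": SAMPLE,
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"type": "RegistryValueQuery", "pid": 1372, "image": SAMPLE,
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "RegistryValueQuery", "pid": 1372, "image": SAMPLE,
     "target": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "RegistryValueQuery", "pid": 1372, "image": SAMPLE,
     "target": r"HKLM\SYSTEM\ControlSet001\services\Disk\Enum\0"},
    {"type": "ProcessCreate", "pid": 2928, "ppid": 1372, "image": POWERSHELL,
     "command_line": f'"{POWERSHELL}" Add-MpPreference -ExclusionPath "{SAMPLE_PATH}" -Force'},
    # Benign contrast row (constructed): reading Defender preferences adds no exclusion.
    {"type": "ProcessCreate", "pid": 4100, "ppid": 900, "image": POWERSHELL,
     "command_line": "powershell.exe -NoProfile Get-MpPreference"},
]

# Registry artefacts that exist only inside a VM, or that reveal the hypervisor/BIOS.
VM_PROBE_KEYS = (
    r"\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"\SOFTWARE\VMware, Inc.\VMware Tools",
    r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"\Services\Disk\Enum",
)
UAC_POLICY_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
# Add-MpPreference with any -Exclusion* parameter (Path, Extension, Process, IpAddress).
MP_EXCLUSION_RE = re.compile(
    r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Extension|Process|IpAddress)\b", re.I | re.S)
# "document.exe" style double extensions, as in the sample's own name.
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|jpg|png|txt)\.exe$", re.I)


def _probes_in(target):
    """VM/sandbox artefact keys contained in a registry path (case-insensitive)."""
    low = target.lower()
    return {k for k in VM_PROBE_KEYS if k.lower() in low}


def detect(events):
    """Return {rule_name: set(pids)} for every rule that fired."""
    hits = defaultdict(set)
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        target = ev.get("target", "")
        if kind == "RegistryValueSet" and UAC_POLICY_RE.search(target) and str(ev.get("value")) == "0":
            hits["uac_disabled_enablelua_0"].add(pid)
        if kind in ("RegistryKeyOpen", "RegistryValueQuery") and _probes_in(target):
            hits["vm_or_sandbox_probe"].add(pid)
        if kind == "ProcessCreate":
            if MP_EXCLUSION_RE.search(ev.get("command_line", "")):
                hits["defender_exclusion_added"].add(pid)
            if DOUBLE_EXT_RE.search(ev.get("image", "")):
                hits["double_extension_executable"].add(pid)
    return dict(hits)


def probe_count(events, pid):
    """Number of distinct VM/sandbox artefacts one process touched."""
    seen = set()
    for ev in events:
        if ev["pid"] == pid and ev["type"] in ("RegistryKeyOpen", "RegistryValueQuery"):
            seen |= _probes_in(ev.get("target", ""))
    return len(seen)


if __name__ == "__main__":
    for rule, pids in sorted(detect(EVENTS).items()):
        print(f"{rule:30s} PIDs {sorted(pids)}")
    print("distinct VM probes by PID 1372:", probe_count(EVENTS, 1372))
```

The EnableLUA rule keys on the value being written rather than merely queried, because reading the key is what the "Checks whether UAC is enabled" signature catches and is far more common in legitimate software; the exclusion rule matches any -Exclusion* parameter so that an extension- or process-based exclusion is caught the same way as the path-based one in this run.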
Suspicious use of SetThreadContext (1 IoC)
  PID 1372 (77954-668716095406000-20240826160944.pdf.exe) set thread context of PID 2188 (procid_target 35)
  Together with the WriteProcessMemory entries below (the parent wrote into 2188 and then replaced its thread context), this is the pattern consistent with process hollowing: wmplayer.exe (PID 2188) hosts the injected code and is the process that later performs the language lookup and installs a Windows hook. procid_target is the sandbox's own process index, not the Windows PID.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (wmplayer.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 2928: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1372 (77954-668716095406000-20240826160944.pdf.exe)
  Token: SeDebugPrivilege, PID 2928 (powershell.exe)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2188: wmplayer.exe
Suspicious use of WriteProcessMemory (32 IoCs)
  All 32 writes originate from PID 1372 (77954-668716095406000-20240826160944.pdf.exe); the report lists one row per write. The distinct source/target pairs are:
  PID 1372 wrote to memory of 2928 (procid_target 32)
  PID 1372 wrote to memory of 2088 (procid_target 34)
  PID 1372 wrote to memory of 2188 (procid_target 35)
  PID 1372 wrote to memory of 3024 (procid_target 36)
System policy modification (1 TTP, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (77954-668716095406000-20240826160944.pdf.exe)
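The SetThreadContext and WriteProcessMemory signatures above only become a process-hollowing verdict once they are correlated per child process: a parent that creates a child, writes into it, and then replaces its thread context. The following is an added example, not sandbox output or tooling from the report. Its event rows are constructed from the PIDs on this page (parent 1372; children 2928, 2088, 2188 and 3024) and reproduce only the distinct source/target pairs, not the 32 individual writes; the field names are this example's own convention, and a real pipeline would map Sysmon events 1, 8 and 10 or an EDR's cross-process API telemetry onto the same three event kinds. Write-only children get a weak verdict on purpose: ordinary process creation on Windows also produces writes into the new child, which is why the report shows writes into powershell.exe (PID 2928) even though that process was not hollowed.

```python
"""Correlate ProcessCreate / WriteProcessMemory / SetThreadContext into a
per-child process-hollowing verdict.

Added example: EVENTS is constructed from the PIDs in this report, not exported
from the sandbox; field names are this example's own convention."""
from collections import defaultdict

PARENT = 1372  # 77954-668716095406000-20240826160944.pdf.exe

# Constructed from the report: children 1372 created, where it wrote, whose
# thread context it replaced. Only distinct pairs are reproduced.
EVENTS = [
    {"type": "ProcessCreate", "pid": 2928, "ppid": PARENT,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "ProcessCreate", "pid": 2088, "ppid": PARENT,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"},
    {"type": "ProcessCreate", "pid": 2188, "ppid": PARENT,
     "image": r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"},
    {"type": "ProcessCreate", "pid": 3024, "ppid": PARENT,
     "image": r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"},
    {"type": "WriteProcessMemory", "source": PARENT, "target": 2928},
    {"type": "WriteProcessMemory", "source": PARENT, "target": 2088},
    {"type": "WriteProcessMemory", "source": PARENT, "target": 2188},
    {"type": "WriteProcessMemory", "source": PARENT, "target": 3024},
    {"type": "SetThreadContext", "source": PARENT, "target": 2188},
]


def classify(events):
    """Return {child_pid: verdict}.

    hollowed              parent created the child, wrote into it, and replaced its thread context
    injected_into_existing a process that did not create the target wrote into it and hijacked a thread
    context_replaced      thread context replaced but no write recorded (unusual; worth a look)
    written               cross-process write only; CreateProcess itself produces these, so weak alone
    created               child created, nothing else seen
    """
    created, written, ctx = {}, defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["type"] == "ProcessCreate":
            created[ev["pid"]] = ev["ppid"]
        elif ev["type"] == "WriteProcessMemory":
            written[ev["target"]].add(ev["source"])
        elif ev["type"] == "SetThreadContext":
            ctx[ev["target"]].add(ev["source"])

    verdicts = {}
    for child in set(created) | set(written) | set(ctx):
        parent = created.get(child)
        if parent is not None and parent in written[child] and parent in ctx[child]:
            verdicts[child] = "hollowed"
        elif ctx[child] & written[child]:
            verdicts[child] = "injected_into_existing"
        elif ctx[child]:
            verdicts[child] = "context_replaced"
        elif written[child]:
            verdicts[child] = "written"
        else:
            verdicts[child] = "created"
    return verdicts


def hollowed_hosts(events):
    """(pid, image) of every process judged hollowed: the real payload lives there,
    so these are the processes to dump and scan, not the parent on disk."""
    images = {ev["pid"]: ev["image"] for ev in events if ev["type"] == "ProcessCreate"}
    return sorted((pid, images.get(pid, "?"))
                  for pid, verdict in classify(events).items() if verdict == "hollowed")


if __name__ == "__main__":
    for pid, verdict in sorted(classify(EVENTS).items()):
        print(f"PID {pid}: {verdict}")
    print("hollowed hosts:", hollowed_hosts(EVENTS))
```

On this report the only "hollowed" verdict is PID 2188 (the first wmplayer.exe), which matches the signatures that follow it: the language lookup and SetWindowsHookEx are attributed to wmplayer.exe, not to the dropper. The second wmplayer.exe (3024) and aspnet_wp.exe (2088) were written to but never had a thread context set, so the example leaves them at "written".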
Processes
C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe"
  PID: 1372
  - UAC bypass
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe" -Force
      PID: 2928
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
      PID: 2088
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      PID: 2188
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
      Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
      PID: 3024
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (1): Disable or Modify Tools (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (2)
Downloads
Filesize: 144B
MD5: 7f06237694441d6c770c3598ba4f95f2
SHA1: 37b996c5dce136dcf6d434df9534b1b51960ac5f
SHA256: 4dea512c815030dc89ae42d139fff37e27544eba7bbb2b0862c98f48de029d88
SHA512: dee250b5125bc3b9943ec7f191ff535ae6c67f1cd81cb8edbdb0e2897ff18318183cfd594786448128fdd631c0a623e2897b3084914ea62e01e8c0b32066196a