Analysis
- max time kernel: 300s
- max time network: 304s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31/10/2024, 02:37
Static task: static1
Behavioral task: behavioral1
Sample: 77954-668716095406000-20240826160944.pdf.exe
Resource: win7-20241023-en
General
- Target: 77954-668716095406000-20240826160944.pdf.exe
- Size: 3.7MB
- MD5: 9716314d2e2df9ef07b0a5e62594ec54
- SHA1: 4b77033c3a9c5c897c288c57fb5c9c55d57236e9
- SHA256: 7d9a4ed0a06ed9371e27c634f50c6aed4ebc1869c4a094287b03a6be4b810c63
- SHA512: 5acac2ba47c101095d4b0efaf1737b6044977f9547a846f615be67f9bee77c5f6b1361b95308f26e311642ce39909510a0d80a35607d0571a5ca25b6a83b4ee3
- SSDEEP: 24576:CgkzHf6uxcDC8VeaAOJ5o+cPugMB5jrgjafY9M:CgkzHyacDXVei+2FB0jj9M
Malware Config
Extracted: remcos
- Host: oyo.work.gd:3142
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: vlc
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: pdf
- mouse_option: false
- mutex: jkm-I9KENP
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: ios
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family
- UAC bypass
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 77954-668716095406000-20240826160944.pdf.exe)
- Windows security bypass
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (process: 77954-668716095406000-20240826160944.pdf.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe = "0" (process: 77954-668716095406000-20240826160944.pdf.exe)
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: 77954-668716095406000-20240826160944.pdf.exe)
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  - PID 4484: powershell.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (process: 77954-668716095406000-20240826160944.pdf.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 77954-668716095406000-20240826160944.pdf.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 77954-668716095406000-20240826160944.pdf.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: 77954-668716095406000-20240826160944.pdf.exe)
- Windows security modification
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions (process: 77954-668716095406000-20240826160944.pdf.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe = "0" (process: 77954-668716095406000-20240826160944.pdf.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (process: 77954-668716095406000-20240826160944.pdf.exe)
- Checks whether UAC is enabled
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 77954-668716095406000-20240826160944.pdf.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 77954-668716095406000-20240826160944.pdf.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 77954-668716095406000-20240826160944.pdf.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: 77954-668716095406000-20240826160944.pdf.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 2388 (77954-668716095406000-20240826160944.pdf.exe) set thread context of PID 4388 (procid_target 95)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: aspnet_wp.exe)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - PID 4484: powershell.exe (3 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 2388 (77954-668716095406000-20240826160944.pdf.exe)
  - Token: SeDebugPrivilege, PID 4484 (powershell.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 4388: aspnet_wp.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  - PID 2388 (77954-668716095406000-20240826160944.pdf.exe) wrote to memory of PID 4484 (procid_target 91): 2 entries
  - PID 2388 (77954-668716095406000-20240826160944.pdf.exe) wrote to memory of PID 1848 (procid_target 92): 10 entries
  - PID 2388 (77954-668716095406000-20240826160944.pdf.exe) wrote to memory of PID 4388 (procid_target 95): 12 entries
  - PID 2388 (77954-668716095406000-20240826160944.pdf.exe) wrote to memory of PID 928 (procid_target 96): 3 entries
- System policy modification (1 TTP, 1 IoC)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 77954-668716095406000-20240826160944.pdf.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe (PID 2388)
  Command line: "C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe"
  Signatures:
  - UAC bypass
  - Windows security bypass
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Child processes:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4484)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\77954-668716095406000-20240826160944.pdf.exe" -Force
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\svchost.exe (PID 1848)
    Command line: "C:\Windows\System32\svchost.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (PID 4388)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
    Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (PID 928)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Impair Defenses (3)
    - Disable or Modify Tools (3)
  - Modify Registry (4)
  - Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 144B
  MD5: 375d2d2b9d88fa53c873a11188c34fc0
  SHA1: caba0078ec7ef618c175758e6406dbad3bbf2d40
  SHA256: 5c47a8af74ff4ba640dd5032ba8b36838048db9deda6c9c6ce307953e821c44d
  SHA512: 0ad556eced9d2fc1068f7d9cd51288101811df831d5234bb019ae18e3ec47e32c976375ff8dc63ea933effc7d181bc99e3c592855b83f06914ca06204d83c6e4
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82