Overview

Score summary
- Overview: 10
- Static (static): 3
- Behavioral tasks: 30 tasks (15 samples, each run on windows7-x64 and windows10-2004-x64), score 10 each

Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 10-11-2024 21:38
Tasks

Task          Type        Sample                        Resource
static1       Static      -                             -
behavioral1   Behavioral  mixazed_20210808-071120.exe   win7-20240903-en
behavioral2   Behavioral  mixazed_20210808-071120.exe   win10v2004-20241007-en
behavioral3   Behavioral  mixazed_20210808-075823.exe   win7-20240903-en
behavioral4   Behavioral  mixazed_20210808-075823.exe   win10v2004-20241007-en
behavioral5   Behavioral  mixazed_20210808-090104.exe   win7-20240903-en
behavioral6   Behavioral  mixazed_20210808-090104.exe   win10v2004-20241007-en
behavioral7   Behavioral  mixazed_20210808-093225.exe   win7-20240903-en
behavioral8   Behavioral  mixazed_20210808-093225.exe   win10v2004-20241007-en
behavioral9   Behavioral  mixazed_20210808-094806.exe   win7-20240903-en
behavioral10  Behavioral  mixazed_20210808-094806.exe   win10v2004-20241007-en
behavioral11  Behavioral  mixazed_20210808-103507.exe   win7-20241023-en
behavioral12  Behavioral  mixazed_20210808-103507.exe   win10v2004-20241007-en
behavioral13  Behavioral  mixazed_20210808-113748.exe   win7-20240903-en
behavioral14  Behavioral  mixazed_20210808-113748.exe   win10v2004-20241007-en
behavioral15  Behavioral  mixsix_20210808-081411.exe    win7-20240903-en
behavioral16  Behavioral  mixsix_20210808-081411.exe    win10v2004-20241007-en
behavioral17  Behavioral  usfive_20210807-233729.exe    win7-20240903-en
behavioral18  Behavioral  usfive_20210807-233729.exe    win10v2004-20241007-en
behavioral19  Behavioral  usfive_20210808-050619.exe    win7-20240903-en
behavioral20  Behavioral  usfive_20210808-050619.exe    win10v2004-20241007-en
behavioral21  Behavioral  usfive_20210808-053738.exe    win7-20241010-en
behavioral22  Behavioral  usfive_20210808-053738.exe    win10v2004-20241007-en
behavioral23  Behavioral  usfive_20210808-090122.exe    win7-20241023-en
behavioral24  Behavioral  usfive_20210808-090122.exe    win10v2004-20241007-en
behavioral25  Behavioral  usfive_20210808-101945.exe    win7-20240903-en
behavioral26  Behavioral  usfive_20210808-101945.exe    win10v2004-20241007-en
behavioral27  Behavioral  usfive_20210808-112226.exe    win7-20240903-en
behavioral28  Behavioral  usfive_20210808-112226.exe    win10v2004-20241007-en
behavioral29  Behavioral  usfive_20210808-120926.exe    win7-20240903-en
behavioral30  Behavioral  usfive_20210808-120926.exe    win10v2004-20241007-en
General

- Target: mixazed_20210808-071120.exe
- Size: 542KB
- MD5: bdff95108f1380b097200f1a1063775c
- SHA1: ae61a14382009adde7b63fc0d2cac23cba715dfe
- SHA256: 874e9527126f7470fb2482a75d1e8016f988c7ed7b417ae7e0a991e49bc094a5
- SHA512: 8592f307efeb628e81167f693dc85d8ed54531f9540dc6cab1d35b76546b763448cab7e38380e35c8365678f798ba1a296e72044374a82f40fe7b3157b4f02e2
- SSDEEP: 12288:3NfcfEpahAGNjIlJbkGaDmZ0uNEQxUbzkMbbzScgC:efSal+kG4w0uNEQxUbIp
Malware Config

Extracted
- Family: remcos
- Version: 3.1.5 Pro
- Botnet: winslogon
- C2: 178.18.247.224:45265
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: winslogon.exe
- copy_folder: sys
- delete_file: true
- hide_file: false
- hide_keylog_file: true
- install_flag: true
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: sys
- keylog_path: %AppData%
- mouse_option: false
- mutex: winslogon-QT8NX3
- screenshot_crypt: true
- screenshot_flag: true
- screenshot_folder: systemp
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: winslogon
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures

Remcos family

UAC bypass (2 IoCs)
  Description | IoC | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe

Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | mixazed_20210808-071120.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\"" | mixazed_20210808-071120.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | winslogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\"" | winslogon.exe

Deletes itself (1 IoC)
  PID | Process
  1600 | WScript.exe

Executes dropped EXE (1 IoC)
  PID | Process
  2724 | winslogon.exe

Loads dropped DLL (2 IoCs)
  PID | Process
  776 | cmd.exe
  776 | cmd.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\"" | winslogon.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\"" | winslogon.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\"" | mixazed_20210808-071120.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winslogon = "\"C:\\Users\\Admin\\AppData\\Roaming\\sys\\winslogon.exe\"" | mixazed_20210808-071120.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mixazed_20210808-071120.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winslogon.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe

Modifies registry key (1 TTP, 2 IoCs)
  PID | Process
  2748 | reg.exe
  1784 | reg.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID | Process
  2724 | winslogon.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  Description | PID | Process | procid_target
  PID 2416 wrote to memory of 1864 | 2416 | mixazed_20210808-071120.exe | 30
  PID 2416 wrote to memory of 1864 | 2416 | mixazed_20210808-071120.exe | 30
  PID 2416 wrote to memory of 1864 | 2416 | mixazed_20210808-071120.exe | 30
  PID 2416 wrote to memory of 1864 | 2416 | mixazed_20210808-071120.exe | 30
  PID 1864 wrote to memory of 1784 | 1864 | cmd.exe | 32
  PID 1864 wrote to memory of 1784 | 1864 | cmd.exe | 32
  PID 1864 wrote to memory of 1784 | 1864 | cmd.exe | 32
  PID 1864 wrote to memory of 1784 | 1864 | cmd.exe | 32
  PID 2416 wrote to memory of 1600 | 2416 | mixazed_20210808-071120.exe | 33
  PID 2416 wrote to memory of 1600 | 2416 | mixazed_20210808-071120.exe | 33
  PID 2416 wrote to memory of 1600 | 2416 | mixazed_20210808-071120.exe | 33
  PID 2416 wrote to memory of 1600 | 2416 | mixazed_20210808-071120.exe | 33
  PID 1600 wrote to memory of 776 | 1600 | WScript.exe | 35
  PID 1600 wrote to memory of 776 | 1600 | WScript.exe | 35
  PID 1600 wrote to memory of 776 | 1600 | WScript.exe | 35
  PID 1600 wrote to memory of 776 | 1600 | WScript.exe | 35
  PID 776 wrote to memory of 2724 | 776 | cmd.exe | 37
  PID 776 wrote to memory of 2724 | 776 | cmd.exe | 37
  PID 776 wrote to memory of 2724 | 776 | cmd.exe | 37
  PID 776 wrote to memory of 2724 | 776 | cmd.exe | 37
  PID 2724 wrote to memory of 2824 | 2724 | winslogon.exe | 38
  PID 2724 wrote to memory of 2824 | 2724 | winslogon.exe | 38
  PID 2724 wrote to memory of 2824 | 2724 | winslogon.exe | 38
  PID 2724 wrote to memory of 2824 | 2724 | winslogon.exe | 38
  PID 2724 wrote to memory of 2904 | 2724 | winslogon.exe | 40
  PID 2724 wrote to memory of 2904 | 2724 | winslogon.exe | 40
  PID 2724 wrote to memory of 2904 | 2724 | winslogon.exe | 40
  PID 2724 wrote to memory of 2904 | 2724 | winslogon.exe | 40
  PID 2824 wrote to memory of 2748 | 2824 | cmd.exe | 41
  PID 2824 wrote to memory of 2748 | 2824 | cmd.exe | 41
  PID 2824 wrote to memory of 2748 | 2824 | cmd.exe | 41
  PID 2824 wrote to memory of 2748 | 2824 | cmd.exe | 41
Processes

[1] C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-071120.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\mixazed_20210808-071120.exe"
    PID: 2416
    - Adds policy Run key to start application
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      PID: 1864
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        PID: 1784
        - UAC bypass
        - System Location Discovery: System Language Discovery
        - Modifies registry key

  [2] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      PID: 1600
      - Deletes itself
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sys\winslogon.exe"
        PID: 776
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\sys\winslogon.exe
          Command line: C:\Users\Admin\AppData\Roaming\sys\winslogon.exe
          PID: 2724
          - Adds policy Run key to start application
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            PID: 2824
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\SysWOW64\reg.exe
              Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              PID: 2748
              - UAC bypass
              - System Location Discovery: System Language Discovery
              - Modifies registry key

        [5] C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\SysWOW64\svchost.exe
            PID: 2904
Network

- No results found

Flows (68 entries; only the two size columns and two count columns survive per entry)
- 66 entries: 152 B, 120 B, 3, 3
- 1 entry: 152 B, 80 B, 3, 2
- 1 entry: 104 B, 80 B, 2, 2
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (4)
Downloads

- Filesize: 576B
  MD5: 7c01e4ef9d70bfb4dd8940a38601a1aa
  SHA1: f6464b830b2720844a8867d31a0cef1913334d4e
  SHA256: 950afb6215d6e9192f80a349f0acf3caf9b4787cb07cc96f1c47808e67e26c3a
  SHA512: 9614e9112453f511766b369d33a34e3af48060c2e203a35720dadd2856c323ef1debbb3978f21e9d4aac542b7fc1c0f1156d6e5125142d316a78dbd248480e9c

- Filesize: 350KB
  MD5: 3b69fb1e9c7f99bed0b3d19d2d0ddff0
  SHA1: 498ebaed231af4df1232f09110e948371d4f84bf
  SHA256: b1ec64a6d9279f0919241d4e896a67bf7e35e6dac8cd6bc48ea961e6b62e97cf
  SHA512: 844c3bc82761a1ca271eaa501f0e028f40bbe0abef0583e1de7dea456f18aed3ff71c09564869aec6c282c9e972f517f21ca2a6b71773221686be4da9cce82cb

- Filesize: 542KB
  MD5: bdff95108f1380b097200f1a1063775c
  SHA1: ae61a14382009adde7b63fc0d2cac23cba715dfe
  SHA256: 874e9527126f7470fb2482a75d1e8016f988c7ed7b417ae7e0a991e49bc094a5
  SHA512: 8592f307efeb628e81167f693dc85d8ed54531f9540dc6cab1d35b76546b763448cab7e38380e35c8365678f798ba1a296e72044374a82f40fe7b3157b4f02e2