Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2024 16:01

Static task: static1

Behavioral task: behavioral1
- Sample: rQ000112241R02_October-24.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: rQ000112241R02_October-24.exe
- Resource: win10v2004-20241007-en
General
- Target: rQ000112241R02_October-24.exe
- Size: 3.7MB
- MD5: b7419c5f4cb484befbb098627475a806
- SHA1: c59a69a2a19fab12903b38a73fea20edc7013abb
- SHA256: b7cd81494be4fd997d0d47cde6689f357b52f4ac8c50ab730569edef51a25a8c
- SHA512: 471cb8e64ad1048c0f7d211212cd014d4b561f041aa4d9f8c324aa5736d5e37a65292218c3f8eba78298f9d9fa48fd2f3b932912eecfd305f744ac583ca1eed6
- SSDEEP: 24576:G6NBJgWDzcRxQi9yiLiS02733o8MpIVPc:hBJgWAQi9y+502Cm0
Malware Config
Extracted: remcos
- RemoteHost: 198.46.178.148:2024
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-Z20G9Z
- screenshot_crypt: false
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Remcos family

UAC bypass
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rQ000112241R02_October-24.exe)

Windows security bypass
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (rQ000112241R02_October-24.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rQ000112241R02_October-24.exe = "0" (rQ000112241R02_October-24.exe)

Detected Nirsoft tools (3 IoCs)
Free utilities often used by attackers which can steal passwords, product keys, etc.
Processes (resource: yara_rule):
- behavioral2/memory/4512-86-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral2/memory/2028-84-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
- behavioral2/memory/1028-83-0x0000000000400000-0x0000000000462000-memory.dmp: Nirsoft

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (rQ000112241R02_October-24.exe)

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients.
Processes (resource: yara_rule):
- behavioral2/memory/1028-83-0x0000000000400000-0x0000000000462000-memory.dmp: MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers.
Processes (resource: yara_rule):
- behavioral2/memory/2028-84-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
- Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (rQ000112241R02_October-24.exe)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (rQ000112241R02_October-24.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (rQ000112241R02_October-24.exe)

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (rQ000112241R02_October-24.exe)

Windows security modification
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\rQ000112241R02_October-24.exe = "0" (rQ000112241R02_October-24.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (rQ000112241R02_October-24.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions (rQ000112241R02_October-24.exe)

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (ngen.exe)

Checks whether UAC is enabled
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rQ000112241R02_October-24.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (rQ000112241R02_October-24.exe)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (rQ000112241R02_October-24.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (rQ000112241R02_October-24.exe)

Suspicious use of SetThreadContext (4 IoCs)
Processes (description; pid; Process; procid_target):
- PID 2912 set thread context of 1128; 2912; rQ000112241R02_October-24.exe; 89
- PID 1128 set thread context of 2028; 1128; ngen.exe; 107
- PID 1128 set thread context of 1028; 1128; ngen.exe; 108
- PID 1128 set thread context of 4512; 1128; ngen.exe; 109

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ngen.exe, 4 occurrences)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes (pid; Process):
- 3688; powershell.exe (3 occurrences)
- 2028; ngen.exe (4 occurrences)
- 4512; ngen.exe (2 occurrences)

Suspicious behavior: MapViewOfSection (3 IoCs)
Processes (pid; Process):
- 1128; ngen.exe (3 occurrences)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes (description; pid; Process):
- Token: SeDebugPrivilege; 2912; rQ000112241R02_October-24.exe
- Token: SeDebugPrivilege; 3688; powershell.exe
- Token: 33; 5004; AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege; 5004; AUDIODG.EXE
- Token: SeDebugPrivilege; 4512; ngen.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid; Process):
- 1128; ngen.exe

Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid; Process):
- 1128; ngen.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid; Process):
- 1128; ngen.exe

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (description; pid; Process; procid_target):
- PID 2912 wrote to memory of 3688; 2912; rQ000112241R02_October-24.exe; 88 (2 occurrences)
- PID 2912 wrote to memory of 1128; 2912; rQ000112241R02_October-24.exe; 89 (10 occurrences)
- PID 2912 wrote to memory of 2948; 2912; rQ000112241R02_October-24.exe; 91 (3 occurrences)
- PID 1128 wrote to memory of 2028; 1128; ngen.exe; 107 (4 occurrences)
- PID 1128 wrote to memory of 1028; 1128; ngen.exe; 108 (4 occurrences)
- PID 1128 wrote to memory of 4512; 1128; ngen.exe; 109 (4 occurrences)

System policy modification (1 TTP, 1 IoC)
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (rQ000112241R02_October-24.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\rQ000112241R02_October-24.exe (PID 2912)
  Command line: "C:\Users\Admin\AppData\Local\Temp\rQ000112241R02_October-24.exe"
  Signatures:
  - UAC bypass
  - Windows security bypass
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Windows security modification
  - Checks whether UAC is enabled
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  Children:
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3688)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rQ000112241R02_October-24.exe" -Force
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe (PID 1128)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe (PID 2028)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcnnhryacgctjynsbpvoqqxyrdmzub"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe (PID 1028)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe /stext "C:\Users\Admin\AppData\Local\Temp\lwaxikjcqougtebwsaqptdrpajeinmffm"
      Signatures:
      - Accesses Microsoft Outlook accounts
      - System Location Discovery: System Language Discovery
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe (PID 4512)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe /stext "C:\Users\Admin\AppData\Local\Temp\nyfqj"
      Signatures:
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe (PID 2948)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
- C:\Windows\system32\AUDIODG.EXE (PID 5004)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x418 0x410
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (4)
- Virtualization/Sandbox Evasion (2)
Downloads