Analysis
-
max time kernel
1384s -
max time network
1172s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted
01-07-2024 16:28
Behavioral task
behavioral1
Sample
pacuka.exe
Resource
win7-20231129-en
General
-
Target
pacuka.exe
-
Size
92KB
-
MD5
16653b45d28e26bd88f741bd8e62f7a6
-
SHA1
1bd612b271d4b010ea4f1cab6658afaa15fac347
-
SHA256
3aae90682e6e388e729b635380876409c38d7fe52a4581d45778258e8378b795
-
SHA512
bf12f0f4819af831c3b30e4b826167e7e786c75f429fa1434d2c8495d78c2541bf777b00e2205a4eb7b94fc66b72401753ee693ca802a935dac210f7ca00ba0c
-
SSDEEP
1536:YhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6irT:+hzYTGWVvJ8f2v1TbPzuMsIFSHNThy+9
Malware Config
Extracted
remcos
1.7 Pro
Host
185.254.97.15:2404
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
packu.exe
-
copy_folder
skid
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%SystemDrive%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%WinDir%\System32
-
mouse_option
false
-
mutex
rukbdcxfoo
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
Discord
-
take_screenshot_option
false
-
take_screenshot_time
5
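The extracted config fields above determine where the implant lands on disk and which registry values it writes, so the paths and key names a responder should hunt can be derived from the config alone. The following Python is an added example for this report, not tooling from the sandbox or from Remcos; the dictionary copies the fields shown above, and the placeholder expansion table (C: as the system drive, a user named Admin) is an assumption matching the analysis host.

```python
"""Map the extracted Remcos config to the host artifacts it implies.

Added example for this report, not tooling from the sandbox or from Remcos.
The config dictionary copies the fields shown in the report; the placeholder
expansion table is an ASSUMPTION based on a default Windows 10 host with a
user named "Admin".
"""
import ntpath

# Fields copied from the extracted config (values as strings, as shown).
REMCOS_CONFIG = {
    "Host": "185.254.97.15:2404",
    "copy_file": "packu.exe",
    "copy_folder": "skid",
    "install_flag": "true",
    "install_path": "%SystemDrive%",
    "startup_value": "Discord",
    "keylog_flag": "false",
    "keylog_path": "%WinDir%\\System32",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
    "mutex": "rukbdcxfoo",
}

# ASSUMPTION: how the Remcos path placeholders expand on the analysed host.
PLACEHOLDERS = {
    "%SystemDrive%": "C:\\",
    "%WinDir%": "C:\\Windows",
    "%AppData%": "C:\\Users\\Admin\\AppData\\Roaming",
}

# Both Run hives the report shows being written (HKLM lands under WOW6432Node
# for this 32-bit sample on x64; hunt both views).
RUN_KEYS = (
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
)


def expand(path):
    """Expand the placeholders Remcos uses; ntpath keeps Windows separators on any OS."""
    for key, value in PLACEHOLDERS.items():
        path = path.replace(key, value)
    return path


def flag(cfg, key):
    """Remcos stores booleans as the strings 'true'/'false'."""
    return cfg.get(key, "false").strip().lower() == "true"


def derive_iocs(cfg):
    """Return the registry, file and network indicators a defender should hunt for."""
    host, _, port = cfg["Host"].rpartition(":")
    iocs = {"c2": (host, int(port)), "mutex": cfg["mutex"]}

    if flag(cfg, "install_flag"):
        exe = ntpath.join(expand(cfg["install_path"]), cfg["copy_folder"], cfg["copy_file"])
        iocs["install_exe"] = exe
        # The Run value is named after startup_value; its data is the quoted copy path.
        iocs["run_values"] = [(key + "\\" + cfg["startup_value"], '"%s"' % exe) for key in RUN_KEYS]

    # Keylog and screenshot paths only matter when their flag is set; with
    # keylog_flag=false this sample is not expected to create logs.dat at all.
    iocs["keylog"] = {
        "enabled": flag(cfg, "keylog_flag"),
        "path": ntpath.join(expand(cfg["keylog_path"]), cfg["keylog_folder"], cfg["keylog_file"]),
    }
    iocs["screenshots"] = {
        "enabled": flag(cfg, "screenshot_flag"),
        "dir": ntpath.join(expand(cfg["screenshot_path"]), cfg["screenshot_folder"]),
    }
    return iocs


if __name__ == "__main__":
    for name, value in derive_iocs(REMCOS_CONFIG).items():
        print(f"{name}: {value}")
```

The derived install path (C:\skid\packu.exe) and Run value name (Discord) match what the signatures and process tree below record, which is a useful sanity check that the config extraction is correct. The keylog path is reported as disabled, so its absence on a host does not mean the implant is absent.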
Signatures
-
UAC bypass 2 IoCs
Sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which turns User Account Control off for subsequent logons (the write itself requires an already-elevated token).
Processes: reg.exe, reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  reg.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: pacuka.exe, packu.exe
  Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation  pacuka.exe
  Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation  packu.exe
Executes dropped EXE 1 IoCs
Processes: packu.exe
  PID 2276  packu.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: packu.exe, pacuka.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\skid\\packu.exe\""  packu.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\skid\\packu.exe\""  pacuka.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\skid\\packu.exe\""  pacuka.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\skid\\packu.exe\""  packu.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: packu.exe
  PID 2276  packu.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes: pacuka.exe, cmd.exe, cmd.exe, packu.exe, cmd.exe
  (each pair below is logged three times: 9 distinct pairs, 27 events)
  PID 3852 pacuka.exe  wrote to memory of  PID 4976 cmd.exe
  PID 4976 cmd.exe     wrote to memory of  PID 4320 reg.exe
  PID 3852 pacuka.exe  wrote to memory of  PID 1640 cmd.exe
  PID 1640 cmd.exe     wrote to memory of  PID 4284 PING.EXE
  PID 1640 cmd.exe     wrote to memory of  PID 2276 packu.exe
  PID 2276 packu.exe   wrote to memory of  PID 4444 cmd.exe
  PID 2276 packu.exe   wrote to memory of  PID 2712 iexplore.exe
  PID 4444 cmd.exe     wrote to memory of  PID 3916 reg.exe
  PID 2276 packu.exe   wrote to memory of  PID 3120 cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\pacuka.exe  (PID 3852, depth 1)
  cmd: "C:\Users\Admin\AppData\Local\Temp\pacuka.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4976, depth 2)
    cmd: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\reg.exe  (PID 4320, depth 3)
      cmd: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
      - Modifies registry key

  C:\Windows\SysWOW64\cmd.exe  (PID 1640, depth 2)
    cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE  (PID 4284, depth 3)
      cmd: PING 127.0.0.1 -n 2
      - Runs ping.exe

    C:\skid\packu.exe  (PID 2276, depth 3)
      cmd: "C:\skid\packu.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 4444, depth 4)
        cmd: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe  (PID 3916, depth 5)
          cmd: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key

      C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 2712, depth 4)
        cmd: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

      C:\Windows\SysWOW64\cmd.exe  (PID 3120, depth 4)
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uninstall.bat" "

(PIDs are taken from the WriteProcessMemory events above; the parent of the initial pacuka.exe is not recorded in the report.)
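The tree above is a compact, repeatable chain: the dropper spawns cmd.exe to run reg.exe with EnableLUA=0, runs install.bat, which sleeps via `PING 127.0.0.1 -n 2` and then starts the dropped copy from C:\skid\, and the copy repeats the registry write. Two caveats a responder should keep in mind: writing under HKLM\...\Policies\System only succeeds if the process already holds an administrative token, and EnableLUA=0 takes effect at the next logon, so this is UAC being switched off for future sessions rather than an elevation of the current one. The Python below is an added example, not part of the sandbox report: it runs three detection rules over process-creation events reconstructed from the tree above (the event list is constructed from the report; the root's parent is not shown there and is left unknown).

```python
"""Detection rules for the execution chain in this report, over process
creation events. Added example, not part of the sandbox output. EVENTS is
CONSTRUCTED from the report's process tree and WriteProcessMemory PIDs; the
parent of the initial pacuka.exe is not in the report and is set to None."""
import ntpath
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS32 = r"C:\Windows\System32"
WOW64 = r"C:\Windows\SysWOW64"
REG_CMD = (r"ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "
           r"/v EnableLUA /t REG_DWORD /d 0 /f")

EVENTS = [
    Proc(3852, None, TEMP + r"\pacuka.exe", '"' + TEMP + r'\pacuka.exe"'),
    Proc(4976, 3852, WOW64 + r"\cmd.exe", r"/k %windir%\System32\reg.exe " + REG_CMD),
    Proc(4320, 4976, WOW64 + r"\reg.exe", SYS32 + r"\reg.exe " + REG_CMD),
    Proc(1640, 3852, WOW64 + r"\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\install.bat" "'),
    Proc(4284, 1640, WOW64 + r"\PING.EXE", "PING 127.0.0.1 -n 2"),
    Proc(2276, 1640, r"C:\skid\packu.exe", r'"C:\skid\packu.exe"'),
    Proc(4444, 2276, WOW64 + r"\cmd.exe", r"/k %windir%\System32\reg.exe " + REG_CMD),
    Proc(3916, 4444, WOW64 + r"\reg.exe", SYS32 + r"\reg.exe " + REG_CMD),
    Proc(2712, 2276, r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
         r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'),
    Proc(3120, 2276, WOW64 + r"\cmd.exe",
         r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\uninstall.bat" "'),
]

# Rule 1: reg.exe writing EnableLUA=0 under the Policies\System key.
UAC_OFF_RE = re.compile(r"Policies\\System\b.*?/v\s+EnableLUA\b.*?/d\s+0\b", re.I)
# Rule 3 helper: "ping 127.0.0.1 -n N" is the classic batch-file sleep.
PING_SLEEP_RE = re.compile(r"^(?:.*\\)?ping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+\d+", re.I)
# Rule 2: top-level directories where executables are normally found.
EXPECTED_TOP_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata"}


def lineage(procs, pid):
    """Return 'root > ... > pid' image names by walking parent PIDs."""
    by_pid = {p.pid: p for p in procs}
    names = []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(names))


def unusual_top_dir(image):
    """True for a full path whose first directory is not a standard Windows root."""
    drive, rest = ntpath.splitdrive(image)
    parts = rest.strip("\\").split("\\")
    return bool(drive) and len(parts) >= 2 and parts[0].lower() not in EXPECTED_TOP_DIRS


def detect(procs):
    """Return (rule_name, pid) findings for the three rules."""
    findings = []
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    for p in procs:
        base = ntpath.basename(p.image).lower()
        if base == "reg.exe" and UAC_OFF_RE.search(p.cmdline):
            findings.append(("uac_disabled_via_enablelua", p.pid))
        if unusual_top_dir(p.image):
            findings.append(("exec_from_unusual_top_level_dir", p.pid))
        # Rule 3: cmd.exe running a .bat that both pings loopback (sleep) and
        # launches a non-Windows binary, i.e. the install.bat stage above.
        if base == "cmd.exe" and ".bat" in p.cmdline.lower():
            kids = children.get(p.pid, [])
            if any(PING_SLEEP_RE.match(k.cmdline) for k in kids):
                for k in kids:
                    k_base = ntpath.basename(k.image).lower()
                    if k_base != "ping.exe" and not ntpath.dirname(k.image).lower().startswith(r"c:\windows"):
                        findings.append(("batch_ping_delay_then_exec", k.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {lineage(EVENTS, pid)}")
```

Rule 1 fires on both reg.exe instances; rule 2 fires only on C:\skid\packu.exe; rule 3 ties the ping sleep to the launch of the dropped copy from the same batch. The lineage string is what makes the alert actionable: "pacuka.exe > cmd.exe > packu.exe > cmd.exe > reg.exe" shows the second EnableLUA write comes from the persisted copy, not the original dropper.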
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.bat
  Filesize  68B
  MD5       086c6015cf0c1deb685322e0d160d756
  SHA1      d5d29e7db31ed1443cdf5d881e66851287c03e87
  SHA256    10b2265ccd77e0536d3a5652a0532228a38123aee20e6aa01e74db491a356544
  SHA512    cd5c9ba83f7669130bbfdde8681e0174afe2aed932f9f9cee713c6ce77c6c8fa3aad798235e653b5aafc1779b42fff01bf63497bd6dec2a8b93905f5cd500a7d
-
C:\Users\Admin\AppData\Local\Temp\uninstall.bat
  Filesize  110B
  MD5       98408dd2e8a07956418230602f43bd55
  SHA1      6680dd5a2a4466f206568eb1856636b527ea8de1
  SHA256    df6065623a997a9b0bb357f3e20ded4c62576db800ef016d44f05fe85a48f4c6
  SHA512    b51f2598179d85cadce02196e5c99d5a3d5e7a6e90495730c0c1ac0d888bc69c1b63495fd17c0a8acd0ad1bd241ca8322de982a42817c5386b1c9511cc0fd976
-
C:\skid\packu.exe  (hashes identical to the submitted sample: the persisted copy is byte-for-byte pacuka.exe)
  Filesize  92KB
  MD5       16653b45d28e26bd88f741bd8e62f7a6
  SHA1      1bd612b271d4b010ea4f1cab6658afaa15fac347
  SHA256    3aae90682e6e388e729b635380876409c38d7fe52a4581d45778258e8378b795
  SHA512    bf12f0f4819af831c3b30e4b826167e7e786c75f429fa1434d2c8495d78c2541bf777b00e2205a4eb7b94fc66b72401753ee693ca802a935dac210f7ca00ba0c