Windows Analysis Report
RemComSvc.exe.exe

Overview

General Information

Sample name: RemComSvc.exe.exe
Renamed because the original name is a hash value
Original sample name: RemComSvc.exe.dll
Analysis ID: 1427733
MD5: d564d9f5a17648c7f22737c37fb9d712
SHA1: 9db44ef0f9ad530fb0d5791ef4eb8fd24b954ee1
SHA256: d8a83162cd6f506345d0944567d3548575f58363198511e8a07fdf9d17e6db97
Infos:

Detection

RemCom RemoteAdmin
Score: 27
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Sigma detected: Suspicious New Service Creation
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to delete services
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found evasive API chain checking for process token information
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected RemCom RemoteAdmin tool

Classification

Source: RemComSvc.exe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RemComSvc.exe.exe Static PE information: certificate valid
Source: RemComSvc.exe.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\jenkins\workspace\KServerAgentW---61e685db\KServerAgentWindows\build\Win32\Release\bin\RemComSvc.pdb source: RemComSvc.exe.exe
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C967B FindFirstFileExA, 6_2_003C967B
Source: RemComSvc.exe.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: RemComSvc.exe.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: RemComSvc.exe.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: RemComSvc.exe.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: RemComSvc.exe.exe String found in binary or memory: http://ocsp.thawte.com0
Source: RemComSvc.exe.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: RemComSvc.exe.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: RemComSvc.exe.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: RemComSvc.exe.exe String found in binary or memory: https://sectigo.com/CPS0C
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C140E OpenSCManagerA,OpenServiceA,CloseServiceHandle,DeleteService,SetServiceStatus,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_2_003C140E
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003CC42E 6_2_003CC42E
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003D107C 6_2_003D107C
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C4993 6_2_003C4993
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C4764 6_2_003C4764
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003CBF80 6_2_003CBF80
Source: classification engine Classification label: sus27.winEXE@10/2@0/0
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C1761 _wprintf,StartServiceCtrlDispatcherA, 6_2_003C1761
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6316:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03
Source: RemComSvc.exe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\sc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RemComSvc.exe.exe String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create BMnpO binpath= "C:\Users\user\Desktop\RemComSvc.exe.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc create BMnpO binpath= "C:\Users\user\Desktop\RemComSvc.exe.exe"
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start BMnpO >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc start BMnpO
Source: unknown Process created: C:\Users\user\Desktop\RemComSvc.exe.exe C:\Users\user\Desktop\RemComSvc.exe.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Section loaded: kernel.appcore.dll
Source: RemComSvc.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RemComSvc.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RemComSvc.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RemComSvc.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RemComSvc.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RemComSvc.exe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: RemComSvc.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RemComSvc.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RemComSvc.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RemComSvc.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RemComSvc.exe.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C2186 push ecx; ret 6_2_003C2199
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C6F28 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_003C6F28
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C6279 mov eax, dword ptr fs:[00000030h] 6_2_003C6279
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003CB11E GetProcessHeap, 6_2_003CB11E
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C208C SetUnhandledExceptionFilter, 6_2_003C208C
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C1A5E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_003C1A5E
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C1F2A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_003C1F2A
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C10CA InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateNamedPipeA,ConnectNamedPipe, 6_2_003C10CA
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C1490 GetCurrentProcessId,OpenProcess,OpenProcessToken,GetLastError,LocalAlloc,GetTokenInformation,GetLastError,GetLastError,GetLastError,LocalFree,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,AllocateAndInitializeSid,EqualSid,EqualSid,FreeSid,FreeSid,FreeSid,LocalFree,CloseHandle,FindCloseChangeNotification,CloseHandle, 6_2_003C1490
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C219B cpuid 6_2_003C219B
Source: C:\Users\user\Desktop\RemComSvc.exe.exe Code function: 6_2_003C1E19 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_003C1E19
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: Yara match File source: RemComSvc.exe.exe, type: SAMPLE
Source: Yara match File source: 6.2.RemComSvc.exe.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.RemComSvc.exe.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.1624010662.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2865411128.00000000003D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RemComSvc.exe.exe PID: 4136, type: MEMORYSTR
No contacted IP infos