Windows
Analysis Report
SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe
Overview
General Information
Detection
Score: 63 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Compliance
Score: 48 (range 0 - 100)
Signatures
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Deletes keys which are related to windows safe boot (disables safe mode boot)
Enables network access during safeboot for specific services
Installs a global keyboard hook
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Writes a notice file (html or txt) to demand a ransom
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a global mouse hook
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64native
- svchost.exe (PID: 2448 cmdline: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc MD5: F586835082F632DC8D9404D83BC16316)
- SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe (PID: 2608 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W64.Remsim.A.gen.Eldorado.5736.8171.exe" MD5: B04A7A20D108AF793B0AEBBE8B373D14)
- unpack200.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\crs-agent.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 5140 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\charsets.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 7256 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\jsse.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 7232 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\jaccess.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 4320 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunpkcs11.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 4664 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\openjsse.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\legacy8ujsse.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 5756 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\cldrdata.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 3552 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\access-bridge-64.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 6460 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\ext\sunmscapi.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- unpack200.exe (PID: 1244 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\unpack200.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar.p2" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\lib\rt.jar" MD5: FFAE954C09033DF1EBCD4FE056B183F2)
- windowslauncher.exe (PID: 1524 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016412-6-app\bin\windowslauncher.exe" "-Xshare:dump" MD5: 58AF839323322202948776B70447BECD)
- Remote SupportECompatibility.exe (PID: 5284 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote SupportECompatibility.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapperTemp-1714016472876-5\unrestricted\JWLaunchProperties-1714016482748-0" MD5: 58AF839323322202948776B70447BECD)
- Remote Support.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Remote Support.exe" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx512m -Xms5m -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=30 -Djava.util.Arrays.useLegacyMergeSort=true -Djava.net.preferIPv4Stack=true -Dsun.java2d.dpiaware=true -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 jwrapper.JWrapper "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\unrestricted\JWLaunchProperties-1714016484279-3" MD5: 58AF839323322202948776B70447BECD)
- icacls.exe (PID: 2992 cmdline: icacls "C:\ProgramData\SimpleHelp" /t /c /grant *S-1-1-0:(OI)(CI)F MD5: 48C87E3B3003A2413D6399EA77707F5D)
- conhost.exe (PID: 2932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- icacls.exe (PID: 3336 cmdline: icacls "C:\ProgramData\SimpleHelp\ElevateSH" /t /c /grant *S-1-5-32-545:(OI)(CI)F MD5: 48C87E3B3003A2413D6399EA77707F5D)
- conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- icacls.exe (PID: 1264 cmdline: icacls "C:\ProgramData\SimpleHelp\ElevateSH\*.*" /t /c /grant *S-1-1-0:(OI)(CI)F MD5: 48C87E3B3003A2413D6399EA77707F5D)
- conhost.exe (PID: 3148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
- elev_win.exe (PID: 3732 cmdline: C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe -install C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service MD5: BC1AD7F1B708F9F738DD14BD3C550433)
- elev_win.exe (PID: 1104 cmdline: "C:\ProgramData\SimpleHelp\ElevateSH\elev_win.exe" "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service" MD5: BC1AD7F1B708F9F738DD14BD3C550433)
- SimpleService.exe (PID: 5116 cmdline: "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" "-install" "C:\ProgramData\SimpleHelp\ElevateSH\MMoveLauncher4406301724889628321.service" MD5: AF0DE3441565A4FA8BBB7057657D2D5D)
- SimpleService.exe (PID: 6528 cmdline: "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" MD5: AF0DE3441565A4FA8BBB7057657D2D5D)
- session_win.exe (PID: 4184 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\session_win.exe" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated" MD5: A7094B15E6E1E3659FEC2B12AA98C6E7)
- windowslauncher.exe (PID: 2052 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\windowslauncher.exe" "-cp" "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" "-Xmx128m" "-Xms5m" "-Dsun.java2d.dpiaware=true" "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" "com.aem.sdesktop.util.MouseMover" "127.0.0.1" "50309" "127.0.0.1" "50310" "elevated" MD5: 58AF839323322202948776B70447BECD)
- Session Elevation Helper (PID: 2288 cmdline: "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Windows64JRE-00084000053-complete\bin\Session Elevation Helper" -cp "C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\jwrapper_utils.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\customer.jar;C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete\sevenzip.jar" -Xmx128m -Xms5m -Dsun.java2d.dpiaware=true "-Djava.library.path=C:\Users\user\AppData\Roaming\JWrapper-Remote Support\JWrapper-Remote Support-00089360998-complete" com.aem.sdesktop.util.MouseMover 127.0.0.1 50312 127.0.0.1 50313 elevated_backup MD5: 58AF839323322202948776B70447BECD)
- SimpleService.exe (PID: 856 cmdline: "C:\ProgramData\SimpleHelp\ElevateSH\SimpleService.exe" -uninstallbyname ShTemporaryService66694190 MD5: AF0DE3441565A4FA8BBB7057657D2D5D)
- cleanup
No configs have been found
No yara matches
Source: Author: Max Altgelt (Nextron Systems)