Analysis
- max time kernel: 16s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 18:14

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Quotation.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: Quotation.exe
  Resource: win10v20201028
General
- Target: Quotation.exe
- Size: 1.5MB
- MD5: 8ed2eb4f9aab811fef61c8cc1d61cf24
- SHA1: d4e2452748d1efc5bb62ee873bbd0af96d5f5d13
- SHA256: 133a9c9b926ecb6806cf9afa73409b01472e67d80a7908dbadbfe2cf7e24f7e5
- SHA512: 7686e04c7a5c348e3eaa01f0a56e4062ff94b142164111857499682e50b7e05c2aa481a524099229e100e7c97a96ed58f45004a4c7f621287504640100f7ed52
Malware Config
- Extracted: remcos
  whatgodcannotdodoestnotexist.duckdns.org:2889
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    1188  remcos.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url  Quotation.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\  Quotation.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""  Quotation.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 4776 set thread context of 4176  4776  Quotation.exe  Quotation.exe
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings  Quotation.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes (pid, process):
    4776  Quotation.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  Processes (pid, process):
    4776  Quotation.exe (3 hits)
    1188  remcos.exe (3 hits)
- Suspicious use of SendNotifyMessage (6 IoCs)
  Processes (pid, process):
    4776  Quotation.exe (3 hits)
    1188  remcos.exe (3 hits)
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description, pid, process, target process):
    PID 4776 wrote to memory of 4176  4776  Quotation.exe  Quotation.exe (4 hits)
    PID 4176 wrote to memory of 2012  4176  Quotation.exe  WScript.exe (3 hits)
    PID 2012 wrote to memory of 608  2012  WScript.exe  cmd.exe (3 hits)
    PID 608 wrote to memory of 1188  608  cmd.exe  remcos.exe (3 hits)
Processes (process tree, path followed by command line)
1. C:\Users\Admin\AppData\Local\Temp\Quotation.exe
   "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Quotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
               C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
               - Executes dropped EXE
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe (same hashes as the Quotation.exe target above)
  MD5: 8ed2eb4f9aab811fef61c8cc1d61cf24
  SHA1: d4e2452748d1efc5bb62ee873bbd0af96d5f5d13
  SHA256: 133a9c9b926ecb6806cf9afa73409b01472e67d80a7908dbadbfe2cf7e24f7e5
  SHA512: 7686e04c7a5c348e3eaa01f0a56e4062ff94b142164111857499682e50b7e05c2aa481a524099229e100e7c97a96ed58f45004a4c7f621287504640100f7ed52
- memory/608-8-0x0000000000000000-mapping.dmp
- memory/1188-9-0x0000000000000000-mapping.dmp
- memory/2012-3-0x0000000000000000-mapping.dmp
- memory/4176-2-0x0000000000413FA4-mapping.dmp
- memory/4176-7-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/4776-4-0x0000000003830000-0x0000000003851000-memory.dmp (Filesize: 132KB)
- memory/4776-6-0x00000000037A0000-0x00000000037A3000-memory.dmp (Filesize: 12KB)