Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 07:14
Static task: static1
Behavioral task: behavioral1
- Sample: unpaid.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: unpaid.exe
- Resource: win10v20201028
General
- Target: unpaid.exe
- Size: 289KB
- MD5: 23195e221bd52fc2ff7bcecef0c6e9af
- SHA1: efffd2231109a8103f1b85da879ee2cfd9e59ba8
- SHA256: 07cb866df6df9ad51ce01426b0a0466834619e72c2653ff7c25320cc3c0a3f9a
- SHA512: 8cbb1a709e198e7c905b81554000d83f88e2429c821d5990d45c8f182442e2409828de014750aa2ef23c97f033b0f098bdf281cc8bc7b5c1e7ff53ca7d2dd3c8
Malware Config
Extracted: remcos
- nkosarevaocs.duckdns.org:7266
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1520  remcos.exe
    468   remcos.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1552  cmd.exe
    1552  cmd.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""  unpaid.exe
    Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\  remcos.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\""  remcos.exe
    Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\  unpaid.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
    PID 1248 set thread context of 1228  1248  unpaid.exe  unpaid.exe
    PID 1520 set thread context of 468   1520  remcos.exe  remcos.exe
- Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid, process):
    1832  unpaid.exe
    1248  unpaid.exe
    1520  remcos.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
    468  remcos.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description, pid, process, target process; count of identical entries in parentheses):
    PID 1832 wrote to memory of 1044  1832  unpaid.exe   unpaid.exe   (4 entries)
    PID 1832 wrote to memory of 1248  1832  unpaid.exe   unpaid.exe   (4 entries)
    PID 1248 wrote to memory of 1228  1248  unpaid.exe   unpaid.exe   (5 entries)
    PID 1228 wrote to memory of 1984  1228  unpaid.exe   WScript.exe  (4 entries)
    PID 1984 wrote to memory of 1552  1984  WScript.exe  cmd.exe      (4 entries)
    PID 1552 wrote to memory of 1520  1552  cmd.exe      remcos.exe   (4 entries)
    PID 1520 wrote to memory of 468   1520  remcos.exe   remcos.exe   (5 entries)
Processes (number = depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\unpaid.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\unpaid.exe"
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\unpaid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\unpaid.exe"
   2. C:\Users\Admin\AppData\Local\Temp\unpaid.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\unpaid.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\unpaid.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\unpaid.exe"
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
               - Loads dropped DLL
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                  Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: MapViewOfSection
                  - Suspicious use of WriteProcessMemory
                  7. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                     Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                     - Executes dropped EXE
                     - Adds Run key to start application
                     - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 23195e221bd52fc2ff7bcecef0c6e9af
  SHA1: efffd2231109a8103f1b85da879ee2cfd9e59ba8
  SHA256: 07cb866df6df9ad51ce01426b0a0466834619e72c2653ff7c25320cc3c0a3f9a
  SHA512: 8cbb1a709e198e7c905b81554000d83f88e2429c821d5990d45c8f182442e2409828de014750aa2ef23c97f033b0f098bdf281cc8bc7b5c1e7ff53ca7d2dd3c8
- \Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 23195e221bd52fc2ff7bcecef0c6e9af
  SHA1: efffd2231109a8103f1b85da879ee2cfd9e59ba8
  SHA256: 07cb866df6df9ad51ce01426b0a0466834619e72c2653ff7c25320cc3c0a3f9a
  SHA512: 8cbb1a709e198e7c905b81554000d83f88e2429c821d5990d45c8f182442e2409828de014750aa2ef23c97f033b0f098bdf281cc8bc7b5c1e7ff53ca7d2dd3c8
- memory/468-16-0x0000000000413FA4-mapping.dmp
- memory/468-19-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/1228-3-0x0000000000413FA4-mapping.dmp
- memory/1228-8-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/1228-4-0x0000000076371000-0x0000000076373000-memory.dmp
  Filesize: 8KB
- memory/1248-2-0x0000000000000000-mapping.dmp
- memory/1520-14-0x0000000000000000-mapping.dmp
- memory/1552-9-0x0000000000000000-mapping.dmp
- memory/1984-10-0x0000000002660000-0x0000000002664000-memory.dmp
  Filesize: 16KB
- memory/1984-5-0x0000000000000000-mapping.dmp