Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 06:38
Static task: static1
Behavioral task: behavioral1
- Sample: PO - 2021-000511.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: PO - 2021-000511.exe
- Resource: win10v20201028
General
- Target: PO - 2021-000511.exe
- Size: 330KB
- MD5: 66942e778b34428234e0a47a0e9c444e
- SHA1: 2bf1b967c0b9ff0c2478441a9294405afb29ec6e
- SHA256: 9d3eddc1a411d1749efa3f08827529ab80356d515cb5321ed5ea7cca0dedca74
- SHA512: 1bbf9595b15c0a1c0f8635c8a15161d39c5a73bf45a73f2f0fedfa80b33ed60c0bf1db738348a91b7f4ac2ac13e95bbd63d2ee65feaa01627656ba12e2e30989
Malware Config
Extracted
- remcos: nkosarevaocs.duckdns.org:7266
Signatures
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes (resource / yara_rule):
  - behavioral1/memory/1164-24-0x0000000000476274-mapping.dmp: WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1164-24-0x0000000000476274-mapping.dmp: Nirsoft
  - behavioral1/memory/916-28-0x0000000000422206-mapping.dmp: Nirsoft
- Executes dropped EXE (5 IoCs)
  Processes (pid / process):
  - 1092 remcos.exe
  - 408 remcos.exe
  - 1164 remcos.exe
  - 916 remcos.exe
  - 852 remcos.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid / process):
  - 780 cmd.exe
  - 780 cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (PO - 2021-000511.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" (PO - 2021-000511.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (remcos.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" (remcos.exe)
- Suspicious use of SetThreadContext (5 IoCs)
  Processes (pid / process / target pid / target process):
  - PID 1652 (PO - 2021-000511.exe) set thread context of PID 1908 (PO - 2021-000511.exe)
  - PID 1092 (remcos.exe) set thread context of PID 408 (remcos.exe)
  - PID 408 (remcos.exe) set thread context of PID 1164 (remcos.exe)
  - PID 408 (remcos.exe) set thread context of PID 916 (remcos.exe)
  - PID 408 (remcos.exe) set thread context of PID 852 (remcos.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
  - 1164 remcos.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
  - 1652 PO - 2021-000511.exe
  - 1092 remcos.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 916 remcos.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  - 408 remcos.exe
- Suspicious use of WriteProcessMemory (57 IoCs)
  Processes (pid / process / target pid / target process; identical events collapsed with their count):
  - PID 1652 (PO - 2021-000511.exe) wrote to memory of PID 2008 (cmd.exe), 4 times
  - PID 1652 (PO - 2021-000511.exe) wrote to memory of PID 1908 (PO - 2021-000511.exe), 5 times
  - PID 2008 (cmd.exe) wrote to memory of PID 1680 (schtasks.exe), 4 times
  - PID 1908 (PO - 2021-000511.exe) wrote to memory of PID 1672 (WScript.exe), 4 times
  - PID 1672 (WScript.exe) wrote to memory of PID 780 (cmd.exe), 4 times
  - PID 780 (cmd.exe) wrote to memory of PID 1092 (remcos.exe), 4 times
  - PID 1092 (remcos.exe) wrote to memory of PID 408 (remcos.exe), 5 times
  - PID 408 (remcos.exe) wrote to memory of PID 1164 (remcos.exe), 9 times
  - PID 408 (remcos.exe) wrote to memory of PID 916 (remcos.exe), 9 times
  - PID 408 (remcos.exe) wrote to memory of PID 852 (remcos.exe), 9 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c2dda0561025401989fafe74650217e2.xml"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\c2dda0561025401989fafe74650217e2.xml"
      - Creates scheduled task(s)
  - [2] C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO - 2021-000511.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
          Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          - [6] C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - [7] C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\coryewsitenugptewkgvgmrzphu"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
            - [7] C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\nqwrfolkhmfzqviinutpjqmqyvdbox"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
            - [7] C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\xkbbfhweduxmsjemwffqtdyhgcvkpahye"
              - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\c2dda0561025401989fafe74650217e2.xml
  MD5: 9313352a59e3b368ab4eb8173567c406
  SHA1: fc776c28e3ae9bd5e68f25c2a4f6248126731370
  SHA256: 469d4994320f37196faca4de8ada85161a43dd42c9405b283bea5e4ea84c9a8d
  SHA512: 000f6edf387b4ea0f244003fad3f66be5eb1920012838ba3a19c3f2dcde973fce8450c8e556c22cc20f7a3a0980d735fb169ecfafd440993c9fe5b8875fc7462
- C:\Users\Admin\AppData\Local\Temp\coryewsitenugptewkgvgmrzphu
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe (listed 6 times, identical hashes)
  MD5: 66942e778b34428234e0a47a0e9c444e
  SHA1: 2bf1b967c0b9ff0c2478441a9294405afb29ec6e
  SHA256: 9d3eddc1a411d1749efa3f08827529ab80356d515cb5321ed5ea7cca0dedca74
  SHA512: 1bbf9595b15c0a1c0f8635c8a15161d39c5a73bf45a73f2f0fedfa80b33ed60c0bf1db738348a91b7f4ac2ac13e95bbd63d2ee65feaa01627656ba12e2e30989
- \Users\Admin\AppData\Roaming\Remcos\remcos.exe (listed 2 times, identical hashes)
  MD5: 66942e778b34428234e0a47a0e9c444e
  SHA1: 2bf1b967c0b9ff0c2478441a9294405afb29ec6e
  SHA256: 9d3eddc1a411d1749efa3f08827529ab80356d515cb5321ed5ea7cca0dedca74
  SHA512: 1bbf9595b15c0a1c0f8635c8a15161d39c5a73bf45a73f2f0fedfa80b33ed60c0bf1db738348a91b7f4ac2ac13e95bbd63d2ee65feaa01627656ba12e2e30989
- memory/408-19-0x0000000000413FA4-mapping.dmp
- memory/408-22-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/780-12-0x0000000000000000-mapping.dmp
- memory/852-38-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/852-32-0x0000000000455238-mapping.dmp
- memory/852-31-0x0000000000400000-0x0000000000457000-memory.dmp (Filesize: 348KB)
- memory/916-28-0x0000000000422206-mapping.dmp
- memory/916-37-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/916-26-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize: 144KB)
- memory/1092-17-0x0000000000000000-mapping.dmp
- memory/1164-36-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)
- memory/1164-24-0x0000000000476274-mapping.dmp
- memory/1164-23-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)
- memory/1196-35-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp (Filesize: 2.5MB)
- memory/1652-2-0x0000000075571000-0x0000000075573000-memory.dmp (Filesize: 8KB)
- memory/1672-8-0x0000000000000000-mapping.dmp
- memory/1672-13-0x0000000002900000-0x0000000002904000-memory.dmp (Filesize: 16KB)
- memory/1680-6-0x0000000000000000-mapping.dmp
- memory/1908-4-0x0000000000413FA4-mapping.dmp
- memory/1908-10-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/2008-3-0x0000000000000000-mapping.dmp