Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 06:39
Static task: static1
Behavioral task: behavioral1
- Sample: EASTERS.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: EASTERS.exe
- Resource: win10v20201028
General
- Target: EASTERS.exe
- Size: 128KB
- MD5: 4c884f97e78f79fc6d179fde087de2d3
- SHA1: 1fac33ee2e51cc0d358a53b1633536ca457bb86e
- SHA256: 4191897f0eb05e71e982d4ab0289ddce7e769a09e125d09e05b170824a3efbc6
- SHA512: a3029d94f76ee2c435a01d23b52ad48beb4b9d6fa69ec013c13a6622f74d4a9de60d83b6e0c0110c1ad88cacafd3beaa3ce8f4e85ad893774765e39b56432b91
Malware Config
Extracted
- Family: remcos
- Host: osisego.ddns.net:2405
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 3940 | remcos.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | EASTERS.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | remcos.exe
  - Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" | remcos.exe
  - Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | EASTERS.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | EASTERS.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  - 3940 | remcos.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  - PID 3496 wrote to memory of 3116 | 3496 | EASTERS.exe | WScript.exe
  - PID 3496 wrote to memory of 3116 | 3496 | EASTERS.exe | WScript.exe
  - PID 3496 wrote to memory of 3116 | 3496 | EASTERS.exe | WScript.exe
  - PID 3116 wrote to memory of 2484 | 3116 | WScript.exe | cmd.exe
  - PID 3116 wrote to memory of 2484 | 3116 | WScript.exe | cmd.exe
  - PID 3116 wrote to memory of 2484 | 3116 | WScript.exe | cmd.exe
  - PID 2484 wrote to memory of 3940 | 2484 | cmd.exe | remcos.exe
  - PID 2484 wrote to memory of 3940 | 2484 | cmd.exe | remcos.exe
  - PID 2484 wrote to memory of 3940 | 2484 | cmd.exe | remcos.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\EASTERS.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\EASTERS.exe"
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe (depth 4)
        Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 4c884f97e78f79fc6d179fde087de2d3
  SHA1: 1fac33ee2e51cc0d358a53b1633536ca457bb86e
  SHA256: 4191897f0eb05e71e982d4ab0289ddce7e769a09e125d09e05b170824a3efbc6
  SHA512: a3029d94f76ee2c435a01d23b52ad48beb4b9d6fa69ec013c13a6622f74d4a9de60d83b6e0c0110c1ad88cacafd3beaa3ce8f4e85ad893774765e39b56432b91
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 4c884f97e78f79fc6d179fde087de2d3
  SHA1: 1fac33ee2e51cc0d358a53b1633536ca457bb86e
  SHA256: 4191897f0eb05e71e982d4ab0289ddce7e769a09e125d09e05b170824a3efbc6
  SHA512: a3029d94f76ee2c435a01d23b52ad48beb4b9d6fa69ec013c13a6622f74d4a9de60d83b6e0c0110c1ad88cacafd3beaa3ce8f4e85ad893774765e39b56432b91
- memory/2484-4-0x0000000000000000-mapping.dmp
- memory/3116-2-0x0000000000000000-mapping.dmp
- memory/3940-5-0x0000000000000000-mapping.dmp