Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 20-04-2021 11:31

Static task: static1
Behavioral task: behavioral1
  Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
  Resource: win10v20210410
(The signatures, process tree and dumps below are from the win7v20210408 run.)
General
- Target: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Size: 128KB
- MD5: 93d5a6c80343c85fb4aedd5b1de38613
- SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
- SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
- SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
Malware Config
Extracted: remcos
- C2: sandshoe.myfirewall.org:2415
The C2 is a dynamic-DNS style hostname with a non-standard port; block or alert on the host:port pair rather than on any one resolved IP, since the address behind it can change.
Signatures
- Executes dropped EXE (1 IoC)
  PID 828  svchost.exe  (the copy dropped to C:\Users\Admin\AppData\Roaming\Remcos\, not the system binary)
- Loads dropped DLL (2 IoCs)
  PID 1184  cmd.exe  (2 events)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Events, in report order (value data shown unescaped, surrounding quotes are part of the data):
  - Set value (str)  Remcos = "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"  by 93d5a6c80343c85fb4aedd5b1de38613.exe
  - Key created  by svchost.exe
  - Set value (str)  Remcos = "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"  by svchost.exe
  - Key created  by 93d5a6c80343c85fb4aedd5b1de38613.exe
  Both the submitted sample and its dropped copy write the same HKCU Run value, so persistence is re-asserted on every start of the copy. This is a per-user key and needs no elevation.
- Suspicious use of SetThreadContext (1 IoC)
  PID 828 (C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe) set the thread context of PID 868 (C:\Windows\SysWOW64\svchost.exe).
  Together with the repeated WriteProcessMemory calls from 828 into 868 and the 0x400000-0x421000 dumps of PID 868 below, this is the process-hollowing pattern: a legitimate svchost.exe is started, its image is overwritten, and execution is redirected with SetThreadContext.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description flags this as "likely ransomware behaviour"; that label is generic. The sample is identified as Remcos (a RAT) and no file encryption activity appears anywhere in this report, so treat the drive enumeration as reconnaissance rather than as evidence of ransomware.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 828  svchost.exe (dropped copy)
  SetWindowsHookEx is the API behind user-mode keyboard and mouse hooks; the report records the call but not the hook type.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Grouped by source -> target process (event counts as listed in the report):
  - PID 1640 93d5a6c80343c85fb4aedd5b1de38613.exe -> PID 1764 WScript.exe   (4)
  - PID 1764 WScript.exe -> PID 1184 cmd.exe   (4)
  - PID 1184 cmd.exe -> PID 828 svchost.exe (dropped copy)   (4)
  - PID 828 svchost.exe (dropped copy) -> PID 868 svchost.exe (C:\Windows\SysWOW64)   (11)
  The first three groups are the normal writes a parent makes into a freshly created child; the eleven writes from 828 into 868 are the payload being written into the hollowed system binary.
Processes
1. PID 1640  C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. PID 1764  C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. PID 1184  C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. PID 828  C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
            Command line: C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. PID 868  C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
The command lines name System32 while the executed images live in SysWOW64: the sample is a 32-bit process on windows7_x64, so WOW64 file-system redirection maps System32 to SysWOW64 for it. The chain is sample -> install.vbs via WScript -> cmd /c -> dropped svchost.exe in %APPDATA%\Remcos -> hollowed system svchost.exe.
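Detection logic for the chain shown in the process tree and the Run-key events, as an added example; this is not code from the sandbox vendor or from the sample, and the event records in it are constructed to mirror the report. The record layout (pid, ppid, image, cmdline; pid, key, data) is an assumption of this example, not any particular EDR schema, as is the parent PID 1000 of the initial sample, which the report does not show.

```python
import ntpath
import re
from dataclasses import dataclass

# Directories where a genuine svchost.exe / WScript.exe / cmd.exe lives on a 64-bit host.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Matches a Run value name (not the bare key) under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)


@dataclass
class Process:
    pid: int
    ppid: int
    image: str      # on-disk path of the executed image (post WOW64 redirection)
    cmdline: str


@dataclass
class RegSet:
    pid: int        # process that wrote the value
    key: str        # full key path including the value name
    data: str       # value data exactly as written


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def masquerading(procs):
    """T1036.005: a binary named svchost.exe executing outside System32/SysWOW64."""
    return [p.pid for p in procs if _name(p.image) == "svchost.exe" and not _in_system_dir(p.image)]


def script_shell_exec_chain(procs):
    """T1059.005: WScript/CScript -> cmd/powershell -> executable outside the system dirs.
    Returns (script_host_pid, shell_pid, child_pid) triples."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        shell = by_pid.get(p.ppid)
        host = by_pid.get(shell.ppid) if shell else None
        if (shell and host and _name(shell.image) in SHELLS
                and _name(host.image) in SCRIPT_HOSTS and not _in_system_dir(p.image)):
            hits.append((host.pid, shell.pid, p.pid))
    return hits


def hollowing_candidates(procs):
    """T1055.012: a process from a user-writable path spawns a same-named system binary
    (user-path svchost.exe -> SysWOW64\\svchost.exe), the pairing the report ties to SetThreadContext."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if (parent and _name(parent.image) == _name(p.image)
                and not _in_system_dir(parent.image) and _in_system_dir(p.image)):
            hits.append((parent.pid, p.pid))
    return hits


def run_key_into_profile(regsets):
    """T1547.001: a Run value whose target lives under the user's AppData."""
    hits = []
    for r in regsets:
        if not RUN_KEY_RE.search(r.key):
            continue
        target = r.data.strip('"')           # the report shows the path wrapped in quotes
        if "\\appdata\\" in target.lower():
            hits.append((r.pid, r.key.rsplit("\\", 1)[-1], target))
    return hits


def triage(procs, regsets):
    return {
        "T1036.005": masquerading(procs),
        "T1059.005": script_shell_exec_chain(procs),
        "T1055.012": hollowing_candidates(procs),
        "T1547.001": run_key_into_profile(regsets),
    }


# Constructed events mirroring the report's process tree and Run-key writes.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
RUN_VALUE = (r"\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\Remcos")
PROCS = [
    Process(1640, 1000, SAMPLE, f'"{SAMPLE}"'),   # ppid 1000 is assumed, not in the report
    Process(1764, 1640, r"C:\Windows\SysWOW64\WScript.exe",
            r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'),
    Process(1184, 1764, r"C:\Windows\SysWOW64\cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /c "{DROPPED}"'),
    Process(828, 1184, DROPPED, DROPPED),
    Process(868, 828, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
]
REGSETS = [RegSet(1640, RUN_VALUE, f'"{DROPPED}"'), RegSet(828, RUN_VALUE, f'"{DROPPED}"')]

if __name__ == "__main__":
    for technique, hits in triage(PROCS, REGSETS).items():
        print(technique, hits)
```

Each rule keys on a relation the report exposes directly (image path versus expected directory, parent/child names, Run value target), so the same logic applies to Sysmon event ID 1 and 13 records once mapped into the two dataclasses.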
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: 19a866a859bf53960e0838991626b634
  SHA1: 068d247b78fcef6c5fdcd06a69479c1852d72b66
  SHA256: 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7
  SHA512: 9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520
- C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe  (listed twice in the report)
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
- \Users\Admin\AppData\Roaming\Remcos\svchost.exe  (same file recorded without the drive letter; listed twice in the report)
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
All four hashes of the dropped svchost.exe match the submitted sample, so the persisted file is a byte-for-byte self-copy, not a separate second stage; install.vbs is the only new artifact written to disk.
Memory dumps
- memory/828-68-0x0000000000000000-mapping.dmp
- memory/868-71-0x0000000000400000-0x0000000000421000-memory.dmp  (132KB)
- memory/868-72-0x0000000000413FA4-mapping.dmp
- memory/868-74-0x0000000000400000-0x0000000000421000-memory.dmp  (132KB)
- memory/1184-64-0x0000000000000000-mapping.dmp
- memory/1640-60-0x00000000769B1000-0x00000000769B3000-memory.dmp  (8KB)
- memory/1764-61-0x0000000000000000-mapping.dmp
The two 132KB (0x21000-byte) dumps of PID 868 cover the 0x400000 image base of the hollowed SysWOW64\svchost.exe and are the place to start for the unpacked Remcos payload; 0x413FA4 falls inside that region and is consistent with the thread start address set by PID 828 via SetThreadContext.