Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-04-2021 11:31
Static task: static1
Behavioral task: behavioral1
- Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Resource: win10v20210410
General
- Target: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Size: 128KB
- MD5: 93d5a6c80343c85fb4aedd5b1de38613
- SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
- SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
- SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
Malware Config
- Extracted family: remcos
- Host: sandshoe.myfirewall.org:2415
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svchost.exe
    - pid 1516, process svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: svchost.exe, 93d5a6c80343c85fb4aedd5b1de38613.exe
    - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: svchost.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" (process: svchost.exe)
    - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: 93d5a6c80343c85fb4aedd5b1de38613.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" (process: 93d5a6c80343c85fb4aedd5b1de38613.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: svchost.exe
    - PID 1516 set thread context of 2412 (pid: 1516, process: svchost.exe, target process: svchost.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: 93d5a6c80343c85fb4aedd5b1de38613.exe
    - Key created: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings (process: 93d5a6c80343c85fb4aedd5b1de38613.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: svchost.exe
    - pid 1516, process svchost.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: 93d5a6c80343c85fb4aedd5b1de38613.exe, WScript.exe, cmd.exe, svchost.exe
    - PID 4024 wrote to memory of 636 (pid: 4024, process: 93d5a6c80343c85fb4aedd5b1de38613.exe, target process: WScript.exe) [3 entries]
    - PID 636 wrote to memory of 1736 (pid: 636, process: WScript.exe, target process: cmd.exe) [3 entries]
    - PID 1736 wrote to memory of 1516 (pid: 1736, process: cmd.exe, target process: svchost.exe) [3 entries]
    - PID 1516 wrote to memory of 2412 (pid: 1516, process: svchost.exe, target process: svchost.exe) [10 entries]
Processes
1. C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe"
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
            Command line: C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: 19a866a859bf53960e0838991626b634
  SHA1: 068d247b78fcef6c5fdcd06a69479c1852d72b66
  SHA256: 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7
  SHA512: 9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520
- C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe (two identical entries in the report; hashes match the submitted sample)
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
- memory/636-114-0x0000000000000000-mapping.dmp
- memory/1516-117-0x0000000000000000-mapping.dmp
- memory/1736-116-0x0000000000000000-mapping.dmp
- memory/2412-120-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/2412-121-0x0000000000413FA4-mapping.dmp
- memory/2412-124-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB