Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 20-04-2021 12:25
Static task: static1
Behavioral task: behavioral1
- Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Resource: win10v20210410
General
- Target: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Size: 128KB
- MD5: 93d5a6c80343c85fb4aedd5b1de38613
- SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
- SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
- SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
Malware Config
- Extracted: remcos
- Host: sandshoe.myfirewall.org:2415
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1364 | svchost.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  1280 | cmd.exe
  1280 | cmd.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 93d5a6c80343c85fb4aedd5b1de38613.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" | 93d5a6c80343c85fb4aedd5b1de38613.exe
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | svchost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  PID 1364 set thread context of 396 | 1364 | svchost.exe | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid | process):
  1364 | svchost.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process), identical rows collapsed with their count:
  PID 1748 wrote to memory of 2000 | 1748 | 93d5a6c80343c85fb4aedd5b1de38613.exe | WScript.exe (4 entries)
  PID 2000 wrote to memory of 1280 | 2000 | WScript.exe | cmd.exe (4 entries)
  PID 1280 wrote to memory of 1364 | 1280 | cmd.exe | svchost.exe (4 entries)
  PID 1364 wrote to memory of 396 | 1364 | svchost.exe | svchost.exe (11 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
            Command line: C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: 19a866a859bf53960e0838991626b634
  SHA1: 068d247b78fcef6c5fdcd06a69479c1852d72b66
  SHA256: 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7
  SHA512: 9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520
- C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
- \Users\Admin\AppData\Roaming\Remcos\svchost.exe
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
- memory/396-71-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/396-72-0x0000000000413FA4-mapping.dmp
- memory/396-74-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1280-64-0x0000000000000000-mapping.dmp
- memory/1364-68-0x0000000000000000-mapping.dmp
- memory/1748-60-0x00000000757E1000-0x00000000757E3000-memory.dmp (Filesize: 8KB)
- memory/2000-61-0x0000000000000000-mapping.dmp