Analysis
- max time kernel: 148s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-04-2021 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 93d5a6c80343c85fb4aedd5b1de38613.exe
  Resource: win10v20210410
General
- Target: 93d5a6c80343c85fb4aedd5b1de38613.exe
- Size: 128KB
- MD5: 93d5a6c80343c85fb4aedd5b1de38613
- SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
- SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
- SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
Malware Config
Extracted
- Family: remcos
- C2: sandshoe.myfirewall.org:2415
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid 3864 | process svchost.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: svchost.exe, 93d5a6c80343c85fb4aedd5b1de38613.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | svchost.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" | svchost.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | 93d5a6c80343c85fb4aedd5b1de38613.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\svchost.exe\"" | 93d5a6c80343c85fb4aedd5b1de38613.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  Processes: 93d5a6c80343c85fb4aedd5b1de38613.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | 93d5a6c80343c85fb4aedd5b1de38613.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid 3864 | process svchost.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 93d5a6c80343c85fb4aedd5b1de38613.exe, WScript.exe, cmd.exe, svchost.exe
    description | pid | process | target process
    PID 3368 wrote to memory of 2528 | 3368 | 93d5a6c80343c85fb4aedd5b1de38613.exe | WScript.exe
    PID 3368 wrote to memory of 2528 | 3368 | 93d5a6c80343c85fb4aedd5b1de38613.exe | WScript.exe
    PID 3368 wrote to memory of 2528 | 3368 | 93d5a6c80343c85fb4aedd5b1de38613.exe | WScript.exe
    PID 2528 wrote to memory of 728 | 2528 | WScript.exe | cmd.exe
    PID 2528 wrote to memory of 728 | 2528 | WScript.exe | cmd.exe
    PID 2528 wrote to memory of 728 | 2528 | WScript.exe | cmd.exe
    PID 728 wrote to memory of 3864 | 728 | cmd.exe | svchost.exe
    PID 728 wrote to memory of 3864 | 728 | cmd.exe | svchost.exe
    PID 728 wrote to memory of 3864 | 728 | cmd.exe | svchost.exe
    PID 3864 wrote to memory of 420 | 3864 | svchost.exe | svchost.exe
    PID 3864 wrote to memory of 420 | 3864 | svchost.exe | svchost.exe
    PID 3864 wrote to memory of 420 | 3864 | svchost.exe | svchost.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\93d5a6c80343c85fb4aedd5b1de38613.exe"
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe"
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
        Command line: C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - (depth 5) C:\Windows\SysWOW64\svchost.exe
          Command line: C:\Windows\SysWOW64\svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: 19a866a859bf53960e0838991626b634
  SHA1: 068d247b78fcef6c5fdcd06a69479c1852d72b66
  SHA256: 4f19248011c8de17ee236772e367532e2fc946c209e3a777da4925eb86fdeab7
  SHA512: 9ff83f6ee2f8bba5effc9e596961a263c0397a0f286b2f54ad430486b607260f8e531e7e10617352fada3a4572a370e80522cdb136b56f480a95de42d4210520
- C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
- C:\Users\Admin\AppData\Roaming\Remcos\svchost.exe
  MD5: 93d5a6c80343c85fb4aedd5b1de38613
  SHA1: 12e13aba5ea9dc2d86030befeac7c124dc17a6eb
  SHA256: 9626b19106a81d22416acbbe7ea291de316ca3a8f359beb9fe09850649fd5292
  SHA512: 6d30c5c43db627499332d43c1bb0f176be5a26679554229ec493c44342e77093a03e6b5f5576df28cb17d2b6392b3e979d5551393519c187620c9e8856c68e52
- memory/728-116-0x0000000000000000-mapping.dmp
- memory/2528-114-0x0000000000000000-mapping.dmp
- memory/3864-117-0x0000000000000000-mapping.dmp