Overview

overview

10

Static

static

CONFIRM OR...df.exe

windows7_x64

10

CONFIRM OR...df.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-04-2021 12:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CONFIRM ORDER_O452-11189H6U77,pdf.exe

  • Size

    743KB

  • MD5

    a10b06acd92325678e2b960544c9257f

  • SHA1

    754dfa9962325d7ad6676779bafcd8b5e18d6978

  • SHA256

    6ce1eb96c697ce276022f1a14fe7da73f910487fcfb384d676b28aa55f0c05ca

  • SHA512

    8fef2e063e121fdf49f2d1fedb35aa6bd17fcf15e775f2460d473f13783e9e9f256765c3da6b7aa8334dd096d69c6b5774ba1ee7f703f6e07a4acaabdcc0a249

Score
10/10
remcosevasionrat

Malware Config

Extracted

Family

remcos

C2

goddywin.freedynamicdns.net:6712

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Uses the VBS compiler for execution 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CONFIRM ORDER_O452-11189H6U77,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\CONFIRM ORDER_O452-11189H6U77,pdf.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CONFIRM ORDER_O452-11189H6U77,pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JttnSaHiiAm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JttnSaHiiAm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4811.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3020
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JttnSaHiiAm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:3176

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      a18d6f90107e3696d0f9421aa3c2a8ef

      SHA1

      22880ca374966d658f05ac9574b7ea5e0ead16fb

      SHA256

      f89de61ae0ca16c79e369174cb050d16b9fc1f1c33be0cfef06ed51496144ba2

      SHA512

      cf574e6769fe9c8110460d9f6f965c8a6c338f1fcb0b55d2dca4afb970769820b26c34e2e8c75a61d499d96f16dff6c8cc3100bb88c7ff65132fee23fc468e1c

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      68fb6dbbe9b5e5039d3dad876fdf545d

      SHA1

      befdc1701a51678156707f584452a53240ee06b7

      SHA256

      572f8a3e68893e83202fdefe7b788613ee288ad2772bfddcc0fbd6de39dfc1b5

      SHA512

      ca603c79776f4baabfafb2486134d97aad0d0e01332a6916a7e143f571d4e1b762f0db7d5d4376aa25549bb50f0ccd995eed0b07e62df40869564256096efb46

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp4811.tmp
      MD5

      4f8383bc721b4ad13c3bb3d8e8b42dd7

      SHA1

      aa178422d97cc912d6e330e64464773f33d81744

      SHA256

      be24d0a7974e9e88560480254e7f73e964d0c21e7ff50b1ffcff36392bb16e06

      SHA512

      2664ab1ae379b2740ccbf9ac838ea80d8687a133a49ae9dd4bddc3b71b88ddfb5b16194c7aa4831aea3870102c5dde02c5ff84c47360dc3275a1aa31cbf9f88e

      Download Submit
    • memory/1228-168-0x0000000008560000-0x0000000008561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1228-141-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1228-143-0x0000000006FF2000-0x0000000006FF3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1228-171-0x0000000008380000-0x0000000008381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1228-192-0x000000007EDE0000-0x000000007EDE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1228-195-0x0000000006FF3000-0x0000000006FF4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1228-130-0x0000000000000000-mapping.dmp
      Download
    • memory/1456-121-0x0000000005C80000-0x0000000005C8D000-memory.dmp
      Filesize

      52KB

      Download
    • memory/1456-114-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-125-0x000000000C3B0000-0x000000000C3B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-118-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-116-0x0000000005FF0000-0x0000000005FF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-119-0x00000000059B0000-0x00000000059B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-123-0x0000000001920000-0x0000000001957000-memory.dmp
      Filesize

      220KB

      Download
    • memory/1456-120-0x0000000005AF0000-0x0000000005FEE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/1456-117-0x0000000005A00000-0x0000000005A01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1456-122-0x0000000001860000-0x00000000018D5000-memory.dmp
      Filesize

      468KB

      Download
    • memory/1716-196-0x0000000004C13000-0x0000000004C14000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1716-163-0x0000000004C10000-0x0000000004C11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1716-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1716-194-0x000000007FA30000-0x000000007FA31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1716-164-0x0000000004C12000-0x0000000004C13000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-193-0x000000007ECD0000-0x000000007ECD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-129-0x0000000007920000-0x0000000007921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-124-0x0000000000000000-mapping.dmp
      Download
    • memory/2056-165-0x0000000008270000-0x0000000008271000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-146-0x00000000082E0000-0x00000000082E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-140-0x00000000072E2000-0x00000000072E3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-138-0x00000000072E0000-0x00000000072E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-139-0x0000000008100000-0x0000000008101000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-136-0x0000000007F80000-0x0000000007F81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-128-0x0000000007240000-0x0000000007241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2056-197-0x00000000072E3000-0x00000000072E4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3020-131-0x0000000000000000-mapping.dmp
      Download
    • memory/3176-162-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/3176-148-0x0000000000413FA4-mapping.dmp
      Download
    • memory/3176-147-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download