Analysis

  • max time kernel
    150s
  • max time network
    110s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-04-2021 15:21

General

  • Target

    Vid_439430_pac_934843.exe

  • Size

    1.3MB

  • MD5

    ce572029aaca7d1613ec12caf4bcd431

  • SHA1

    ff71ea43c2af9304e2c3a61bb1f54879d092683e

  • SHA256

    be1f798fcf2591f54609b93ae15d8eccad68946aa02eebd48d7b8f015e468809

  • SHA512

    e3d419d1db0b335270696fc93f2f1c71919ea13e0622fe37976f6f1e75e95d0a34b5a0c83fbde270c4b5e02d850dd88958c6540e070e910fb2342a7b7be6dc35

Malware Config

Extracted

Family

remcos

C2

sungito.zklg.net:4033

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Vid_439430_pac_934843.exe
    "C:\Users\Admin\AppData\Local\Temp\Vid_439430_pac_934843.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\64481923\cksakbkn.pif
      "C:\Users\Admin\64481923\cksakbkn.pif" sptodpihal.tmp
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:3884

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 hit
  • Defense Evasion: Modify Registry (T1112), 1 hit
  • Discovery: System Information Discovery (T1082), 1 hit


Downloads

  • C:\Users\Admin\64481923\cksakbkn.pif
    MD5

    6b57334b6cde8f40e11ad21b9e878adf

    SHA1

    4a6e4ad50297b3d941a392fac503a6731fab6eac

    SHA256

    0ce3edfd31e07ed4e16495a92e107ca5b60e2e6ae938de2a57a565d2d7d256db

    SHA512

    8d0fb7a156d07b416b4d102eabb0ba06cac3696ca3205f0d69a21077c6011adf192cc30530c3716ad0fba92cfeb50d9dbf96f6a65c4955fde093a37d167e05ff

  • C:\Users\Admin\64481923\sptodpihal.tmp
    MD5

    c573ce59dd846967646f4021ccc92669

    SHA1

    c96bbf35ff635bbff0a191f3bdb046eb539141cb

    SHA256

    616d751dfaad93aaf626502db4132904753fc6f04e02544b4810b19071727a48

    SHA512

    eb972067822333f5b4eb79dd24fb1ca55f0c164b5135e72c6298f91cd6ba97686c2267c652a3f8c84a98d338b4d1d3fea6823604938f818f908c75aad0b2b0cc

  • C:\Users\Admin\64481923\wvwehlvk.jpg
    MD5

    ff72fe9f666078c6da13980312f8f6c6

    SHA1

    3bbb574ef4f5744d83397755475d046cf36cb7a4

    SHA256

    ca4fa2af0f6024a7cb35af4ba673ec4398272aadb7b9806136a5ddd1a13d1d61

    SHA512

    28744237a31e1ab07c7a7bfa13276fc4bb2c66746cc5335aa2d706e6481d39d539d9a366e9e938e942153ff3dbcfdc55f546b9478df54f8c3ed44b7a56438ac7

  • memory/2128-114-0x0000000000000000-mapping.dmp
  • memory/3884-119-0x0000000000D00000-0x0000000001322000-memory.dmp
    Filesize

    6.1MB

  • memory/3884-120-0x0000000000D2EEEF-mapping.dmp
  • memory/3884-121-0x0000000000D00000-0x0000000001322000-memory.dmp
    Filesize

    6.1MB