Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    30-04-2021 06:20

General

  • Target

    VESSELS DETAILS.exe

  • Size

    1.9MB

  • MD5

    6db13d623c8337161d1ca3066c352162

  • SHA1

    571a08a4478c6aee97998122b59b8f7f2ba83f78

  • SHA256

    01b1f2041aaba6815657a7a7409a0843868459fa3cabf0c377a83862ac88a27f

  • SHA512

    1164e4b3bf020c4ddcac92d878027fb542937323a922d6ff993c11e23fe737959478eedb9a04e2f121a68aa7827ae704acef7f2bebe4c69efc9dbf4cdb7fef85

Score
10/10

Malware Config

Extracted

Family

remcos

C2

64.44.139.178:7200

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Remcos

    Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a remote access trojan (RAT).

  • Executes dropped EXE 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; in a Remcos sample it is better explained by the RAT's drive and file enumeration features.

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe
      "C:\Users\Admin\AppData\Local\Temp\VESSELS DETAILS.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Users\Admin\AppData\Local\Temp\._cache_VESSELS DETAILS.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_VESSELS DETAILS.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3900
            • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:3096
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1184
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Modifies registry class
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:3840
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
            5⤵
            • Executes dropped EXE
            PID:2900
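The process tree above reads as a chain: the dropper relaunches itself, writes a ._cache_-prefixed copy of the payload, runs install.vbs from Temp through WScript.exe, and has cmd.exe /c start remcos.exe from AppData\Roaming. The following Python is an added example, not part of the sandbox report, that turns the chain into hunt logic over Sysmon-style events. The events are constructed from the report's own PIDs, paths and hashes; the explorer.exe parent of PID 516 and the outbound connection to the configured C2 are assumptions (the report records no network events).

```python
"""Hunt logic for the Remcos delivery chain shown in the process tree.
Added example: the events below are CONSTRUCTED from the report's tree, not
sandbox telemetry; the explorer.exe parent and the C2 connection are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IOCs copied from the report
C2_IOC = "64.44.139.178:7200"
PAYLOAD_SHA256 = {
    "e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1",  # remcos.exe / ._cache_* copies
    "6a27b78dfc13a80e82d04620260cd32423d2ee7c6b9644d2de19fb9b660ecfd4",  # C:\ProgramData\Synaptics\Synaptics.exe
}

TEMP_VBS = re.compile(r"\\appdata\\local\\temp\\[^\"]*\.vbs\b", re.I)
ROAMING_EXE = re.compile(r"\\appdata\\roaming\\[^\"]*\.exe\b", re.I)
CMD_C = re.compile(r"\s/c\s", re.I)


@dataclass
class Event:
    """One Sysmon-style record: a process creation, or a network connection if dst is set."""
    pid: int
    image: str
    cmdline: str = ""
    parent_image: str = ""
    sha256: str = ""
    dst: str = ""  # "ip:port", network-connection events only


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check(ev: Event) -> List[str]:
    """Return the names of every rule the event matches."""
    hits: List[str] = []
    if ev.dst:
        if ev.dst == C2_IOC:
            hits.append("c2_connect")
        return hits
    name = basename(ev.image)
    if ev.sha256.lower() in PAYLOAD_SHA256:
        hits.append("known_payload_hash")
    # a binary relaunching itself is how the hollowed child (PIDs 216, 3840) appears
    if ev.parent_image and basename(ev.parent_image) == name:
        hits.append("self_spawn")
    if name == "wscript.exe" and TEMP_VBS.search(ev.cmdline):
        hits.append("wscript_temp_vbs")
    if name == "cmd.exe" and CMD_C.search(ev.cmdline) and ROAMING_EXE.search(ev.cmdline):
        hits.append("cmd_launch_roaming_exe")
    if name.startswith("._cache_"):
        hits.append("cache_prefixed_drop")
    return hits


def triage(events: List[Event]) -> Tuple[str, Dict[str, List[int]]]:
    """Aggregate rule hits. A verdict needs an IOC hit plus two behavioural hits,
    because self_spawn on its own is routine for browsers and installers."""
    findings: Dict[str, List[int]] = {}
    for ev in events:
        for rule in check(ev):
            findings.setdefault(rule, []).append(ev.pid)
    ioc_rules = {"c2_connect", "known_payload_hash"}
    ioc_hit = bool(ioc_rules & set(findings))
    behavioural = len(set(findings) - ioc_rules)
    if ioc_hit and behavioural >= 2:
        return "remcos_chain", findings
    if behavioural >= 2:
        return "suspicious", findings
    return "clean", findings


T = r"C:\Users\Admin\AppData\Local\Temp"
PAYLOAD = "e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1"
SAMPLE_EVENTS = [  # constructed to mirror the report's process tree
    Event(516, T + r"\VESSELS DETAILS.exe", parent_image=r"C:\Windows\explorer.exe"),  # parent assumed
    Event(216, T + r"\VESSELS DETAILS.exe", parent_image=T + r"\VESSELS DETAILS.exe"),
    Event(3988, T + r"\._cache_VESSELS DETAILS.exe", parent_image=T + r"\VESSELS DETAILS.exe", sha256=PAYLOAD),
    Event(3332, r"C:\Windows\SysWOW64\WScript.exe",
          cmdline=r'"C:\Windows\System32\WScript.exe" "' + T + r'\install.vbs"',
          parent_image=T + r"\._cache_VESSELS DETAILS.exe"),
    Event(3900, r"C:\Windows\SysWOW64\cmd.exe",
          cmdline=r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"',
          parent_image=r"C:\Windows\SysWOW64\WScript.exe"),
    Event(3096, r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe",
          parent_image=r"C:\Windows\SysWOW64\cmd.exe", sha256=PAYLOAD),
    Event(3096, r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe", dst=C2_IOC),  # beacon assumed
]

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_EVENTS)
    print(verdict)
    for rule, pids in findings.items():
        print(f"  {rule}: {pids}")
```

The hash and C2 rules are brittle (a rebuilt sample changes both), so the verdict leans on the behavioural rules, which describe the installer chain rather than this particular binary; the self-spawn rule is kept weak on purpose and only counts in combination.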

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Winlogon Helper DLL (T1004): 1 signature
    Registry Run Keys / Startup Folder (T1060): 1 signature
  • Defense Evasion
    Modify Registry (T1112): 3 signatures
    Install Root Certificate (T1130): 1 signature
  • Discovery
    Query Registry (T1012): 1 signature
    System Information Discovery (T1082): 2 signatures

The technique IDs follow ATT&CK v6, as the report states. In current ATT&CK, T1004 is T1547.004 and T1060 is T1547.001 (both under Boot or Logon Autostart Execution), and T1130 is T1553.004 (Subvert Trust Controls: Install Root Certificate).

Downloads

The three copies of the Remcos payload (._cache_VESSELS DETAILS.exe, ._cache_Synaptics.exe and remcos.exe) carry identical hashes, so one IOC covers all of them; Synaptics.exe is a distinct binary. In the memory dumps below, PID 216 and PID 3840 hold the same 1.2MB image at 0x400000-0x534000 with the same mapping offset 0x49AB80, consistent with the SetThreadContext-based injection flagged on their parent processes.

  • C:\ProgramData\Synaptics\Synaptics.exe
    MD5

    5f72e98442115eb66da8abc96c3ae68d

    SHA1

    aa33377e1a214637b132ac805aef704376ec97c5

    SHA256

    6a27b78dfc13a80e82d04620260cd32423d2ee7c6b9644d2de19fb9b660ecfd4

    SHA512

    9354aacd8b2daf39b93858e8f5aa66801d2a77f73a9cf6ce3d910a8aacfe25aa6a01f8c2e39b05d291bc7b7c62cb100f9bbabc1e400210fb3f177ef828269c21

  • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    MD5

    f4e04ce181bf25a30e3d0cb1ce282c9e

    SHA1

    24c0528a9e5c864980657f646ed5bed615291f15

    SHA256

    e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1

    SHA512

    b3124d0c31be65f5d0d2239513144a2943421362c0b804e0df1f4cc0c47e41f3466be619c17fe88f6a73cc2b6297be893e763b4b2f702adba583fe19e1caed22

  • C:\Users\Admin\AppData\Local\Temp\._cache_VESSELS DETAILS.exe
    MD5

    f4e04ce181bf25a30e3d0cb1ce282c9e

    SHA1

    24c0528a9e5c864980657f646ed5bed615291f15

    SHA256

    e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1

    SHA512

    b3124d0c31be65f5d0d2239513144a2943421362c0b804e0df1f4cc0c47e41f3466be619c17fe88f6a73cc2b6297be893e763b4b2f702adba583fe19e1caed22

  • C:\Users\Admin\AppData\Local\Temp\install.vbs
    MD5

    b92d64fe5b1d1f59df4b738262aea8df

    SHA1

    c8fb1981759c2d9bb2ec91b705985fba5fc7af63

    SHA256

    fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

    SHA512

    2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

  • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
    MD5

    f4e04ce181bf25a30e3d0cb1ce282c9e

    SHA1

    24c0528a9e5c864980657f646ed5bed615291f15

    SHA256

    e969587901730f24d85569f0a5b3fec0be6754c4edb20f9dcea6430e4a0bf4a1

    SHA512

    b3124d0c31be65f5d0d2239513144a2943421362c0b804e0df1f4cc0c47e41f3466be619c17fe88f6a73cc2b6297be893e763b4b2f702adba583fe19e1caed22

  • memory/216-115-0x0000000000400000-0x0000000000534000-memory.dmp
    Filesize

    1.2MB

  • memory/216-116-0x000000000049AB80-mapping.dmp
  • memory/216-117-0x0000000000400000-0x0000000000534000-memory.dmp
    Filesize

    1.2MB

  • memory/216-118-0x0000000000F00000-0x000000000104A000-memory.dmp
    Filesize

    1.3MB

  • memory/516-114-0x0000000001500000-0x00000000015AE000-memory.dmp
    Filesize

    696KB

  • memory/1184-127-0x00000000015D0000-0x00000000015D1000-memory.dmp
    Filesize

    4KB

  • memory/1184-123-0x0000000000000000-mapping.dmp
  • memory/2900-137-0x0000000000000000-mapping.dmp
  • memory/3096-129-0x0000000000000000-mapping.dmp
  • memory/3332-122-0x0000000000000000-mapping.dmp
  • memory/3840-133-0x000000000049AB80-mapping.dmp
  • memory/3840-135-0x0000000000400000-0x0000000000534000-memory.dmp
    Filesize

    1.2MB

  • memory/3840-136-0x0000000000B50000-0x0000000000B51000-memory.dmp
    Filesize

    4KB

  • memory/3900-128-0x0000000000000000-mapping.dmp
  • memory/3988-119-0x0000000000000000-mapping.dmp