Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 30-04-2021 19:01
Static task: static1
Behavioral task: behavioral1
- Sample: No. 024OPSCON-INVIII2021.js
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: No. 024OPSCON-INVIII2021.js
- Resource: win10v20210408
General
- Target: No. 024OPSCON-INVIII2021.js
- Size: 242KB
- MD5: fc4340a7585070731daaf1f696a0f436
- SHA1: 8ad08a853156911c793861a4ac9f6d3636ced06f
- SHA256: 699ea201d2965d9515e01f981ab4006fd383ab17fd2f6996cc937f974dce39b2
- SHA512: e2ffb8cfb65a0ff4c0418069490a4ee0dbddb8ac585fc1f340bd4ba61ba17b9b8b53ea0693381801953391326846e52f3d287b5d1bc66fbd1a56921b6cb412e4
Malware Config
Extracted: remcos
- umuchu.hopto.org:2405
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  - 3980 RODS.exe
  - 688 remcos.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (RODS.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" (RODS.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (remcos.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\Remcos\\remcos.exe\"" (remcos.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (RODS.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 688 remcos.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 856 wrote to memory of 3980: 856 wscript.exe -> RODS.exe
  - PID 856 wrote to memory of 3980: 856 wscript.exe -> RODS.exe
  - PID 856 wrote to memory of 3980: 856 wscript.exe -> RODS.exe
  - PID 3980 wrote to memory of 508: 3980 RODS.exe -> WScript.exe
  - PID 3980 wrote to memory of 508: 3980 RODS.exe -> WScript.exe
  - PID 3980 wrote to memory of 508: 3980 RODS.exe -> WScript.exe
  - PID 508 wrote to memory of 200: 508 WScript.exe -> cmd.exe
  - PID 508 wrote to memory of 200: 508 WScript.exe -> cmd.exe
  - PID 508 wrote to memory of 200: 508 WScript.exe -> cmd.exe
  - PID 200 wrote to memory of 688: 200 cmd.exe -> remcos.exe
  - PID 200 wrote to memory of 688: 200 cmd.exe -> remcos.exe
  - PID 200 wrote to memory of 688: 200 cmd.exe -> remcos.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\No. 024OPSCON-INVIII2021.js"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RODS.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RODS.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
               Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RODS.exe
  MD5: 2de4e35c8603c78b4814fdf39852e620
  SHA1: 5ea9c317553aa760ef396dbf51a8a1f3c6969ecb
  SHA256: 35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275
  SHA512: 2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 2de4e35c8603c78b4814fdf39852e620
  SHA1: 5ea9c317553aa760ef396dbf51a8a1f3c6969ecb
  SHA256: 35f55fc5c08da65988fef28e13d4662769fdf47bd5c66add346cf1c56aa6f275
  SHA512: 2b3e603b6124daad69733d3d1169866eaec6e1fae83983ae4a8d9bfd5d84bc114446b9b14a63b85a87506912709cd5f37fdbe29e77ffe9a8d5038b053ab6dc9e
- memory/200-119-0x0000000000000000-mapping.dmp
- memory/508-117-0x0000000000000000-mapping.dmp
- memory/688-120-0x0000000000000000-mapping.dmp
- memory/3980-114-0x0000000000000000-mapping.dmp