Analysis
- Max time kernel: 149s
- Max time network: 149s
- Platform: windows7_x64
- Resource: win7v20210408
- Submitted: 05-05-2021 19:01
Static task: static1
Behavioral task: behavioral1
- Sample: 9f7ef650ee32895e313edc085fbc29f9.exe
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 9f7ef650ee32895e313edc085fbc29f9.exe
- Resource: win10v20210410
General
- Target: 9f7ef650ee32895e313edc085fbc29f9.exe
- Size: 455KB
- MD5: 9f7ef650ee32895e313edc085fbc29f9
- SHA1: bcde3f8d90c9b0d3ad79785f77a089003260fedc
- SHA256: 02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa
- SHA512: c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50
Malware Config
- Extracted family: remcos
- C2 hosts (host:port):
  fieldsdegreenf.duckdns.org:6553
  aaeeerbbbeee.duckdns.org:6553
Both hosts are dynamic-DNS names on the same non-standard port; block or alert on the port/domain pair rather than on the resolved IP, which the operator can rotate at will.
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 1652 remcos.exe
- Loads dropped DLL (2 IoCs)
  Process: PID 1716 cmd.exe (2 entries)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Key created by 9f7ef650ee32895e313edc085fbc29f9.exe: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Set value (str) by 9f7ef650ee32895e313edc085fbc29f9.exe: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
  Key created by remcos.exe: same key
  Set value (str) by remcos.exe: same value name and data
  The value data is the quoted path to the dropped copy, so the RAT restarts at every logon of this user. This is an HKCU Run key, so no elevation was needed to set it.
- Suspicious use of SetThreadContext (1 IoC)
  PID 1652 remcos.exe set thread context of PID 1072 svchost.exe
  Together with the thirteen WriteProcessMemory calls into the same PID (below) and the 480KB region dumped from 0x400000 in PID 1072 (see Downloads), this is consistent with process hollowing: remcos.exe spawns a 32-bit svchost.exe, writes its payload into it and points the thread at the injected code.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic annotation for this signature is "likely ransomware behaviour", but drive enumeration is not ransomware-specific and the extracted config identifies the sample as Remcos, a remote access tool; read this as remote file-browsing capability, not encryption.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: PID 1652 remcos.exe
  A hook install is the usual mechanism for keylogging; the report does not show which hook type was set.
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 1920 9f7ef650ee32895e313edc085fbc29f9.exe -> PID 1360 WScript.exe (4 writes)
  PID 1360 WScript.exe -> PID 1716 cmd.exe (4 writes)
  PID 1716 cmd.exe -> PID 1652 remcos.exe (4 writes)
  PID 1652 remcos.exe -> PID 1072 svchost.exe (13 writes)
  Each parent in the chain writes to its child four times at creation; only the thirteen writes from remcos.exe into svchost.exe, followed by SetThreadContext, are the injection itself.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9f7ef650ee32895e313edc085fbc29f9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f7ef650ee32895e313edc085fbc29f9.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            Command line: C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: C:\Windows\SysWOW64\svchost.exe
The command lines name System32 while the image paths are under SysWOW64: the sample is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 for everything it spawns. A svchost.exe started with no "-k" service-group argument by an executable in the user's roaming profile is itself a strong signal; the legitimate service host is always launched by services.exe with a group argument.
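As a hunting aid, here is an added example that turns the chain above into detection rules over Sysmon-style events. It is not part of the sandbox report and not Remcos code. The events are constructed to mirror this report's process tree, Run key write and extracted C2 hosts; the beacon event is hypothetical, since the report's Network section is empty. Field names follow Sysmon's EventID 1 (process create), 13 (registry value set) and 3 (network connect) schema.

```python
"""Hunt for the Remcos execution chain documented in this report.

Added example, not part of the sandbox report or of Remcos itself. It runs
detection logic over Sysmon-style events (EventID 1 = process create,
13 = registry value set, 3 = network connect). SAMPLE_EVENTS is constructed
to mirror the report's process tree, Run key write and extracted C2 config;
the network event is hypothetical because the report's Network tab is empty.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IoCs taken from the report: extracted Remcos config and the Run key value.
C2_HOSTS = {"fieldsdegreenf.duckdns.org", "aaeeerbbbeee.duckdns.org"}
C2_PORT = 6553
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
APPDATA_EXE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\.*\.exe", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _ancestry(pid: int, procs: dict) -> list[str]:
    """Image names from pid up the parent chain, stopping at an unknown parent."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["Image"].rsplit("\\", 1)[-1].lower())
        pid = procs[pid].get("ParentProcessId")
    return chain


def detect(events: list[dict]) -> list[Finding]:
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings: list[Finding] = []
    for e in events:
        if e["EventID"] == 13:
            # Persistence: a Run value whose data is an executable in the user profile.
            if RUN_VALUE_RE.search(e["TargetObject"]) and APPDATA_EXE_RE.search(e["Details"]):
                findings.append(Finding("run_key_appdata", e["ProcessId"], f"{e['TargetObject']} = {e['Details']}"))
        elif e["EventID"] == 1:
            chain = _ancestry(e["ProcessId"], procs)  # chain[0] is the process itself
            # Execution chain: an AppData executable reached via WScript.exe -> cmd.exe.
            if APPDATA_EXE_RE.search(e["Image"]) and chain[1:3] == ["cmd.exe", "wscript.exe"]:
                findings.append(Finding("script_host_launch_chain", e["ProcessId"], " <- ".join(chain)))
            # Hollowing candidate: svchost.exe with no -k group or not started by services.exe.
            if chain[0] == "svchost.exe":
                parent = chain[1] if len(chain) > 1 else "<unknown>"
                has_group = "-k" in e["CommandLine"].lower().split()
                if not has_group or parent != "services.exe":
                    findings.append(Finding("svchost_hollowing_candidate", e["ProcessId"],
                                            f"parent={parent} cmdline={e['CommandLine']}"))
        elif e["EventID"] == 3:
            host = e.get("DestinationHostname", "").lower()
            port = e.get("DestinationPort")
            # Exact config match, or any duckdns.org host on the configured port (rotated subdomains).
            if host in C2_HOSTS or (host.endswith(".duckdns.org") and port == C2_PORT):
                findings.append(Finding("c2_config_match", e["ProcessId"], f"{host}:{port}"))
    return findings


# Constructed events mirroring the report's process tree (PIDs as reported).
SID = r"HKU\S-1-5-21-2455352368-1077083310-2879168483-1000"
RUN_VALUE = SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Remcos"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1920, "ParentProcessId": 1000,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\9f7ef650ee32895e313edc085fbc29f9.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\9f7ef650ee32895e313edc085fbc29f9.exe"'},
    {"EventID": 13, "ProcessId": 1920, "TargetObject": RUN_VALUE, "Details": f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 1360, "ParentProcessId": 1920, "Image": r"C:\Windows\SysWOW64\WScript.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"EventID": 1, "ProcessId": 1716, "ParentProcessId": 1360, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ' + f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 1652, "ParentProcessId": 1716, "Image": DROPPED, "CommandLine": DROPPED},
    {"EventID": 13, "ProcessId": 1652, "TargetObject": RUN_VALUE, "Details": f'"{DROPPED}"'},
    {"EventID": 1, "ProcessId": 1072, "ParentProcessId": 1652, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r"C:\Windows\SysWOW64\svchost.exe"},
    # Benign control: a real service host started by services.exe with a group argument.
    {"EventID": 1, "ProcessId": 500, "ParentProcessId": 400, "Image": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\services.exe"},
    {"EventID": 1, "ProcessId": 600, "ParentProcessId": 500, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    # Hypothetical beacon from the hollowed svchost.exe to the first configured C2 host.
    {"EventID": 3, "ProcessId": 1072, "DestinationHostname": "fieldsdegreenf.duckdns.org", "DestinationPort": 6553},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The svchost rule deliberately fires on either condition (missing "-k" group or wrong parent) because a hollowed host can be given a plausible command line; the parent check is the harder one for an attacker running from a user profile to satisfy. The benign services.exe/svchost.exe pair is included so the rule can be seen not to fire on a normal service host.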
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: b92d64fe5b1d1f59df4b738262aea8df
  SHA1: c8fb1981759c2d9bb2ec91b705985fba5fc7af63
  SHA256: fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a
  SHA512: 2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2
- C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 9f7ef650ee32895e313edc085fbc29f9
  SHA1: bcde3f8d90c9b0d3ad79785f77a089003260fedc
  SHA256: 02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa
  SHA512: c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50
  These hashes are identical to the submitted sample: the dropper copies itself unchanged to %APPDATA%\Remcos\remcos.exe and the Run key points at that copy, so a hash-based block on the original file also covers the persisted one.
- \Users\Admin\AppData\Roaming\Remcos\remcos.exe
  MD5: 9f7ef650ee32895e313edc085fbc29f9
  SHA1: bcde3f8d90c9b0d3ad79785f77a089003260fedc
  SHA256: 02650bdf290724edd38abc7e303ff74ca1fc7fba26f3f0dcead22cdce5b9b3fa
  SHA512: c79c2c31aeb6c22ede5cdfbf1c7b5428be304327b0f9ccd000f094ccbb9ec0a871bb5f5217ec7e98ea05917f6ae927a1082dd80adcc9bd0a35c26daac8de0e50
- memory/1072-71: 0x0000000000400000-0x0000000000478000 memory.dmp (480KB)
- memory/1072-72: 0x000000000042EEEF mapping.dmp
- memory/1072-74: 0x0000000000400000-0x0000000000478000 memory.dmp (480KB)
- memory/1360-61: 0x0000000000000000 mapping.dmp
- memory/1652-68: 0x0000000000000000 mapping.dmp
- memory/1716-64: 0x0000000000000000 mapping.dmp
- memory/1920-60: 0x0000000076691000-0x0000000076693000 memory.dmp (8KB)
The two 480KB dumps of PID 1072 cover 0x400000-0x478000, the image range of the hollowed svchost.exe, and 0x42EEEF inside that range is most likely the entry point set via SetThreadContext. These dumps, rather than the on-disk remcos.exe, are where to look for the unpacked Remcos payload and its configuration.