Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-08-2021 11:31

Static task: static1

Behavioral task: behavioral1
- Sample: Angebotsanfrage - Order-00132E,pdf.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: Angebotsanfrage - Order-00132E,pdf.exe
- Resource: win10v20210408
General
- Target: Angebotsanfrage - Order-00132E,pdf.exe
- Size: 1020KB
- MD5: 4cbc5df423aca14b9102340af4f3defc
- SHA1: bbcd8057225afc8f1c68fa5670da07c8187b9b34
- SHA256: 8d076437949873b971f9534e630ebe26a8437f50786c430eaeb46c71d53a88e5
- SHA512: 6859bb6f60a5af6ffa8ba94dad41499cda9405e3a3e133040be3bf0591cb5d67e5f47f3455c4f40b9517563e78c0cedf794fb01523d1a50a60e50e49616bb37b
Malware Config
Extracted
- Family: remcos
- Botnet: LAS LAS
- C2: goddywin.freedynamicdns.net:4108
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-YZ590Y
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
- Blocklisted process makes network request (64 IoCs)
  Processes (flow / pid / process):
  flows 24-51, 53, 55-83, 85, 87-91; every one of the 64 flows from pid 3580, process mshta.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yggfenf = "C:\\Users\\Public\\Libraries\\fnefggY.url"; process: Angebotsanfrage - Order-00132E,pdf.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / process / target process):
  PID 632 wrote to memory of 3580; source process: Angebotsanfrage - Order-00132E,pdf.exe; target process: mshta.exe (this same entry is recorded 15 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage - Order-00132E,pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Angebotsanfrage - Order-00132E,pdf.exe"
   PID: 632
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\mshta.exe (child of PID 632)
      Command line: C:\Windows\System32\mshta.exe
      PID: 3580
      - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/632-115-0x0000000002510000-0x000000000252B000-memory.dmp (Filesize 108KB)
- memory/632-118-0x00000000022F0000-0x00000000022F1000-memory.dmp (Filesize 4KB)
- memory/3580-119-0x0000000000000000-mapping.dmp
- memory/3580-121-0x00000000029B0000-0x00000000029B1000-memory.dmp (Filesize 4KB)
- memory/3580-122-0x0000000002A00000-0x0000000002A01000-memory.dmp (Filesize 4KB)
- memory/3580-120-0x0000000002830000-0x0000000002831000-memory.dmp (Filesize 4KB)
- memory/3580-123-0x0000000010590000-0x000000001060D000-memory.dmp (Filesize 500KB)
- memory/3580-124-0x0000000002A50000-0x0000000002ACA000-memory.dmp (Filesize 488KB)