Analysis
-
max time kernel
302s -
max time network
326s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
19-08-2021 12:37
General
-
Target
HOH76746.js
-
Size
1.7MB
-
MD5
e261e68bcae0c10642170416082702b7
-
SHA1
6c9b48b65090ec13326a07bef72b1c3995f72513
-
SHA256
f126bcd906ba8815594cd987e4ba8852bccd58d813ac415a626e66ab5a395db2
-
SHA512
05979d43fee175648476accc5562a02c9736337e21ca850ce893791365f5b54f55f9b6813cc0a20d2781ba09c16b6425ee01cb853ab546e049bc1e7e03dd8818
Malware Config
Extracted
remcos
3.2.0 Pro
250million
www.ommi-it.com:8760
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
250million-2CWGNX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Blocklisted process makes network request 32 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops startup file 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\HOH76746.js1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.js"2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\250million.exe"C:\Users\Admin\AppData\Roaming\250million.exe"2⤵
- Executes dropped EXE
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\250million.exeMD5
d9569e6f7afd3afb9debc99245595adb
SHA1b3e25ed7212be6a1fb0567a14fe9385941086794
SHA256e3f38af5cd488978bbc4156eb62e881c04df48055f5e6819eabcca429c9051d7
SHA512f195cebe98d30bb2a0ca7c07cd984a22cd201288d75e15f000ff41d901f09f825a591d71e4799ab320892b8625a62196e792ce57eb618ef6b3ceb826a8bb9a21
-
C:\Users\Admin\AppData\Roaming\OrmKzxDqEk.jsMD5
4ddac2fa49c2f9f17a5faad271025659
SHA1575f942637af4b6e75eba0d046acd7ab67914714
SHA256810c2f963f1741e83aae85cd7e93a99435557f230966cb6632ca405e9482df34
SHA512d26169bd1430337a6dc27b2a75238108701c670bafb52b44f9d07ef70e3dd0b0d385009d7317e06ab159e6be0b41c1c6e356a82e8cb9c88ebd68fbcb77a2bd2f
-
memory/1212-61-0x0000000000000000-mapping.dmp
-
memory/1632-60-0x000007FEFBAB1000-0x000007FEFBAB3000-memory.dmpFilesize
8KB
-
memory/1960-63-0x0000000000000000-mapping.dmp
-
memory/1960-65-0x0000000075411000-0x0000000075413000-memory.dmpFilesize
8KB