Analysis
max time kernel: 155s
max time network: 154s
platform: windows10_x64
resource: win10-en
submitted: 15-09-2021 06:52

Static task: static1
Behavioral task: behavioral1
  Sample: c706dc84f854932a269f8bf43a9e4d97.exe
  Resource: win7-en
Behavioral task: behavioral2
  Sample: c706dc84f854932a269f8bf43a9e4d97.exe
  Resource: win10-en
General
Target: c706dc84f854932a269f8bf43a9e4d97.exe
Size: 917KB
MD5: c706dc84f854932a269f8bf43a9e4d97
SHA1: 6264f477e9ad508d04c0b59759f5f20d02889738
SHA256: 55f0daef2926b762aead4c49e47ebb9a19c1281cfa9b08e61de2a4cb2322d38b
SHA512: 968737f4d4ffa9aa95459a5d221e4390380e751baf7785ca444c1ef3f123ae58d9c64c605c1bcd997024428edadca70123a9e1de26a905e393fd914f7d083394
Malware Config
Extracted: remcos (version 3.2.0 Pro)
RemoteHost:
  freelife.hopto.org:2404
  freelife1.hopto.org:2404
  freelife2.hopto.org:2404
  freelife01.hopto.org:2404
  freelife3.hopto.org:2404
  freelife4.hopto.org:2404
  freelife5.hopto.org:2404
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: pastananiceforwhat-QQD2AI
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Signatures
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: c706dc84f854932a269f8bf43a9e4d97.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uhexymko = "C:\\Users\\Public\\Libraries\\okmyxehU.url"

Suspicious use of WriteProcessMemory (15 IoCs)
  Process: c706dc84f854932a269f8bf43a9e4d97.exe
  Description: PID 3908 wrote to memory of 2680
  Source process: c706dc84f854932a269f8bf43a9e4d97.exe (PID 3908)
  Target process: secinit.exe (PID 2680)
  (the same entry is listed 15 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c706dc84f854932a269f8bf43a9e4d97.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c706dc84f854932a269f8bf43a9e4d97.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\secinit.exe
      Command line: C:\Windows\System32\secinit.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/2680-120-0x0000000000000000-mapping.dmp
memory/2680-121-0x0000000000650000-0x0000000000651000-memory.dmp (Filesize: 4KB)
memory/2680-123-0x0000000010590000-0x000000001060C000-memory.dmp (Filesize: 496KB)
memory/2680-122-0x00000000006B0000-0x00000000006B1000-memory.dmp (Filesize: 4KB)
memory/2680-124-0x0000000000390000-0x0000000000391000-memory.dmp (Filesize: 4KB)
memory/2680-125-0x0000000000A70000-0x0000000000AE9000-memory.dmp (Filesize: 484KB)
memory/3908-119-0x0000000002230000-0x0000000002231000-memory.dmp (Filesize: 4KB)