Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 04-10-2021 13:25
- Static task: static1
- Behavioral task: behavioral1
  Sample: BETT AWB8876E73_SEPT1721,pdf.exe
  Resource: win7-en-20210920
- Behavioral task: behavioral2
  Sample: BETT AWB8876E73_SEPT1721,pdf.exe
  Resource: win10v20210408
General
- Target: BETT AWB8876E73_SEPT1721,pdf.exe
- Size: 1.4MB
- MD5: 2177743409ec5fd02a58e371ad413429
- SHA1: b739d4ee9fe36a1ac527e588ce3f05f8fc73c322
- SHA256: b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e
- SHA512: f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5
Malware Config
Extracted: remcos
- Version: 3.2.1 Pro
- Botnet: CELEBRATION
- C2: ongod4ever.ddns.net:3030
Attributes:
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-FCUJUB
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    528 ewtewbhdds.exe
    1572 mscorsvw.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe (BETT AWB8876E73_SEPT1721,pdf.exe)
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe (BETT AWB8876E73_SEPT1721,pdf.exe)
- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    1336 BETT AWB8876E73_SEPT1721,pdf.exe
    528 ewtewbhdds.exe
- Obfuscated with Agile.Net obfuscator (1 IoC)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Resource: behavioral1/memory/1336-56-0x0000000000540000-0x0000000000561000-memory.dmp (yara_rule: agile_net)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\wetewudjhdfdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ewtewbhdds.exe" (reg.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 528 (ewtewbhdds.exe) set thread context of PID 1572 (mscorsvw.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    1336 BETT AWB8876E73_SEPT1721,pdf.exe (4 times)
    528 ewtewbhdds.exe (2 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, PID 1336 (BETT AWB8876E73_SEPT1721,pdf.exe)
    Token: SeDebugPrivilege, PID 528 (ewtewbhdds.exe)
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes (description, pid, process, target process):
    PID 1336 (BETT AWB8876E73_SEPT1721,pdf.exe) wrote to memory of PID 1700 (cmd.exe): 4 times
    PID 1700 (cmd.exe) wrote to memory of PID 1356 (reg.exe): 4 times
    PID 1336 (BETT AWB8876E73_SEPT1721,pdf.exe) wrote to memory of PID 528 (ewtewbhdds.exe): 4 times
    PID 528 (ewtewbhdds.exe) wrote to memory of PID 1572 (mscorsvw.exe): 13 times
Processes
- C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe"
  Signatures: Drops startup file; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
      Signatures: Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
  MD5: 53076abbb58ebffb79177bef0db30888
  SHA1: a7f51030b39b42ef54afba08124908179a6f5e85
  SHA256: f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b
  SHA512: 19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
  MD5: 2177743409ec5fd02a58e371ad413429
  SHA1: b739d4ee9fe36a1ac527e588ce3f05f8fc73c322
  SHA256: b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e
  SHA512: f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5
- memory/528-64-0x0000000000BC0000-0x0000000000BC1000-memory.dmp (4KB)
- memory/528-68-0x0000000004C11000-0x0000000004C12000-memory.dmp (4KB)
- memory/528-70-0x0000000000820000-0x0000000000821000-memory.dmp (4KB)
- memory/528-69-0x00000000005F0000-0x00000000005FB000-memory.dmp (44KB)
- memory/528-61-0x0000000000000000-mapping.dmp
- memory/528-66-0x0000000004C10000-0x0000000004C11000-memory.dmp (4KB)
- memory/1336-53-0x0000000000890000-0x0000000000891000-memory.dmp (4KB)
- memory/1336-59-0x0000000004CF1000-0x0000000004CF2000-memory.dmp (4KB)
- memory/1336-56-0x0000000000540000-0x0000000000561000-memory.dmp (132KB)
- memory/1336-55-0x0000000004CF0000-0x0000000004CF1000-memory.dmp (4KB)
- memory/1356-58-0x0000000000000000-mapping.dmp
- memory/1572-73-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1572-74-0x000000000042F71D-mapping.dmp
- memory/1572-76-0x0000000074C71000-0x0000000074C73000-memory.dmp (8KB)
- memory/1572-77-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1700-57-0x0000000000000000-mapping.dmp