Analysis
- max time kernel: 88s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 04-10-2021 13:25
Static task: static1
Behavioral task: behavioral1
- Sample: BETT AWB8876E73_SEPT1721,pdf.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: BETT AWB8876E73_SEPT1721,pdf.exe
- Resource: win10v20210408
General
- Target: BETT AWB8876E73_SEPT1721,pdf.exe
- Size: 1.4MB
- MD5: 2177743409ec5fd02a58e371ad413429
- SHA1: b739d4ee9fe36a1ac527e588ce3f05f8fc73c322
- SHA256: b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e
- SHA512: f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5
Malware Config
Extracted
- Family: remcos
- Version: 3.2.1 Pro
- Botnet: CELEBRATION
- C2: ongod4ever.ddns.net:3030
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-FCUJUB
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  4072 | ewtewbhdds.exe
  740  | mscorsvw.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe | BETT AWB8876E73_SEPT1721,pdf.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe | BETT AWB8876E73_SEPT1721,pdf.exe
- Obfuscated with Agile.Net obfuscator (4 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes:
  resource | yara_rule
  behavioral2/memory/3716-120-0x0000000005D20000-0x0000000005D41000-memory.dmp | agile_net
  behavioral2/memory/3716-125-0x0000000004FB0000-0x000000000504C000-memory.dmp | agile_net
  behavioral2/memory/4072-137-0x0000000004EA0000-0x0000000004F3C000-memory.dmp | agile_net
  behavioral2/memory/4072-138-0x0000000004EA0000-0x0000000004F3C000-memory.dmp | agile_net
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wetewudjhdfdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ewtewbhdds.exe" | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 4072 set thread context of 740 | 4072 | ewtewbhdds.exe | mscorsvw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid  | pid_target | process      | target process
  3888 | 740        | WerFault.exe | mscorsvw.exe
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes:
  pid  | process                          | occurrences
  3716 | BETT AWB8876E73_SEPT1721,pdf.exe | 15
  4072 | ewtewbhdds.exe                   | 2
  3888 | WerFault.exe                     | 14
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3716 | BETT AWB8876E73_SEPT1721,pdf.exe
  Token: SeDebugPrivilege | 4072 | ewtewbhdds.exe
  Token: SeRestorePrivilege | 3888 | WerFault.exe
  Token: SeBackupPrivilege | 3888 | WerFault.exe
  Token: SeDebugPrivilege | 3888 | WerFault.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description | pid | process | target process | occurrences
  PID 3716 wrote to memory of 2980 | 3716 | BETT AWB8876E73_SEPT1721,pdf.exe | cmd.exe | 3
  PID 2980 wrote to memory of 764 | 2980 | cmd.exe | reg.exe | 3
  PID 3716 wrote to memory of 4072 | 3716 | BETT AWB8876E73_SEPT1721,pdf.exe | ewtewbhdds.exe | 3
  PID 4072 wrote to memory of 740 | 4072 | ewtewbhdds.exe | mscorsvw.exe | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BETT AWB8876E73_SEPT1721,pdf.exe"
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wetewudjhdfdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
      - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe"
      - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 568
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mscorsvw.exe
  MD5: 53076abbb58ebffb79177bef0db30888
  SHA1: a7f51030b39b42ef54afba08124908179a6f5e85
  SHA256: f7c22d1ac8bd67e0423dfd4929eb1dcebada6e32a573c6228171e7bef2c2b76b
  SHA512: 19eed50bca35358af182d000eb005f587dce54643294040b41b472e8a1754df28122579bb8d79d2cd2f430ca9b4134ca6c5369b30b922e8b146a8bbfaeb6f9eb
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ewtewbhdds.exe
  MD5: 2177743409ec5fd02a58e371ad413429
  SHA1: b739d4ee9fe36a1ac527e588ce3f05f8fc73c322
  SHA256: b3830ac26206a05fa89bb58269aab31ec7edb2cd1c77c9bea6332e53363eb83e
  SHA512: f6d21a56c5ed89c3f8fffcd5720ec774ad48f2f53d1fa23a45957a8e7d4f869c67531d85e908c0756328382d3acc3723653a1f5eff3a86f91d7859ebc42db5b5
- memory/740-152-0x0000000000820000-0x0000000000899000-memory.dmp (Filesize: 484KB)
- memory/740-144-0x0000000000820000-0x0000000000899000-memory.dmp (Filesize: 484KB)
- memory/740-142-0x000000000042F71D-mapping.dmp
- memory/764-124-0x0000000000000000-mapping.dmp
- memory/2980-123-0x0000000000000000-mapping.dmp
- memory/3716-125-0x0000000004FB0000-0x000000000504C000-memory.dmp (Filesize: 624KB)
- memory/3716-119-0x0000000005C80000-0x0000000005C81000-memory.dmp (Filesize: 4KB)
- memory/3716-122-0x0000000005DA0000-0x0000000005DA1000-memory.dmp (Filesize: 4KB)
- memory/3716-116-0x00000000050C0000-0x00000000050C1000-memory.dmp (Filesize: 4KB)
- memory/3716-121-0x0000000005DE0000-0x0000000005DE1000-memory.dmp (Filesize: 4KB)
- memory/3716-117-0x0000000004FB0000-0x000000000504C000-memory.dmp (Filesize: 624KB)
- memory/3716-118-0x0000000006090000-0x0000000006091000-memory.dmp (Filesize: 4KB)
- memory/3716-114-0x00000000005D0000-0x00000000005D1000-memory.dmp (Filesize: 4KB)
- memory/3716-120-0x0000000005D20000-0x0000000005D41000-memory.dmp (Filesize: 132KB)
- memory/4072-140-0x0000000007070000-0x0000000007071000-memory.dmp (Filesize: 4KB)
- memory/4072-139-0x0000000007060000-0x000000000706B000-memory.dmp (Filesize: 44KB)
- memory/4072-138-0x0000000004EA0000-0x0000000004F3C000-memory.dmp (Filesize: 624KB)
- memory/4072-137-0x0000000004EA0000-0x0000000004F3C000-memory.dmp (Filesize: 624KB)
- memory/4072-126-0x0000000000000000-mapping.dmp