Analysis
max time kernel: 159s
max time network: 160s
platform: windows10_x64
resource: win10-en-20210920
submitted: 14-10-2021 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: New Order List & Specification.scr
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: New Order List & Specification.scr
  Resource: win10-en-20210920
General
Target: New Order List & Specification.scr
Size: 1.3MB
MD5: 39f59475d4b4672638a90ac2e475cd90
SHA1: 0fdabe47559fab6484f383fab08a451be9879f65
SHA256: 13a65e23f4c45234d2e73ce746b29a13b10df6f5a7508087029432aa62d458c5
SHA512: f26355f9da0afa11fcc8782bad79c293735ba7a099f54b9bd60195122f9e7687ac322f93eba5d0caa7c0f2d49e7a4ce4f464bbb6cf08efb71e0cc998511b8b9d
Malware Config
Extracted: remcos
OCTOBER-$$$$
mgc0147.hopto.org:2930
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-3MPDYA
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
Signatures
Executes dropped EXE (2 IoCs)
  Processes:
    pid 1020  osgexnsck.pif
    pid 1064  RegSvcs.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run  (process: osgexnsck.pif)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\43719123\\OSGEXN~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\43719123\\tqsxtg.ekv"  (process: osgexnsck.pif)
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 1020 (osgexnsck.pif) set thread context of PID 1064 (RegSvcs.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 1020  osgexnsck.pif
    pid 1020  osgexnsck.pif
Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
    pid 1020  osgexnsck.pif
    pid 1064  RegSvcs.exe
    pid 1064  RegSvcs.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  Processes:
    PID 1860 (New Order List & Specification.scr) wrote to memory of PID 1020 (osgexnsck.pif)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 3584 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 4064 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 1072 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 344 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 3660 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 1428 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 876 (mshta.exe)  (3 entries)
    PID 1020 (osgexnsck.pif) wrote to memory of PID 1064 (RegSvcs.exe)  (5 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\New Order List & Specification.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\New Order List & Specification.scr" /S
  PID: 1860
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\43719123\osgexnsck.pif
    Command line: "C:\Users\Admin\AppData\Roaming\43719123\osgexnsck.pif" tqsxtg.ekv
    PID: 1020
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 3584
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 4064
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 1072
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 344
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 3660
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 1428
    C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe"
      PID: 876
    C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 1064
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
C:\Users\Admin\AppData\Roaming\43719123\fcdi.mp3
  MD5: d40d39871eb1e08fb898f0f58dd9c138
  SHA1: c3e45c711297c286f8cf2e8ba1b35c7d545f1771
  SHA256: a1ec2daca2043eb4681d6b73b1e30ef93ad39ff794a1728d8d30a9cb2092c708
  SHA512: 6a57255ff93d41d3e70b6e8a290aaf43f49d94f0f08dbe61bdd3f0f9cb5da0632acbb4b19d71cfc3a6b919cbca7c6e3952a347730238f598e75d886c405175ae
C:\Users\Admin\AppData\Roaming\43719123\osgexnsck.pif
  MD5: 279dae7236f5f2488a4bacde6027f730
  SHA1: 29a012e5259739f24480cedfd6d5f2d860cfcdb3
  SHA256: 415850f2706681a6d80708fca8ac18dcf97e58b8f3fdc7bc4b558ab15fc0a03f
  SHA512: b81276fc4d915a9721dae15aa064781a1dba665ff4864ccbdf624e8049c1b3c12a2b374f11cffcf6e4a5217766836edbc5f2376ffa8765f9070cbd87d7ae2fe8
C:\Users\Admin\AppData\Roaming\43719123\smqewogxj.iow
  MD5: 897d811670ccf4422316b304b8c09ec9
  SHA1: 5cb58926daa398a79c8d7299feac61492c07e4f0
  SHA256: b39a4320e002d1a7857ead4c2e5bb84f89a6e1377bfcf39e439d9a2ef89766da
  SHA512: bcb9be58d1f1b75d25dc08d1e0d6c1c2e039798dbdc9f6036c6e017eece57c5f370522f05b3ad5aa981855853fe5422b58b04127116492e9f24cfd23af4d0a56
C:\Users\Admin\AppData\Roaming\43719123\tqsxtg.ekv
  MD5: 265df73b89dcbb0ba82837951b5c3c2e
  SHA1: ebb66ef902970e1832e8250604e13bc6dc279e7e
  SHA256: 4a7bb249741fbb7199687fc5a99ee88cd5f9005c5cf53c17eedd7edf2882444e
  SHA512: 73829ee17f9a2a625825b9a8b2b8ebec5d8714689876a37438126335c6e939767b380e27b06dfb841480224f5f270a0f6befbb3b2ec0ae41ef35e4e0cc30a6e8
memory/344-123-0x0000000000000000-mapping.dmp
memory/876-126-0x0000000000000000-mapping.dmp
memory/1020-115-0x0000000000000000-mapping.dmp
memory/1064-129-0x000000000104FC39-mapping.dmp
memory/1064-128-0x0000000001020000-0x00000000015AD000-memory.dmp  (Filesize: 5.6MB)
memory/1064-132-0x0000000001020000-0x00000000015AD000-memory.dmp  (Filesize: 5.6MB)
memory/1064-133-0x0000000001020000-0x00000000015AD000-memory.dmp  (Filesize: 5.6MB)
memory/1072-122-0x0000000000000000-mapping.dmp
memory/1428-125-0x0000000000000000-mapping.dmp
memory/3584-120-0x0000000000000000-mapping.dmp
memory/3660-124-0x0000000000000000-mapping.dmp
memory/4064-121-0x0000000000000000-mapping.dmp