Analysis
- max time kernel: 147s
- max time network: 168s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 14-10-2021 13:01

Static task: static1

Behavioral task: behavioral1
- Sample: ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
- Resource: win7-en-20210920

Behavioral task: behavioral2
- Sample: ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
- Resource: win10-en-20210920
General
- Target: ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
- Size: 1.3MB
- MD5: a0747b376c17728fe2731e9e98d1b017
- SHA1: 7917d0e5d6adfb0690455afdafbe81db00cfc41b
- SHA256: 870130235c0034bb2649c4268bfc3ff87de0fe2cf13d0af41ce0c0f397e5ea50
- SHA512: 58b934b044ce00910e8abf5c12b1bd25aeb9e5cd458740967e5d538ea13f0cb871595658e13da2acbf2dc3e3d94848ccd79cf64dca74b25d9a8c0d4337318585
Malware Config

Extracted
- Family: remcos
- Version: 3.3.0 Pro
- Botnet: OCTOBER-$$$$
- C2: mgc0147.hopto.org:2930

Attributes
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-3MPDYA
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  680   bmxbniuglo.pif
  1532  RegSvcs.exe
Loads dropped DLL (5 IoCs)
  PID   Process
  1516  ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
  1516  ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
  1516  ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
  1516  ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
  680   bmxbniuglo.pif
Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC                                                                                                    Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                            bmxbniuglo.pif
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\45235440\\BMXBNI~1.PIF c:\\45235440\\JIFVHS~1.TCL"  bmxbniuglo.pif
Suspicious use of SetThreadContext (1 IoCs)
  Description                        PID  Process         Target process
  PID 680 set thread context of 1532  680  bmxbniuglo.pif  RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  PID  Process
  680  bmxbniuglo.pif
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID   Process
  1532  RegSvcs.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
  PID   Process
  1532  RegSvcs.exe
Suspicious use of WriteProcessMemory (41 IoCs; repeated entries collapsed, with the count of identical entries in the last column)
  Source PID  Source process                                  Target PID  Target process  Count
  1516        ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr  680         bmxbniuglo.pif  4
  680         bmxbniuglo.pif                                  568         mshta.exe       4
  680         bmxbniuglo.pif                                  1752        mshta.exe       4
  680         bmxbniuglo.pif                                  1836        mshta.exe       4
  680         bmxbniuglo.pif                                  1504        mshta.exe       4
  680         bmxbniuglo.pif                                  436         mshta.exe       4
  680         bmxbniuglo.pif                                  2004        mshta.exe       4
  680         bmxbniuglo.pif                                  1948        mshta.exe       4
  680         bmxbniuglo.pif                                  1532        RegSvcs.exe     9
Processes
- C:\Users\Admin\AppData\Local\Temp\ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORIGINAL DOCUMENTS BL, C.I. & PACKING LIST.scr" /S
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\45235440\bmxbniuglo.pif
    Command line: "C:\45235440\bmxbniuglo.pif" jifvhstup.tcl
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\mshta.exe (7 child instances, each with command line "C:\Windows\SysWOW64\mshta.exe")
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\45235440\bmxbniuglo.pif
- C:\45235440\cpuclokd.ini
- C:\45235440\jifvhstup.tcl
- C:\45235440\qtbjvco.vjk
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
- memory/436-68-0x0000000000000000-mapping.dmp
- memory/568-64-0x0000000000000000-mapping.dmp
- memory/680-59-0x0000000000000000-mapping.dmp
- memory/1504-67-0x0000000000000000-mapping.dmp
- memory/1516-54-0x0000000076B61000-0x0000000076B63000-memory.dmp (8KB)
- memory/1532-78-0x0000000000350000-0x00000000008B3000-memory.dmp (5.4MB)
- memory/1532-75-0x000000000037FC39-mapping.dmp
- memory/1532-74-0x0000000000350000-0x00000000008B3000-memory.dmp (5.4MB)
- memory/1532-73-0x0000000000350000-0x00000000008B3000-memory.dmp (5.4MB)
- memory/1752-65-0x0000000000000000-mapping.dmp
- memory/1836-66-0x0000000000000000-mapping.dmp
- memory/1948-70-0x0000000000000000-mapping.dmp
- memory/2004-69-0x0000000000000000-mapping.dmp