Analysis
-
max time kernel
147s
-
max time network
173s
-
platform
windows7_x64
-
resource
win7-en-20210920
-
submitted
20-10-2021 02:31
Static task
static1
Behavioral task
behavioral1
Sample
MBL+BL INVOICE SHIPPING DOCS2.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
MBL+BL INVOICE SHIPPING DOCS2.exe
Resource
win10-en-20211014
General
-
Target
MBL+BL INVOICE SHIPPING DOCS2.exe
-
Size
759KB
-
MD5
f9f7b73497e53dab0f0da51e6ea7ad47
-
SHA1
35f739ad7246794d85487c425a299a765b18bff6
-
SHA256
b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876
-
SHA512
498f223f50df39cce36be964656980a2c03c88b67e94bddf19ed0ba29b652eb7126f223c56204d9857a0f51252832b5242c291d5322783281f6bfd5d7069088c
Malware Config
Extracted
Family
remcos
Version
3.3.0 Pro
RemoteHost
172.94.88.26:3033
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-LNYWHZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
MBL+BL INVOICE SHIPPING DOCS2.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MBL+BL INVOICE SHIPPING DOCS2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MBL+BL INVOICE SHIPPING DOCS2.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
MBL+BL INVOICE SHIPPING DOCS2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | MBL+BL INVOICE SHIPPING DOCS2.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | MBL+BL INVOICE SHIPPING DOCS2.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
MBL+BL INVOICE SHIPPING DOCS2.exe
description | pid | process | target process
PID 2020 set thread context of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exe
pid | process
1972 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exe
description | pid | process
Token: SeDebugPrivilege | 1972 | powershell.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
MBL+BL INVOICE SHIPPING DOCS2.exe
description | pid | process | target process
PID 2020 wrote to memory of 1972 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | powershell.exe
PID 2020 wrote to memory of 1972 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | powershell.exe
PID 2020 wrote to memory of 1972 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | powershell.exe
PID 2020 wrote to memory of 1972 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | powershell.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
PID 2020 wrote to memory of 1552 | 2020 | MBL+BL INVOICE SHIPPING DOCS2.exe | MBL+BL INVOICE SHIPPING DOCS2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1552-62-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-67-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-66-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-65-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-64-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-71-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-60-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-61-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-69-0x000000000042FC39-mapping.dmp
-
memory/1552-68-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1552-63-0x0000000000400000-0x0000000000479000-memory.dmp
Filesize
484KB
-
memory/1972-59-0x00000000765A1000-0x00000000765A3000-memory.dmp
Filesize
8KB
-
memory/1972-72-0x0000000002430000-0x000000000307A000-memory.dmp
Filesize
12.3MB
-
memory/1972-58-0x0000000000000000-mapping.dmp
-
memory/2020-53-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
Filesize
4KB
-
memory/2020-57-0x0000000007710000-0x00000000077A5000-memory.dmp
Filesize
596KB
-
memory/2020-56-0x0000000000700000-0x0000000000708000-memory.dmp
Filesize
32KB
-
memory/2020-55-0x00000000072B0000-0x00000000072B1000-memory.dmp
Filesize
4KB