Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 20-10-2021 02:31
Static task: static1
Behavioral task: behavioral1
- Sample: MBL+BL INVOICE SHIPPING DOCS2.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: MBL+BL INVOICE SHIPPING DOCS2.exe
- Resource: win10-en-20211014
General
- Target: MBL+BL INVOICE SHIPPING DOCS2.exe
- Size: 759KB
- MD5: f9f7b73497e53dab0f0da51e6ea7ad47
- SHA1: 35f739ad7246794d85487c425a299a765b18bff6
- SHA256: b62b1e316fbcabfe8d88212f7b49ed54c3351187c5ec73f7ff90c7698ea28876
- SHA512: 498f223f50df39cce36be964656980a2c03c88b67e94bddf19ed0ba29b652eb7126f223c56204d9857a0f51252832b5242c291d5322783281f6bfd5d7069088c
Malware Config
Extracted: remcos 3.3.0 Pro
- RemoteHost: 172.94.88.26:3033
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-LNYWHZ
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - MBL+BL INVOICE SHIPPING DOCS2.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - MBL+BL INVOICE SHIPPING DOCS2.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  - MBL+BL INVOICE SHIPPING DOCS2.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  - MBL+BL INVOICE SHIPPING DOCS2.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 1828 (MBL+BL INVOICE SHIPPING DOCS2.exe) set thread context of PID 360 (MBL+BL INVOICE SHIPPING DOCS2.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 3076 (powershell.exe), 3 occurrences
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  - PID 3076 (powershell.exe): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  - PID 1828 (MBL+BL INVOICE SHIPPING DOCS2.exe) wrote to memory of PID 3076 (powershell.exe), 3 occurrences
  - PID 1828 (MBL+BL INVOICE SHIPPING DOCS2.exe) wrote to memory of PID 360 (MBL+BL INVOICE SHIPPING DOCS2.exe), 12 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MBL+BL INVOICE SHIPPING DOCS2.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads