Analysis
- max time kernel: 150s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 21-10-2021 13:54

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample BANKSLIP.exe, resource win7-en-20210920)
- Behavioral task: behavioral2 (sample BANKSLIP.exe, resource win10-en-20210920)

The signatures, process tree and memory dumps below are from the windows7_x64 run (behavioral1, resource win7-en-20210920).
General
- Target: BANKSLIP.exe
- Size: 726KB
- MD5: fdd9b67bd04d1768858f095d90d5dc88
- SHA1: 07c81bd427eecbd130e52351d99432b16bdc8d2e
- SHA256: 3536f79b815a6d77e371df48abaec315c92ccec6e197e547440fa66629edd640
- SHA512: 4356e6c1ad77ecb750ce4d720521da2113f69f6dfed113c306a0ef6681512cb356c39ecd1d0917d55990efbb7e8abfb796d48c0a77bb0742c75c480777a2b491
Malware Config
Extracted: remcos
Version: 3.3.0 Pro
- RemoteHost: 172.94.88.26:3033
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-FFP6U6
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;

As configured, install_flag is false, so this build does not copy itself to %AppData%\Remcos\remcos.exe or register the Remcos startup value, and keylog_flag and screenshot_flag are false as well. The host indicator to pivot on is therefore the mutex Remcos-FFP6U6, and the network indicator is the C2 at 172.94.88.26 on TCP port 3033 (connect_delay 0, so the beacon starts immediately after injection).
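The values above come from the sandbox's own extractor. To show how such a configuration is recovered, the following script is an added example that is not part of the report or of the Remcos code. It assumes the layout that public analyses describe for Remcos 3.x: an RCDATA resource named "SETTINGS" consisting of a one-byte key length, the RC4 key, and the RC4-encrypted configuration whose fields are separated by the byte string `|\x1e\x1e\x1f|`, with the C2 list in the first field as host:port:password. Those layout details, the field order, the key and the password are assumptions or constructed values to verify against your own sample; only the C2 address, the startup name and the mutex are taken from the report.

```python
"""Added example, not the sandbox's or Remcos's own code: decrypt and split a
Remcos-style SETTINGS blob.  The blob is constructed here so it runs offline.

Assumed layout (from public Remcos 3.x analyses, verify against your sample):
    [1 byte key length][RC4 key][RC4(config)]
with fields joined by FIELD_SEP and the C2 list in field 0.
"""
from typing import Dict, List

FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed 3.x field delimiter
C2_ENTRY_SEP = b"\x1e"          # assumed separator between multiple C2 entries


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); symmetric, so it also encrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Build a test blob in the assumed layout (demo only; a real sample's
    blob is read from its SETTINGS resource instead)."""
    if not 0 < len(key) < 256:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def parse_settings_blob(blob: bytes) -> List[bytes]:
    """Recover the plaintext field list from a SETTINGS-style blob."""
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed SETTINGS blob")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:]).split(FIELD_SEP)


def c2_entries(field0: bytes) -> List[Dict[str, str]]:
    """Split the assumed host:port:password C2 list; tolerate ':' in passwords."""
    entries = []
    for item in field0.split(C2_ENTRY_SEP):
        parts = item.decode("latin-1").split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            continue
        entries.append({"host": parts[0], "port": parts[1],
                        "password": ":".join(parts[2:])})
    return entries


def extract(blob: bytes) -> Dict:
    """Everything an analyst wants from the blob in one call."""
    fields = parse_settings_blob(blob)
    return {"fields": fields, "c2": c2_entries(fields[0]) if fields else []}


# Constructed sample: field order is illustrative, "pass" and the key are made up;
# 172.94.88.26:3033, "Remcos" and "Remcos-FFP6U6" are the values from the report.
SAMPLE_FIELDS = [b"172.94.88.26:3033:pass", b"Remcos", b"remcos.exe", b"Remcos-FFP6U6"]
SAMPLE_KEY = b"demo-key-1234"
SAMPLE_BLOB = build_settings_blob(SAMPLE_KEY, SAMPLE_FIELDS)

if __name__ == "__main__":
    result = extract(SAMPLE_BLOB)
    for field in result["fields"]:
        print(field)
    print("C2:", result["c2"])
```

On a real sample you would read the SETTINGS resource with a PE parser and pass its raw bytes to `extract`; the RC4 routine is the standard algorithm and can be checked against the usual test vector (key "Key", plaintext "Plaintext").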
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion / BANKSLIP.exe
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion / BANKSLIP.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key value queried / \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 / BANKSLIP.exe
    Key opened / \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum / BANKSLIP.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    set thread context of 1588 / 692 / BANKSLIP.exe / RegSvcs.exe
  Together with the sixteen WriteProcessMemory calls into PID 1588 listed below and the 484KB image dumped from RegSvcs.exe at 0x400000-0x479000, this is the pattern of process hollowing: BANKSLIP.exe starts RegSvcs.exe, writes the Remcos payload over its image and redirects the main thread to the new code. RegSvcs.exe is a signed Microsoft .NET utility, so the RAT then runs under a trusted image name.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description of the signature. The extracted configuration identifies the payload as Remcos, a remote access tool, so the drive enumeration here is consistent with the environment checks above rather than with ransomware.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid / process):
    1944 / powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 1944 / powershell.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (description / pid / process / target process):
    wrote to memory of 1944 / 692 / BANKSLIP.exe / powershell.exe (4 events)
    wrote to memory of 1588 / 692 / BANKSLIP.exe / RegSvcs.exe (16 events)
  The four writes into powershell.exe are the kind a parent makes while creating a child; the sixteen into RegSvcs.exe, followed by the SetThreadContext above, are the payload being written into the hollowed host.
Processes
1. C:\Users\Admin\AppData\Local\Temp\BANKSLIP.exe (PID 692)
   Command line: "C:\Users\Admin\AppData\Local\Temp\BANKSLIP.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1944)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\BANKSLIP.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 1588)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Three things in this tree are worth acting on:
- The PowerShell child adds a Microsoft Defender exclusion for the dropper's own path before the payload is injected. Add-MpPreference needs local administrator rights, so the step only succeeds where the dropper already runs elevated. On a suspected host, list the current exclusions with Get-MpPreference (the ExclusionPath property) and remove any entry under a user-writable location such as %LOCALAPPDATA%\Temp with Remove-MpPreference.
- The image path is SysWOW64 although the command line names System32: BANKSLIP.exe is a 32-bit process and WoW64 file-system redirection mapped the System32 reference. That also matches the 32-bit Framework (not Framework64) copy of RegSvcs.exe it hollows.
- RegSvcs.exe is started with no arguments. Legitimate use passes an assembly to register, so an argument-less RegSvcs.exe (or RegAsm.exe) whose parent runs from %TEMP% or %APPDATA% is a reliable hunting pivot.
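The chain above (Defender exclusion from PowerShell, BIOS registry reads, and the write-then-SetThreadContext hollowing of RegSvcs.exe) can be turned into detection logic. The script below is an added example that is not part of the report; the event records are a simplified schema of my own (the field names are assumptions, not Sysmon's), with the PIDs, paths and command lines copied from the process tree and signatures above. The parent PID of BANKSLIP.exe is made up, since the report does not show it.

```python
"""Added example (not the sandbox's code): detection rules for the behaviour
chain in the report, run over constructed events that mirror its IoCs.
Event schema is invented for this example; map it onto your own telemetry."""
import re
from collections import defaultdict
from typing import Dict, List

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Signed .NET utilities commonly abused as hollowing hosts; RegSvcs.exe is the one here.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
BIOS_KEYS = {
    r"\registry\machine\hardware\description\system\systembiosversion",
    r"\registry\machine\hardware\description\system\videobiosversion",
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per rule hit; rules are evaluated over the whole event list."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(int)      # (source pid, target pid) -> WriteProcessMemory count
    thread_ctx = set()             # (source pid, target pid) with SetThreadContext
    bios_reads = defaultdict(set)  # pid -> BIOS keys queried
    findings = []

    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            cmd = e["cmdline"].lower()
            # Rule 1: Defender exclusion requested on behalf of a parent in a user-writable path.
            if ("add-mppreference" in cmd and "-exclusionpath" in cmd
                    and parent and USER_WRITABLE.search(parent["image"])):
                findings.append({"rule": "defender_exclusion_from_user_path",
                                 "pid": e["pid"], "parent_pid": parent["pid"],
                                 "parent_image": parent["image"]})
        elif e["type"] == "registry_query" and e["key"].lower() in BIOS_KEYS:
            bios_reads[e["pid"]].add(e["key"])
        elif e["type"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["type"] == "set_thread_context":
            thread_ctx.add((e["pid"], e["target_pid"]))

    # Rule 2: BIOS version reads, one finding per process.
    for pid, keys in sorted(bios_reads.items()):
        findings.append({"rule": "sandbox_check_bios", "pid": pid, "keys": sorted(keys)})

    # Rule 3: hollowing = parent owns the child, wrote into it, then set its thread context.
    for src, dst in sorted(thread_ctx):
        target = procs.get(dst)
        if target and target["ppid"] == src and writes[(src, dst)] > 0:
            findings.append({
                "rule": "process_hollowing", "pid": src, "target_pid": dst,
                "target_image": target["image"], "writes": writes[(src, dst)],
                "lolbin_host": basename(target["image"]) in HOLLOW_HOSTS,
                "no_arguments": target["cmdline"].strip().strip('"') == target["image"],
            })
    return findings


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed events mirroring the report; ppid 400 for the dropper is made up.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 692, "ppid": 400,
     "image": TEMP + r"\BANKSLIP.exe", "cmdline": '"' + TEMP + r'\BANKSLIP.exe"'},
    {"type": "registry_query", "pid": 692,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "registry_query", "pid": 692,
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "process_create", "pid": 1944, "ppid": 692,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "' + TEMP + r'\BANKSLIP.exe"'},
    {"type": "process_create", "pid": 1588, "ppid": 692,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    *[{"type": "write_process_memory", "pid": 692, "target_pid": 1944} for _ in range(4)],
    *[{"type": "write_process_memory", "pid": 692, "target_pid": 1588} for _ in range(16)],
    {"type": "set_thread_context", "pid": 692, "target_pid": 1588},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The four writes into powershell.exe do not produce a hollowing finding because no SetThreadContext follows them, which keeps ordinary process creation out of the rule; the `no_arguments` and `lolbin_host` flags carry the two details that make the RegSvcs.exe child stand out on a real host.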
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file / size)
PID 692 (BANKSLIP.exe)
- memory/692-54-0x0000000000190000-0x0000000000191000-memory.dmp (4KB)
- memory/692-56-0x0000000075871000-0x0000000075873000-memory.dmp (8KB)
- memory/692-57-0x00000000002F0000-0x00000000002F7000-memory.dmp (28KB)
- memory/692-58-0x0000000000530000-0x0000000000531000-memory.dmp (4KB)
- memory/692-59-0x00000000052F0000-0x0000000005385000-memory.dmp (596KB)
PID 1588 (RegSvcs.exe)
- memory/1588-62-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-63-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-64-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-65-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-66-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-68-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-69-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-70-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-71-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1588-72-0x000000000042FC39-mapping.dmp
- memory/1588-75-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
PID 1944 (powershell.exe)
- memory/1944-60-0x0000000000000000-mapping.dmp
- memory/1944-67-0x00000000025E0000-0x000000000322A000-memory.dmp (12.3MB)
- memory/1944-74-0x00000000025E0000-0x000000000322A000-memory.dmp (12.3MB)
- memory/1944-76-0x00000000025E0000-0x000000000322A000-memory.dmp (12.3MB)

The ten 484KB dumps of 0x400000-0x479000 in PID 1588 are successive snapshots of the image written into the hollowed RegSvcs.exe, and the mapping dump at 0x42FC39 lies inside that region. The unpacked Remcos payload is best carved from one of those dumps rather than from BANKSLIP.exe itself; the 596KB region at 0x52F0000 in the dropper (PID 692) is the place to look for the payload before injection. The powershell.exe dumps are the .NET runtime heap of the Add-MpPreference call and hold nothing specific to the RAT.