Analysis
max time kernel: 109s
max time network: 287s
platform: windows10_x64
resource: win10-en-20211014
submitted: 22-10-2021 03:57

Static task: static1
Behavioral task: behavioral1
Sample: RQKH08765434560780098765.exe
Resource: win7-en-20211014
General
Target: RQKH08765434560780098765.exe
Size: 405KB
MD5: d24341052b9c2846ce4ded275ca8945c
SHA1: 1b17684788b42c5bd981750d49b13d64cdc8e90a
SHA256: 831e7dcf43daa00beb78eb3d0afc5d67fed17aaecb04eb1e7267295d648acb8e
SHA512: df87ed0e9164ee4d348ad79af48e31d513deb5f7ebc67c7a5e8f61b0c577d2bfc2ad80f63bd9cdf537846a3d296268db22fde81aa5e2e187d47dc54c0733f7a7
Malware Config
Extracted: remcos 1.7 Pro
Host: 185.222.57.90:8780
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_rllxnwmcxxgutsl
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:
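The configuration above is only useful to a responder once it is turned into things to look for on a host and on the wire. The following is an added example for this page, not code from the sandbox or from Remcos: it takes the extracted values as shown in the report and derives the C2 socket, the mutex, and the file and Run-key artifacts the build would create, marking each artifact as armed or not according to its flag (install_flag, keylog_flag and screenshot_flag are all false here, so none of the on-disk artifacts are expected from this build). The Run-key location is the usual Remcos persistence spot and is an assumption, since the report itself shows no registry activity; %AppData% is left unexpanded so the paths match any user.

```python
"""Derive concrete indicators from the Remcos configuration extracted above.

Added example for this page, not code from the sandbox or from Remcos.  The
values in REMCOS_CONFIG are copied from the report's Malware Config block
(take_screenshot_title has no value on the page and is kept as None).
Assumptions: %AppData% is left unexpanded; RUN_KEY is the usual Remcos
persistence location, which the report itself does not show; an indicator is
"armed" only when the matching *_flag in the config is true.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

REMCOS_CONFIG: dict[str, str | None] = {
    "Host": "185.222.57.90:8780", "audio_folder": "audio", "audio_path": "%AppData%",
    "audio_record_time": "5", "connect_delay": "0", "connect_interval": "5",
    "copy_file": "remcos.exe", "copy_folder": "remcos", "delete_file": "false",
    "hide_file": "false", "hide_keylog_file": "false", "install_flag": "false",
    "install_path": "%AppData%", "keylog_crypt": "false", "keylog_file": "logs.dat",
    "keylog_flag": "false", "keylog_folder": "remcos", "keylog_path": "%AppData%",
    "mouse_option": "false", "mutex": "remcos_rllxnwmcxxgutsl",
    "screenshot_crypt": "false", "screenshot_flag": "false",
    "screenshot_folder": "Screens", "screenshot_path": "%AppData%",
    "screenshot_time": "1", "startup_value": "remcos",
    "take_screenshot_option": "false", "take_screenshot_time": "5",
    "take_screenshot_title": None,
}

# Assumed persistence location; not shown in the report.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class Indicator:
    kind: str            # "c2", "mutex", "file" or "registry"
    value: str
    armed: bool | None   # None when the config carries no enable flag for it


def as_bool(value: str | None) -> bool:
    """Remcos config booleans are the literal strings 'true'/'false'."""
    return str(value).strip().lower() == "true"


def parse_c2(host_field: str) -> tuple[str, int]:
    """Split the 'Host' field into (address, port); the report shows host:port only."""
    host, _, port = host_field.rpartition(":")
    return host, int(port)


def _path(cfg: dict, base_key: str, folder_key: str, file_key: str | None = None) -> str:
    parts = [cfg[base_key], cfg[folder_key]] + ([cfg[file_key]] if file_key else [])
    return ntpath.join(*parts)  # Windows separators regardless of analysis host


def derive_indicators(cfg: dict[str, str | None]) -> list[Indicator]:
    host, port = parse_c2(cfg["Host"])
    install = as_bool(cfg["install_flag"])
    return [
        Indicator("c2", f"{host}:{port}", True),
        Indicator("mutex", cfg["mutex"], True),
        # install_flag gates both the copy into install_path and the Run-key entry
        Indicator("file", _path(cfg, "install_path", "copy_folder", "copy_file"), install),
        Indicator("registry", ntpath.join(RUN_KEY, cfg["startup_value"]), install),
        Indicator("file", _path(cfg, "keylog_path", "keylog_folder", "keylog_file"),
                  as_bool(cfg["keylog_flag"])),
        Indicator("file", _path(cfg, "screenshot_path", "screenshot_folder"),
                  as_bool(cfg["screenshot_flag"])),
        Indicator("file", _path(cfg, "audio_path", "audio_folder"), None),
    ]


def armed_on_disk(cfg: dict[str, str | None]) -> list[str]:
    """File paths this build would actually create, given its flags."""
    return [i.value for i in derive_indicators(cfg) if i.kind == "file" and i.armed]


if __name__ == "__main__":
    for ind in derive_indicators(REMCOS_CONFIG):
        print(f"{ind.kind:9} armed={str(ind.armed):5} {ind.value}")
    print("armed file artifacts:", armed_on_disk(REMCOS_CONFIG) or "none")
```

The practical reading for this sample: hunt on the C2 socket and the mutex, but do not expect %AppData%\remcos\remcos.exe or logs.dat on disk, because this build was compiled without install or keylog persistence; it runs from the Temp drop location shown in the process tree.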
Signatures
Loads dropped DLL (1 IoC)
  pid 3396  RQKH08765434560780098765.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 3396 set thread context of 892  RQKH08765434560780098765.exe -> RQKH08765434560780098765.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  This is the sandbox's generic description of the heuristic, not a verdict on this sample: the extracted configuration identifies it as Remcos, a remote-access trojan.
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 892  RQKH08765434560780098765.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3396 wrote to memory of 892  RQKH08765434560780098765.exe -> RQKH08765434560780098765.exe  (9 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\RQKH08765434560780098765.exe  (PID 3396)
   command line: "C:\Users\Admin\AppData\Local\Temp\RQKH08765434560780098765.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. child: C:\Users\Admin\AppData\Local\Temp\RQKH08765434560780098765.exe  (PID 892)
      command line: "C:\Users\Admin\AppData\Local\Temp\RQKH08765434560780098765.exe"
      - Suspicious use of SetWindowsHookEx
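The Signatures and Processes blocks together record the classic RunPE / process-hollowing sequence: the dropper (PID 3396) launches a second copy of its own image (PID 892), writes into it nine times with WriteProcessMemory, then redirects execution with SetThreadContext, after which only the child does anything interesting (SetWindowsHookEx). The following is an added example for this page, not the sandbox's own detection logic: it parses the signature rows exactly as the report prints them and flags a (source, target) pair only when a cross-process write is followed by a SetThreadContext into the same target, noting when the target runs the same image as the source. The last row in the sample input is a constructed control event so the negative case is exercised.

```python
"""Detect the RunPE/process-hollowing pattern recorded in the Signatures
block above from its raw sandbox rows.

Added example for this page, not the sandbox's own logic.  The first rows in
REPORT_LINES are copied from the report (the 'wrote to memory' row appears
nine times there); the final row is a constructed control event.  The rule is
an assumption: a process that writes into another process and then sets a
thread context in it is treated as hollowing; a write alone is not.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

_WRITE_ROW = ("PID 3396 wrote to memory of 892 3396 "
              "RQKH08765434560780098765.exe RQKH08765434560780098765.exe")
REPORT_LINES = [
    "PID 3396 set thread context of 892 3396 "
    "RQKH08765434560780098765.exe RQKH08765434560780098765.exe",
    *([_WRITE_ROW] * 9),
    # constructed control: a cross-process write with no SetThreadContext
    "PID 4100 wrote to memory of 4180 4100 helper.exe worker.exe",
]

# Row layout in the report: "<description> <pid> <process> <target process>",
# where the description itself repeats the source pid.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
VERB_TO_API = {"set thread context of": "SetThreadContext",
               "wrote to memory of": "WriteProcessMemory"}


@dataclass(frozen=True)
class ApiEvent:
    src_pid: int
    dst_pid: int
    api: str          # normalised Win32 API name
    src_image: str
    dst_image: str


@dataclass(frozen=True)
class Alert:
    src_pid: int
    dst_pid: int
    write_count: int
    same_image: bool
    rule: str


def parse_rows(lines: list[str]) -> list[ApiEvent]:
    events = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised signature row: {line!r}")
        events.append(ApiEvent(int(m["src"]), int(m["dst"]), VERB_TO_API[m["verb"]],
                               m["src_image"], m["dst_image"]))
    return events


def detect_hollowing(events: list[ApiEvent]) -> list[Alert]:
    by_pair: dict[tuple[int, int], Counter] = defaultdict(Counter)
    images: dict[tuple[int, int], tuple[str, str]] = {}
    for e in events:
        if e.src_pid == e.dst_pid:
            continue  # self-modification is out of scope for this rule
        by_pair[(e.src_pid, e.dst_pid)][e.api] += 1
        images[(e.src_pid, e.dst_pid)] = (e.src_image, e.dst_image)
    alerts = []
    for (src, dst), apis in sorted(by_pair.items()):
        if apis["WriteProcessMemory"] and apis["SetThreadContext"]:
            src_img, dst_img = images[(src, dst)]
            same = src_img.lower() == dst_img.lower()
            target = "own-image child" if same else "foreign process"
            alerts.append(Alert(src, dst, apis["WriteProcessMemory"], same,
                                f"hollowing: WriteProcessMemory then SetThreadContext into {target}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(parse_rows(REPORT_LINES)):
        print(alert)
```

Requiring both APIs against the same target is what keeps the rule quiet on debuggers and crash handlers, which write into other processes all the time; the same-image condition is the tell that distinguishes a packer hollowing its own child from injection into a system process. The memory dumps listed under Downloads (PID 892, 0x400000-0x417000) are the child's image region captured after that sequence, which is where the Remcos configuration above was recovered from.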
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Dropped file: \Users\Admin\AppData\Local\Temp\nspDC96.tmp\ueyw.dll (the nsXXXX.tmp directory under %TEMP% is the pattern NSIS installers use for extracted plugin DLLs)
  MD5: a21aa0019729f13fa73f7c58c4a9e79b
  SHA1: eb7210b344a100b0ed20c05868833bd7beed49b4
  SHA256: db4b3114ec2471c0acc88542aba11bfd48cd8ccf6c52ebc116e79aabdfbe6d34
  SHA512: e6ce5ce7c7cdfda1d1573a2b42e579ff0f73d26d07e36ddb4193fc91c32930d5a006526c77eb8ef78195eb86fb57b78dd7655c391adf8f6c2600e173fe673ac8
Memory dumps (PID 892):
  memory/892-116-0x0000000000400000-0x0000000000417000-memory.dmp  (92KB)
  memory/892-117-0x000000000040FD88-mapping.dmp
  memory/892-118-0x0000000000400000-0x0000000000417000-memory.dmp  (92KB)