Analysis
max time kernel: 82s
max time network: 146s
platform: windows10_x64
resource: win10-en-20210920
submitted: 22-10-2021 09:19
Static task: static1
Behavioral task: behavioral1
Sample: 3.exe
Resource: win7-en-20211014
General
Target: 3.exe
Size: 358KB
MD5: e8e41fd0c3f4b307c5b8cea610ae2f90
SHA1: da24cfc46900a33027575ccb5b741aae2a5c610c
SHA256: 9127f887ce2cedcbf1c410e431efe9e7f388fbe04e4cadb6c7451545a151fe7b
SHA512: 05db528be036fd65a3c520eff32878670b186dbdffdc9477b5a5772a8d43a58928d88f5ae48e0fbf5a80aa0712277dfb26f7b25d41a1e12ef74b969b8ad87501
Malware Config
Extracted
remcos 1.7 Pro
Host: 185.222.57.90:8780
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_rllxnwmcxxgutsl
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:
Signatures

Loads dropped DLL (1 IoCs)
Processes:
  pid: 4328  process: 3.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 4328 set thread context of 4272  pid: 4328  process: 3.exe  target process PID: 4272  target process: 3.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid: 4272  process: 3.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 4328 wrote to memory of 4272  pid: 4328  process: 3.exe  target process PID: 4272  target process: 3.exe  (9 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Local\Temp\3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsx9666.tmp\sxlxafjdl.dll
MD5: 459ccf9db3e880db4bd97a275101c92f
SHA1: 57c90985e37903d97a19710c93bc836622643cf3
SHA256: 80d6cfe595eb1acded67a063ee3b292779e2dcc2f24a47cf5434d7cf70bbde3a
SHA512: 84186df587f4fa4b05019e2583f4cc6fc00067bbc604e14169795502ed5df9c43179a41960b76745dabc9776efc811eec436c7af2c203cfcce2f744e8221e34a

memory/4272-116-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize: 92KB

memory/4272-117-0x000000000040FD88-mapping.dmp

memory/4272-118-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize: 92KB