Analysis
max time kernel: 117s
max time network: 149s
platform: windows10_x64
resource: win10-en-20210920
submitted: 25-10-2021 10:50
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Purchase Order.exe
  Resource: win10-en-20210920
General
Target: Purchase Order.exe
Size: 246KB
MD5: b48b71d44037bf1e07d0284b8611f9e6
SHA1: 9ca3d67a31c738c779cea681020bb27e3f25d829
SHA256: 3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d
SHA512: 565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993
Malware Config
Extracted family: remcos
Version: 1.7 Pro
Host: dera33.ddns.net:1186
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: ddrw.exe
copy_folder: (no value extracted)
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: remcos_xvhyzfmlwvsqhfc
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screens
screenshot_path: %AppData%
screenshot_time: 1
startup_value: win
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: (no value extracted)
The install settings match the observed behaviour: install_flag is true, install_path is %AppData% and copy_file is ddrw.exe, so the sample copies itself to C:\Users\Admin\AppData\Roaming\ddrw.exe, and startup_value "win" is the Run value name recorded under Signatures below. keylog_flag and the screenshot options are false in this build, so the logs.dat and Screens paths are configured but not expected to be populated.
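The extracted configuration turned into hunt indicators and run over a handful of log lines, as an added example that is not part of the sandbox report. The config values are the ones listed above; the log format and every log line are constructed for illustration, and the port-only network match is marked low confidence on purpose because the report records no resolved IP for dera33.ddns.net.

```python
import re

# Key/value pairs copied from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "Host": "dera33.ddns.net:1186",
    "copy_file": "ddrw.exe",
    "install_flag": "true",
    "install_path": "%AppData%",
    "keylog_file": "logs.dat",
    "keylog_folder": "remcos",
    "mutex": "remcos_xvhyzfmlwvsqhfc",
    "startup_value": "win",
}


def indicators(cfg):
    """Derive hunt indicators from an extracted Remcos config.

    Host is host:port. When install_flag is true the sample copies itself to
    install_path\\copy_file and registers that path under the Run value named
    startup_value (this report: %AppData%\\ddrw.exe under "win")."""
    host, _, port = cfg["Host"].rpartition(":")
    ind = {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "keylog_relpath": cfg["keylog_folder"] + "\\" + cfg["keylog_file"],
    }
    if cfg.get("install_flag") == "true":
        ind["dropped_exe"] = cfg["copy_file"].lower()
        ind["run_key_value"] = cfg["startup_value"].lower()
    return ind


# Field layouts below are assumptions about a normalised log feed, not a real product format.
DNS_RE = re.compile(r"query=(?P<q>\S+)")
CONN_RE = re.compile(r"dst=(?P<ip>[\d.]+):(?P<port>\d+)")
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<data>.+)"', re.IGNORECASE)


def hunt(lines, ind):
    """Return (line_no, reason) for every log line that matches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m and m.group("q").rstrip(".").lower() == ind["c2_host"]:
            hits.append((n, "DNS lookup of C2 host"))
            continue
        m = CONN_RE.search(line)
        if m and int(m.group("port")) == ind["c2_port"]:
            # A bare port match is weak evidence; the report gives no IP to pair it with.
            hits.append((n, "outbound to C2 port (low confidence without host/IP)"))
            continue
        m = RUN_RE.search(line)
        if m:
            name, data = m.group("name").lower(), m.group("data").lower()
            exe = ind.get("dropped_exe")
            if name == ind.get("run_key_value") or (exe and data.endswith("\\" + exe)):
                hits.append((n, "Run key persistence for dropped copy"))
    return hits


# Constructed log lines (not from the sandbox run): one true positive per source plus a benign neighbour.
SAMPLE_LOGS = [
    "2021-10-25T10:51:01Z dns src=10.0.0.15 query=dera33.ddns.net type=A",
    "2021-10-25T10:51:01Z dns src=10.0.0.15 query=www.microsoft.com type=A",
    "2021-10-25T10:51:02Z conn src=10.0.0.15 dst=203.0.113.7:1186 proto=tcp",
    "2021-10-25T10:51:02Z conn src=10.0.0.15 dst=203.0.113.8:443 proto=tcp",
    r'2021-10-25T10:51:03Z reg Set value (str) HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\win = "C:\Users\Admin\AppData\Roaming\ddrw.exe"',
    r'2021-10-25T10:51:04Z reg Set value (str) HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"',
]

if __name__ == "__main__":
    for n, reason in hunt(SAMPLE_LOGS, indicators(REMCOS_CONFIG)):
        print(f"line {n}: {reason}")
```

Matching on the Run value name and on the dropped file name independently is deliberate: Remcos operators change copy_file and startup_value per build, so either one alone is enough to catch a rebuilt sample that reuses the other.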
Signatures
suricata: ET MALWARE Remcos RAT Checkin 23

Executes dropped EXE (2 IoCs)
  PID 4212  ddrw.exe
  PID 1472  ddrw.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Purchase Order.exe  Key created      \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Purchase Order.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\ddrw.exe\""
  ddrw.exe            Key created      \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  ddrw.exe            Set value (str)  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\ddrw.exe\""
  The hollowed first stage (PID 4572) and the hollowed copy (PID 1472) each write the same value; the value name "win" and the target path match startup_value and install_path/copy_file in the extracted config.

Suspicious use of SetThreadContext (2 IoCs)
  PID 592 (Purchase Order.exe) set thread context of PID 4572 (Purchase Order.exe)
  PID 4212 (ddrw.exe) set thread context of PID 1472 (ddrw.exe)

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "Likely ransomware behaviour"; here the sample is classified as Remcos and the only files written during the run are install.bat and the self-copy ddrw.exe, so read this as drive enumeration by a RAT, not as evidence of encryption.

Runs ping.exe (1 TTPs, 1 IoCs)
  PID 4328: PING 127.0.0.1 -n 2, spawned from install.bat. Pinging localhost is a stock batch-file delay, used here before the dropped copy is started.

Suspicious use of SetWindowsHookEx (1 IoCs)
  PID 1472  ddrw.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  PID 592   Purchase Order.exe  wrote to memory of  PID 4572  Purchase Order.exe  (9 events)
  PID 4572  Purchase Order.exe  wrote to memory of  PID 3732  cmd.exe             (3 events)
  PID 3732  cmd.exe             wrote to memory of  PID 4328  PING.EXE            (3 events)
  PID 3732  cmd.exe             wrote to memory of  PID 4212  ddrw.exe            (3 events)
  PID 4212  ddrw.exe            wrote to memory of  PID 1472  ddrw.exe            (9 events)
  The three-event groups accompany ordinary process creation (every spawn in the tree shows them). The nine-event groups, each into a child of the same image and paired with the SetThreadContext entries above, are the self-injection worth examining.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    PID: 592
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
      PID: 4572
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        PID: 3732
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\PING.EXE
          cmdline: PING 127.0.0.1 -n 2
          PID: 4328
          - Runs ping.exe
      [4] C:\Users\Admin\AppData\Roaming\ddrw.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\ddrw.exe"
          PID: 4212
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\ddrw.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\ddrw.exe"
            PID: 1472
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
The bracketed number is the depth in the process tree. The command line names C:\Windows\system32\cmd.exe but the image that ran is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so the system32 path was redirected by WOW64 on this x64 platform.
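The two injection pairs (592 into 4572, 4212 into 1472) and the cmd.exe, PING, ddrw.exe install chain above, expressed as detection logic over an event stream, as an added example that is not part of the sandbox report. PIDs, image paths and command lines are taken from the process tree; the event dictionaries (process, write_memory, set_thread_context) are an assumed normalised shape, roughly what an EDR or Sysmon feed gives after parsing, not a real sensor format.

```python
import ntpath
from collections import defaultdict

# Constructed event stream modelled on the process tree and the
# WriteProcessMemory / SetThreadContext signatures in this report. PIDs, image
# paths and command lines are the report's; the dictionary shape is an assumption.
PO = r"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
DDRW = r"C:\Users\Admin\AppData\Roaming\ddrw.exe"
EVENTS = [
    {"type": "process", "pid": 592, "ppid": 1000, "image": PO, "cmdline": f'"{PO}"'},
    {"type": "process", "pid": 4572, "ppid": 592, "image": PO, "cmdline": f'"{PO}"'},
    {"type": "write_memory", "pid": 592, "target": 4572},
    {"type": "set_thread_context", "pid": 592, "target": 4572},
    {"type": "process", "pid": 3732, "ppid": 4572, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "'},
    {"type": "process", "pid": 4328, "ppid": 3732, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "PING 127.0.0.1 -n 2"},
    {"type": "process", "pid": 4212, "ppid": 3732, "image": DDRW, "cmdline": f'"{DDRW}"'},
    {"type": "process", "pid": 1472, "ppid": 4212, "image": DDRW, "cmdline": f'"{DDRW}"'},
    {"type": "write_memory", "pid": 4212, "target": 1472},
    {"type": "set_thread_context", "pid": 4212, "target": 1472},
]


def _procs(events):
    """Index process-creation events by PID."""
    return {e["pid"]: e for e in events if e["type"] == "process"}


def self_hollowing(events):
    """Flag a process that spawns a child of its own image, writes into that
    child and then resets one of its thread contexts, the shape recorded twice
    above. Ordinary process creation also writes into the child, so the
    thread-context reset is what separates the two cases."""
    procs = _procs(events)
    wrote = {(e["pid"], e["target"]) for e in events if e["type"] == "write_memory"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = e["pid"], e["target"]
        parent, child = procs.get(src), procs.get(dst)
        if not parent or not child or child["ppid"] != src or (src, dst) not in wrote:
            continue
        if ntpath.basename(parent["image"]).lower() == ntpath.basename(child["image"]).lower():
            hits.append((src, dst, ntpath.basename(child["image"])))
    return hits


def bat_ping_relaunch(events):
    """Flag cmd.exe /c <x>.bat whose children include PING 127.0.0.1 -n (a batch
    sleep) and an executable started from %AppData%\\Roaming, i.e. the
    install.bat sequence in the tree above."""
    procs = _procs(events)
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p)
    hits = []
    for p in procs.values():
        cmd = p["cmdline"].lower()
        if ntpath.basename(p["image"]).lower() != "cmd.exe" or " /c " not in cmd or ".bat" not in cmd:
            continue
        kids = children[p["pid"]]
        slept = any(k["cmdline"].lower().startswith("ping 127.0.0.1 -n") for k in kids)
        dropped = [k["image"] for k in kids
                   if "\\appdata\\roaming\\" in k["image"].lower() and k["image"].lower().endswith(".exe")]
        if slept and dropped:
            hits.append((p["pid"], dropped[0]))
    return hits


if __name__ == "__main__":
    for hit in self_hollowing(EVENTS):
        print("self-injection: PID %d -> PID %d (%s)" % hit)
    for hit in bat_ping_relaunch(EVENTS):
        print("bat/ping relaunch: cmd.exe PID %d started %s" % hit)
```

Requiring the child to be a direct child of the writer, with the same image name, keeps the rule from firing on debuggers and legitimate injectors that write into unrelated processes; the batch rule keys on the relaunch from Roaming rather than on the file name ddrw.exe, which changes per build.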
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\install.bat
  MD5: 9ed7a03e913f6f5e76f26038f927563f
  SHA1: 7e6c10fb0db740025dcbc924483ac160820cbd65
  SHA256: f648984d4a5fc9f0190dd1bc01ea298d8b38da04ae618529deeb143829d8e46f
  SHA512: ea627db68accb37a0b6facc9f3db6e6471b394d65db2297adecf0da4b1e300a505fe021cd81e6a705cd8e9aebfb4f01140fca5f7dfadf6207e35aa0911bce442
C:\Users\Admin\AppData\Roaming\ddrw.exe (reported three times with identical hashes; they equal the hashes of Purchase Order.exe under General, so the dropped file is a byte-for-byte copy of the submitted sample rather than a second-stage payload)
  MD5: b48b71d44037bf1e07d0284b8611f9e6
  SHA1: 9ca3d67a31c738c779cea681020bb27e3f25d829
  SHA256: 3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d
  SHA512: 565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993

Memory dumps
  memory/592-115-0x0000000000BA0000-0x0000000000BA1000-memory.dmp  Filesize: 4KB
  memory/592-117-0x0000000005A20000-0x0000000005A21000-memory.dmp  Filesize: 4KB
  memory/592-118-0x0000000005410000-0x0000000005411000-memory.dmp  Filesize: 4KB
  memory/592-119-0x0000000005520000-0x0000000005A1E000-memory.dmp  Filesize: 5.0MB
  memory/592-120-0x0000000005830000-0x0000000005831000-memory.dmp  Filesize: 4KB
  memory/592-121-0x0000000005730000-0x0000000005737000-memory.dmp  Filesize: 28KB
  memory/592-122-0x00000000061C0000-0x00000000061C1000-memory.dmp  Filesize: 4KB
  memory/592-123-0x0000000006160000-0x0000000006199000-memory.dmp  Filesize: 228KB
  memory/4572-124-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
  memory/4572-125-0x000000000040FD88-mapping.dmp
  memory/3732-126-0x0000000000000000-mapping.dmp
  memory/4572-127-0x0000000000400000-0x0000000000417000-memory.dmp  Filesize: 92KB
  memory/4328-129-0x0000000000000000-mapping.dmp
  memory/4212-130-0x0000000000000000-mapping.dmp
  memory/4212-139-0x0000000005100000-0x00000000055FE000-memory.dmp  Filesize: 5.0MB
  memory/1472-143-0x000000000040FD88-mapping.dmp
  Both hollowed children (PIDs 4572 and 1472) are recorded with a mapping at 0x40FD88, and both parents (592 and 4212) carry a 5.0MB region (0x5520000-0x5A1E000 and 0x5100000-0x55FE000), consistent with the same code running in the original and in its copy. The 92KB region at 0x400000-0x417000 in PID 4572 is the image base of the hollowed child and is the dump to pull for the unpacked Remcos payload.