Analysis
- max time kernel: 122s
- max time network: 152s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 25-10-2021 12:41
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order.exe
- Resource: win7-en-20210920
Behavioral task: behavioral2
- Sample: Purchase Order.exe
- Resource: win10-en-20211014
General
- Target: Purchase Order.exe
- Size: 246KB
- MD5: b48b71d44037bf1e07d0284b8611f9e6
- SHA1: 9ca3d67a31c738c779cea681020bb27e3f25d829
- SHA256: 3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d
- SHA512: 565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993
Malware Config
Extracted: remcos 1.7 Pro
- Host: dera33.ddns.net:1186
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: ddrw.exe
- copy_folder:
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_xvhyzfmlwvsqhfc
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: win
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title:
Signatures
- suricata: ET MALWARE Remcos RAT Checkin 23
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  1836 | ddrw.exe
  828 | ddrw.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1400 | cmd.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | Purchase Order.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\ddrw.exe\"" | Purchase Order.exe
  Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | ddrw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\ddrw.exe\"" | ddrw.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description | pid | process | target process):
  PID 584 set thread context of 1496 | 584 | Purchase Order.exe | Purchase Order.exe
  PID 1836 set thread context of 828 | 1836 | ddrw.exe | ddrw.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  828 | ddrw.exe
- Suspicious use of WriteProcessMemory (35 IoCs; identical rows collapsed with a count)
  Processes (description | pid | process | target process | count):
  PID 584 wrote to memory of 1496 | 584 | Purchase Order.exe | Purchase Order.exe | 10
  PID 1496 wrote to memory of 1400 | 1496 | Purchase Order.exe | cmd.exe | 7
  PID 1400 wrote to memory of 392 | 1400 | cmd.exe | PING.EXE | 4
  PID 1400 wrote to memory of 1836 | 1400 | cmd.exe | ddrw.exe | 4
  PID 1836 wrote to memory of 828 | 1836 | ddrw.exe | ddrw.exe | 10
Processes (nested by parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  PID: 584
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    PID: 1496
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      PID: 1400
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: PING 127.0.0.1 -n 2
        PID: 392
        - Runs ping.exe
      - C:\Users\Admin\AppData\Roaming\ddrw.exe
        Command line: "C:\Users\Admin\AppData\Roaming\ddrw.exe"
        PID: 1836
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\ddrw.exe
          Command line: "C:\Users\Admin\AppData\Roaming\ddrw.exe"
          PID: 828
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  MD5: 9ed7a03e913f6f5e76f26038f927563f
  SHA1: 7e6c10fb0db740025dcbc924483ac160820cbd65
  SHA256: f648984d4a5fc9f0190dd1bc01ea298d8b38da04ae618529deeb143829d8e46f
  SHA512: ea627db68accb37a0b6facc9f3db6e6471b394d65db2297adecf0da4b1e300a505fe021cd81e6a705cd8e9aebfb4f01140fca5f7dfadf6207e35aa0911bce442
- C:\Users\Admin\AppData\Roaming\ddrw.exe
  MD5: b48b71d44037bf1e07d0284b8611f9e6
  SHA1: 9ca3d67a31c738c779cea681020bb27e3f25d829
  SHA256: 3a2b6b7cd1cec006f28a7e4d69c14273a7b3de368c273840ea5c6f2b9d62e50d
  SHA512: 565340c000f208450e5287cc0ccb04b51459d198765da4484e96ecb6f3af902b525e75d4b3383b93ca0f11154d50e8d7ade8715a7976daebacdf871f8c3df993