Analysis

max time kernel: 300s
max time network: 302s
platform: windows7_x64
resource: win7-en-20210920
submitted: 30-10-2021 16:36

Static task: static1

Behavioral task: behavioral1
Sample: PRODUCT ENQUIRY #20211030.exe
Resource: win7-en-20210920

Behavioral task: behavioral2
Sample: PRODUCT ENQUIRY #20211030.exe
Resource: win10-en-20211014
General

Target: PRODUCT ENQUIRY #20211030.exe
Size: 1.6MB
MD5: d4ab0233615eac735996a239124e9dbe
SHA1: eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256: 396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512: 446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
Malware Config

Extracted
Family: remcos
Version: 3.3.0 Pro
Botnet: TMT stub
C2: 185.140.53.178:2404

Attributes
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-9B7MHK
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;

install_flag is false, so this build does not use Remcos's own install routine (copy_folder, copy_file and startup_value above go unused); the persistence observed in this run is the Winlogon Shell entry written by the dropper (see Signatures). The mutex Remcos-9B7MHK and the C2 endpoint 185.140.53.178:2404 are the host and network indicators to take from the configuration.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
reg.exe (PID 676): Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\MAINPROC.exe,"
Winlogon launches every comma-separated entry of the Shell value at interactive logon, so this value starts MAINPROC.exe next to explorer.exe each time the user logs in; the trailing comma is ignored. Because the value was written under HKCU, it persists only for the Admin user and needs no elevation.
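Detection for the Winlogon Shell persistence above, added here as an example and not part of the sandbox report: it splits a Shell value into the extra entries Winlogon would launch, matches REG ADD command lines that set Shell (the cmd.exe and reg.exe lines from the process tree of this report are the positive cases), and on a Windows host reads the live value with the standard-library winreg module. The Sysmon-style event dictionaries, the two benign command lines and every function name are constructed for this example.

```python
"""Hunt for Winlogon Shell persistence of the kind reg.exe wrote in this run.

Added example, not part of the sandbox report. The Shell value and the two
REG ADD command lines are copied from the report; the two benign command
lines, the Sysmon-style event dictionaries and all names are constructed.
"""
import re
import sys

# Winlogon starts every comma-separated entry of Shell at interactive logon,
# so "explorer.exe,<path>," launches <path> next to the desktop; a trailing
# comma (as written here) is ignored. Only a bare explorer.exe is expected.
EXPECTED_SHELL_ENTRIES = {"explorer.exe"}


def rogue_shell_entries(value: str) -> list[str]:
    """Return the Shell entries that are not a bare explorer.exe, in order."""
    entries = (e.strip().strip('"') for e in value.split(","))
    return [e for e in entries if e and e.lower() not in EXPECTED_SHELL_ENTRIES]


# reg add <hive>\...\Winlogon ... /v Shell, tolerating quotes around the
# executable, the key and the value name, and /f or /t in any position.
WINLOGON_SHELL_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+add\s+"?'
    r'(?:HKCU|HKLM|HKU|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE|HKEY_USERS)'
    r'[^"]*?\\Winlogon\b"?'
    r'.*?/v\s+"?Shell\b"?',
    re.IGNORECASE,
)


def is_winlogon_shell_write(cmdline: str) -> bool:
    """True when a command line sets the Winlogon Shell value through reg.exe."""
    return WINLOGON_SHELL_RE.search(cmdline) is not None


def _reg_add_data(cmdline: str) -> str:
    """Pull the /d argument (quoted or bare) out of a REG ADD command line."""
    m = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def scan_process_events(events: list[dict]) -> list[dict]:
    """Return process-creation events that set Shell, each annotated with the
    entries that would run at the next logon."""
    hits = []
    for ev in events:
        cmd = ev["CommandLine"]
        if is_winlogon_shell_write(cmd):
            hits.append({**ev, "shell_extra": rogue_shell_entries(_reg_add_data(cmd))})
    return hits


def live_shell_values() -> dict[str, str]:
    """On Windows, read Shell from the HKCU and HKLM Winlogon keys (HKCU has
    no Shell value on a clean machine, HKLM holds "explorer.exe")."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    for name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
                found[name] = winreg.QueryValueEx(key, "Shell")[0]
        except OSError:   # key or value absent
            pass
    return found


WINLOGON_KEY = r'"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"'
SHELL_DATA = r'"explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"'
REPORT_EVENTS = [  # constructed events; the first two command lines are from the report
    {"ProcessId": 816, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": f'"cmd.exe" /c REG ADD {WINLOGON_KEY} /f /v "Shell" /t REG_SZ /d {SHELL_DATA}'},
    {"ProcessId": 676, "Image": r"C:\Windows\SysWOW64\reg.exe",
     "CommandLine": f'REG ADD {WINLOGON_KEY} /f /v "Shell" /t REG_SZ /d {SHELL_DATA}'},
    {"ProcessId": 1200, "Image": r"C:\Windows\System32\reg.exe",  # benign: other value
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f'},
    {"ProcessId": 1201, "Image": r"C:\Windows\System32\reg.exe",  # benign: read only
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell'},
]

if __name__ == "__main__":
    for hit in scan_process_events(REPORT_EVENTS):
        print(hit["ProcessId"], hit["Image"], "adds to Shell:", hit["shell_extra"])
    for hive, value in live_shell_values().items():
        print(hive, repr(value), rogue_shell_entries(value) or "clean")
```

The command-line match is deliberately loose about quoting and switch order because reg.exe accepts all of those variants; the value parser is the part to reuse against the live registry, since the same entry can also be written by other means than reg.exe.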
Executes dropped EXE (4 IoCs)
Processes: 1816 MAINPROC.exe, 972 MAINPROC.exe, 1436 SMSS.exe, 900 SMSS.exe

Loads dropped DLL (3 IoCs)
Processes: 960 PRODUCT ENQUIRY #20211030.exe, 1816 MAINPROC.exe, 1436 SMSS.exe

Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
YARA rule agile_net matched: behavioral1/memory/960-57-0x00000000020A0000-0x00000000020C1000-memory.dmp

Suspicious use of SetThreadContext (1 IoC)
Processes: PID 1816 MAINPROC.exe set thread context of PID 972 MAINPROC.exe
Read together with the 13 WriteProcessMemory calls from 1816 into 972 listed below and the 484KB region at 0x400000-0x479000 later dumped from 972, this is the process-hollowing pattern: a child of the same image is overwritten by its parent and its thread context is then reset to the new code.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's stock description of this signature; the extracted configuration identifies the sample as Remcos, a remote-access trojan, not ransomware.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: 960 PRODUCT ENQUIRY #20211030.exe (x3), 1816 MAINPROC.exe (x7), 1436 SMSS.exe (x1), 900 SMSS.exe (x3)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: Token SeDebugPrivilege enabled by 960 PRODUCT ENQUIRY #20211030.exe, 1816 MAINPROC.exe, 1436 SMSS.exe, 900 SMSS.exe

Suspicious use of WriteProcessMemory (33 IoCs)
Processes (writer -> target, count):
960 PRODUCT ENQUIRY #20211030.exe -> 816 cmd.exe (x4)
816 cmd.exe -> 676 reg.exe (x4)
960 PRODUCT ENQUIRY #20211030.exe -> 1816 MAINPROC.exe (x4)
1816 MAINPROC.exe -> 972 MAINPROC.exe (x13)
1816 MAINPROC.exe -> 1436 SMSS.exe (x4)
1436 SMSS.exe -> 900 SMSS.exe (x4)
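The WriteProcessMemory and SetThreadContext events above can be scored mechanically. The following is an added example, not part of the sandbox report: it transcribes the per-pair counts from this report into event records, treats the four writes every ordinary child (cmd.exe, reg.exe) received as process-creation noise, and classifies each writer/target pair. The baseline, the severity labels and all names are this example's own choices.

```python
"""Classify cross-process writes into the hollowing pattern seen in this run.

Added example, not part of the sandbox report. The per-pair event counts are
transcribed from the WriteProcessMemory and SetThreadContext signatures above;
the baseline, severities and all names are this example's own choices.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiEvent:
    api: str        # "WriteProcessMemory" or "SetThreadContext"
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


def _writes(src_pid, src_image, dst_pid, dst_image, count):
    return [ApiEvent("WriteProcessMemory", src_pid, src_image, dst_pid, dst_image)] * count


def report_events() -> list[ApiEvent]:
    """The 33 WriteProcessMemory and 1 SetThreadContext events of this report."""
    sample = "PRODUCT ENQUIRY #20211030.exe"
    return (
        _writes(960, sample, 816, "cmd.exe", 4)
        + _writes(816, "cmd.exe", 676, "reg.exe", 4)
        + _writes(960, sample, 1816, "MAINPROC.exe", 4)
        + _writes(1816, "MAINPROC.exe", 972, "MAINPROC.exe", 13)
        + [ApiEvent("SetThreadContext", 1816, "MAINPROC.exe", 972, "MAINPROC.exe")]
        + _writes(1816, "MAINPROC.exe", 1436, "SMSS.exe", 4)
        + _writes(1436, "SMSS.exe", 900, "SMSS.exe", 4)
    )


def injection_findings(events, baseline_writes: int = 4) -> list[dict]:
    """Group events by (writer, target) and classify each pair.

    Every ordinary child in this run (cmd.exe, reg.exe) received exactly four
    writes from its parent, so that count is treated as process-creation noise;
    anything above it, any SetThreadContext, or a child that shares its
    parent's image name is reported.
    """
    writes = Counter()
    ctx_reset = set()
    images = {}           # insertion order = first-seen order of each pair
    for e in events:
        key = (e.src_pid, e.dst_pid)
        images.setdefault(key, (e.src_image, e.dst_image))
        if e.api == "WriteProcessMemory":
            writes[key] += 1
        elif e.api == "SetThreadContext":
            ctx_reset.add(key)

    findings = []
    for key, (src_img, dst_img) in images.items():
        n = writes[key]
        same_image = src_img.lower() == dst_img.lower()
        if key in ctx_reset and same_image:
            sev, why = "high", "same-image child written then thread context reset: process hollowing"
        elif key in ctx_reset:
            sev, why = "high", "thread context reset in another image: injection or thread hijack"
        elif n > baseline_writes:
            sev, why = "medium", f"{n} writes exceed the {baseline_writes}-write creation baseline"
        elif same_image:
            sev, why = "review", "self-spawned child: check for a later injection"
        else:
            continue
        findings.append({"src_pid": key[0], "src_image": src_img, "dst_pid": key[1],
                         "dst_image": dst_img, "writes": n, "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for f in injection_findings(report_events()):
        print(f"[{f['severity']}] {f['src_pid']} {f['src_image']} -> "
              f"{f['dst_pid']} {f['dst_image']} ({f['writes']} writes): {f['reason']}")
```

On this report the high finding is 1816 -> 972 (13 writes plus SetThreadContext), and 1436 -> 900 is flagged for review only because SMSS.exe spawns a copy of itself with no further injection recorded. The target of the high finding is the process later dumped as a 484KB region at 0x400000-0x479000 (memory/972-71 through 972-79 and 972-83); that region is where the replacement image lives, and memory/972-80 records the address 0x42FC39 inside it.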
Processes

1. C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe (PID 960)
   Command line: "C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe"
   - Loads dropped DLL
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 816)
      Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe (PID 676)
         Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"
         - Modifies WinLogon for persistence

   2. C:\Users\Admin\AppData\Roaming\MAINPROC.exe (PID 1816)
      Command line: "C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\MAINPROC.exe (PID 972)
         Command line: "C:\Users\Admin\AppData\Roaming\MAINPROC.exe"
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\SMSS.exe (PID 1436)
         Command line: "C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Local\Temp\SMSS.exe (PID 900)
            Command line: "C:\Users\Admin\AppData\Local\Temp\SMSS.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

(The leading number is the depth in the process tree; PIDs are taken from the signature tables above.)
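The dropped SMSS.exe borrows the name of the Windows Session Manager but runs from %TEMP%. The following is an added example, not part of the sandbox report, that flags any process whose image name belongs to a core Windows binary but whose directory is not that binary's system home; the process paths are copied from the tree above, while the name list, the directory rules, the severities and the function names are this example's own choices and go beyond the single case on this page.

```python
"""Flag processes whose image name imitates a core Windows binary but which run
from outside the system directories, like the SMSS.exe in %TEMP% here.

Added example, not part of the sandbox report. The process paths are copied
from the process tree above; the name list, directory rules, severities and
function names are this example's own choices.
"""
import ntpath
from typing import Optional

# Core Windows process names that live directly in System32/SysWOW64
# (explorer.exe additionally lives in C:\Windows itself).
SYSTEM_IMAGE_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "dllhost.exe", "conhost.exe",
    "spoolsv.exe", "taskhostw.exe", "runtimebroker.exe", "sihost.exe",
}
WINDIR = r"C:\Windows"
SYSTEM_DIRS = {ntpath.join(WINDIR, "System32").lower(), ntpath.join(WINDIR, "SysWOW64").lower()}
WINSXS = ntpath.join(WINDIR, "WinSxS").lower() + "\\"   # component store also holds copies
# Locations a standard user can write to; a system name there is the worst case.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                       "\\windows\\temp\\", "c:\\temp\\")


def masquerade_finding(image_path: str) -> Optional[dict]:
    """Return a finding when image_path uses a system binary name outside its home."""
    path = ntpath.normpath(image_path)          # collapses ..\ tricks, keeps the drive
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_IMAGE_NAMES:
        return None
    parent = ntpath.dirname(path).lower()
    allowed = set(SYSTEM_DIRS)
    if name == "explorer.exe":
        allowed.add(WINDIR.lower())
    if parent in allowed or parent.startswith(WINSXS):
        return None
    lowered = path.lower()
    severity = "high" if any(h in lowered for h in USER_WRITABLE_HINTS) else "medium"
    return {"image": image_path, "name": name, "severity": severity,
            "reason": f"{name} running from {ntpath.dirname(path)} instead of a system directory"}


def scan_process_tree(processes) -> list[dict]:
    """processes: iterable of (pid, image_path); returns findings with the pid attached."""
    out = []
    for pid, image in processes:
        finding = masquerade_finding(image)
        if finding:
            out.append({"pid": pid, **finding})
    return out


REPORT_PROCESSES = [  # (pid, image) pairs from the process tree
    (960, r"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe"),
    (816, r"C:\Windows\SysWOW64\cmd.exe"),
    (676, r"C:\Windows\SysWOW64\reg.exe"),
    (1816, r"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"),
    (972, r"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"),
    (1436, r"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"),
    (900, r"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"),
]

if __name__ == "__main__":
    for f in scan_process_tree(REPORT_PROCESSES):
        print(f"[{f['severity']}] PID {f['pid']}: {f['reason']}")
```

The directory test is an exact match on the parent directory rather than a prefix test, so C:\Windows\Temp\smss.exe and C:\Windows\System32\..\Temp\smss.exe are both flagged while the WinSxS component store is tolerated; on a live host the same function applies to image paths from Sysmon event 1 or from a process listing.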
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\SMSS.exe (reported five times on the original page, also as \Users\Admin\AppData\Local\Temp\SMSS.exe; every entry carries the same hashes)
MD5: 0e362e7005823d0bec3719b902ed6d62
SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

C:\Users\Admin\AppData\Local\Temp\SMSS.txt (first capture)
MD5: 1b5d3a910873ef9e6177aa5154ae2778
SHA1: a2faabcdd9e4476f5b38ca53bf629114bff2e85f
SHA256: 7fdc9a77a4569e4af83ef4b33a5c73d9c55ee445785cdd7904a7ac6c8138a967
SHA512: 81ddb517292caa5b2bfd44366ea37900c6ff776a1c875ad405d7bd2a29f8ec1e1505afb23546d6e7e2f94f6fbb6e1dc9a01a70665d89bffb99c4d3f65313289e

C:\Users\Admin\AppData\Local\Temp\SMSS.txt (second capture, reported twice; the file's content changed during the run, so both hash sets are kept)
MD5: e47a228c7ebbb7290eecad3cffaa85fc
SHA1: 2df385d0fa9c37c898aab965bd0be90239d14a29
SHA256: 4e2ca9ce7dc3b1051225cbed0db1032aa3f3eef09450a11a01015d9d1a834eaf
SHA512: f6da5efe5c7b7d544fbb52116d86fb5e1e4983bfbf42558209f8c75584dfc8b128c8d75fd9228e8edd93158533d478c2cb9ed288a2aed0d373d62402abe4add8

C:\Users\Admin\AppData\Roaming\MAINPROC.exe (reported four times, also as \Users\Admin\AppData\Roaming\MAINPROC.exe; the hashes are identical to the submitted sample, i.e. the dropper copies itself to %AppData%)
MD5: d4ab0233615eac735996a239124e9dbe
SHA1: eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256: 396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512: 446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
Memory dumps (ordered by dump index; PID first, then the dumped address range and file size):
memory/960-54-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
memory/960-56-0x0000000004A10000-0x0000000004A11000-memory.dmp (4KB)
memory/960-57-0x00000000020A0000-0x00000000020C1000-memory.dmp (132KB; agile_net YARA match)
memory/960-58-0x0000000004A11000-0x0000000004A12000-memory.dmp (4KB)
memory/816-59-0x0000000000000000-mapping.dmp
memory/676-60-0x0000000000000000-mapping.dmp
memory/1816-62-0x0000000000000000-mapping.dmp
memory/1816-65-0x0000000000D00000-0x0000000000D01000-memory.dmp (4KB)
memory/1816-67-0x00000000047C0000-0x00000000047C1000-memory.dmp (4KB)
memory/1816-69-0x0000000000A30000-0x0000000000A3B000-memory.dmp (44KB)
memory/1816-70-0x0000000000A90000-0x0000000000A91000-memory.dmp (4KB)
memory/972-71-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-72-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-73-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-74-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-75-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-76-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-77-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-78-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-79-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/972-80-0x000000000042FC39-mapping.dmp
memory/972-82-0x0000000076961000-0x0000000076963000-memory.dmp (8KB)
memory/972-83-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
memory/1436-85-0x0000000000000000-mapping.dmp
memory/1436-88-0x0000000000810000-0x0000000000811000-memory.dmp (4KB)
memory/900-92-0x0000000000000000-mapping.dmp