Analysis
-
max time kernel
299s -
max time network
302s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
30-10-2021 16:36
Static task
static1
Behavioral task
behavioral1
Sample
PRODUCT ENQUIRY #20211030.exe
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
PRODUCT ENQUIRY #20211030.exe
Resource
win10-en-20211014
General
-
Target
PRODUCT ENQUIRY #20211030.exe
-
Size
1.6MB
-
MD5
d4ab0233615eac735996a239124e9dbe
-
SHA1
eae1a6445bd76e829261323fb1718fa7402f0a7c
-
SHA256
396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
-
SHA512
446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
Malware Config
Extracted
remcos
3.3.0 Pro
TMT stub
185.140.53.178:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-9B7MHK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\MAINPROC.exe," reg.exe -
Executes dropped EXE 4 IoCs
Processes:
MAINPROC.exeMAINPROC.exeSMSS.exeSMSS.exepid process 4360 MAINPROC.exe 1732 MAINPROC.exe 2056 SMSS.exe 2764 SMSS.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/4388-122-0x0000000006900000-0x0000000006921000-memory.dmp agile_net -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MAINPROC.exedescription pid process target process PID 4360 set thread context of 1732 4360 MAINPROC.exe MAINPROC.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
Processes:
PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exeSMSS.exepid process 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4388 PRODUCT ENQUIRY #20211030.exe 4360 MAINPROC.exe 4360 MAINPROC.exe 4360 MAINPROC.exe 4360 MAINPROC.exe 2056 SMSS.exe 2764 SMSS.exe 2764 SMSS.exe 2764 SMSS.exe 4360 MAINPROC.exe 4360 MAINPROC.exe 4360 MAINPROC.exe 4360 MAINPROC.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
PRODUCT ENQUIRY #20211030.exeMAINPROC.exeSMSS.exeSMSS.exedescription pid process Token: SeDebugPrivilege 4388 PRODUCT ENQUIRY #20211030.exe Token: SeDebugPrivilege 4360 MAINPROC.exe Token: SeDebugPrivilege 2056 SMSS.exe Token: SeDebugPrivilege 2764 SMSS.exe -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
PRODUCT ENQUIRY #20211030.execmd.exeMAINPROC.exeSMSS.exedescription pid process target process PID 4388 wrote to memory of 4444 4388 PRODUCT ENQUIRY #20211030.exe cmd.exe PID 4388 wrote to memory of 4444 4388 PRODUCT ENQUIRY #20211030.exe cmd.exe PID 4388 wrote to memory of 4444 4388 PRODUCT ENQUIRY #20211030.exe cmd.exe PID 4444 wrote to memory of 4436 4444 cmd.exe reg.exe PID 4444 wrote to memory of 4436 4444 cmd.exe reg.exe PID 4444 wrote to memory of 4436 4444 cmd.exe reg.exe PID 4388 wrote to memory of 4360 4388 PRODUCT ENQUIRY #20211030.exe MAINPROC.exe PID 4388 wrote to memory of 4360 4388 PRODUCT ENQUIRY #20211030.exe MAINPROC.exe PID 4388 wrote to memory of 4360 4388 PRODUCT ENQUIRY #20211030.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 1732 4360 MAINPROC.exe MAINPROC.exe PID 4360 wrote to memory of 2056 4360 MAINPROC.exe SMSS.exe PID 4360 wrote to memory of 2056 4360 MAINPROC.exe SMSS.exe PID 4360 wrote to memory of 2056 4360 MAINPROC.exe SMSS.exe PID 2056 wrote to memory of 2764 2056 SMSS.exe SMSS.exe PID 2056 wrote to memory of 2764 2056 SMSS.exe SMSS.exe PID 2056 wrote to memory of 2764 2056 SMSS.exe SMSS.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe"C:\Users\Admin\AppData\Local\Temp\PRODUCT ENQUIRY #20211030.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\MAINPROC.exe,"3⤵
- Modifies WinLogon for persistence
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exe"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exe"C:\Users\Admin\AppData\Roaming\MAINPROC.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exe"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exe"C:\Users\Admin\AppData\Local\Temp\SMSS.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exeMD5
0e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exeMD5
0e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\SMSS.exeMD5
0e362e7005823d0bec3719b902ed6d62
SHA1590d860b909804349e0cdc2f1662b37bd62f7463
SHA2562d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
SHA512518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
-
C:\Users\Admin\AppData\Local\Temp\SMSS.txtMD5
2cc01c6c43c8be64782188dbdf80db9f
SHA1fddff8acdfe4d4c9e38caa2ebe8b4614e73257fc
SHA256db4a8da7ba601edf9201cf3659a2292edbaa48ae7436fa20716f07b409667d84
SHA512bd23aa6267bd95899c22f3feb650053e1d0f4678023e6235f6717ed7ac5d4bfbb752b87b659cfdcac037e572ed3fff15682ce4dd2119192b9ee8118bb7d494df
-
C:\Users\Admin\AppData\Local\Temp\SMSS.txtMD5
758b7631385bd96fbc2213656fb92f2d
SHA1d54e3eace7d6392929b3a3070b29058b24c9e9a1
SHA256723a564b48d90c9931161e44d56b9e2102f88b7299cda66d0abfe8798d6d6909
SHA512c6c221eb7d05c0e692e77b1e88ca8ba40b194292037ac0a9ac8a30dc1651ab596cb6fe37cb5b8b087da093a9eca9aa196150c62465c56edb3076ee18413a10a2
-
C:\Users\Admin\AppData\Local\Temp\SMSS.txtMD5
f9ad8270c8a348da7c35d81709bf811e
SHA19fef1c8bdabf9b36b530f16f1a04e57c7b38d14f
SHA25657e652bcdc6aa0fa6faab7b6ca66c13b504234e533a8a4c0c67ddf29d5c5e27f
SHA512b6ca32a956b1c8999b4a2fa22f6ccf462b28c63c258a4b5ca3903e8f069cc3645d775243822ce73b8c78effbfefd5a609873e940c37176e6a91c45b3df5e5416
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exeMD5
d4ab0233615eac735996a239124e9dbe
SHA1eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exeMD5
d4ab0233615eac735996a239124e9dbe
SHA1eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
-
C:\Users\Admin\AppData\Roaming\MAINPROC.exeMD5
d4ab0233615eac735996a239124e9dbe
SHA1eae1a6445bd76e829261323fb1718fa7402f0a7c
SHA256396cf088fe2062cc9b2d2ae6d33ff965264bb9828fbde907bcaff37e5bfde6b9
SHA512446e601c3a4fcaf072bef519cd4039781418dcf98dc1b503e805aadf2a0c33d2fa18535dce1031e43b3c1effc0bcb2db643ad600accd2eac289ff1c0d57de062
-
memory/1732-144-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/1732-147-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/1732-145-0x000000000042FC39-mapping.dmp
-
memory/2056-151-0x0000000000740000-0x0000000000741000-memory.dmpFilesize
4KB
-
memory/2056-148-0x0000000000000000-mapping.dmp
-
memory/2764-155-0x0000000000000000-mapping.dmp
-
memory/4360-141-0x0000000005BD1000-0x0000000005BD2000-memory.dmpFilesize
4KB
-
memory/4360-128-0x0000000000000000-mapping.dmp
-
memory/4360-142-0x0000000007480000-0x000000000748B000-memory.dmpFilesize
44KB
-
memory/4360-143-0x0000000009AA0000-0x0000000009AA1000-memory.dmpFilesize
4KB
-
memory/4360-140-0x0000000005BD0000-0x0000000005BD1000-memory.dmpFilesize
4KB
-
memory/4388-124-0x0000000006990000-0x0000000006991000-memory.dmpFilesize
4KB
-
memory/4388-127-0x0000000005D91000-0x0000000005D92000-memory.dmpFilesize
4KB
-
memory/4388-115-0x0000000000780000-0x0000000000781000-memory.dmpFilesize
4KB
-
memory/4388-123-0x00000000069C0000-0x00000000069C1000-memory.dmpFilesize
4KB
-
memory/4388-122-0x0000000006900000-0x0000000006921000-memory.dmpFilesize
132KB
-
memory/4388-121-0x0000000005D90000-0x0000000005D91000-memory.dmpFilesize
4KB
-
memory/4388-120-0x0000000005C90000-0x0000000005C91000-memory.dmpFilesize
4KB
-
memory/4388-119-0x00000000053D0000-0x00000000053D1000-memory.dmpFilesize
4KB
-
memory/4388-118-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/4388-117-0x0000000005790000-0x0000000005791000-memory.dmpFilesize
4KB
-
memory/4436-126-0x0000000000000000-mapping.dmp
-
memory/4444-125-0x0000000000000000-mapping.dmp