Analysis
max time kernel: 147s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 16-12-2021 12:22

Static task: static1
Behavioral task: behavioral1
  Sample: Request for quotation,pdf.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Request for quotation,pdf.exe
  Resource: win10-en-20211208
General
Target: Request for quotation,pdf.exe (the ",pdf.exe" suffix is a double-extension lure; the file is an executable, not a PDF)
Size: 607KB
MD5: 0d8326f60911be3f5c0662eb33d52f25
SHA1: d4a33d7c5998e076f5fe4b16544c87fd6f82b144
SHA256: e3c4caeafd8e19662239571bd3eee795d2ffb003953ce5eb06026a1be72b32e0
SHA512: 8dfb7853f4f54940baeaf1389b393fcc5e3ed5116ce586b50827f851ac9a72fb8200ab54f0100a8e54d341e182a0a0521fd8721433deb0a9dd4ee07c2cd9cb07
Malware Config
Extracted: remcos
Version: 3.2.0 Pro
Botnet: ZUBBY
C2: newlogs.ddns.net:4312 (dynamic-DNS host; block and hunt on the hostname rather than on whatever IP it resolved to at analysis time)
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-8UKXGF (host-based indicator; the mutex name is per-build)
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;

Reading the flags: with install_flag false the RAT is configured not to install itself, so copy_file, copy_folder, install_path and startup_value describe settings this build does not act on, and the persistence seen in this run (the Fopvpkxy Run key under Signatures) is written by the dropper, not by Remcos. keylog_flag and screenshot_flag are also false, so do not expect logs.dat or a Screenshots folder under %AppData% on an infected host unless the operator enabled those features remotely.
Signatures
Executes dropped EXE (2 IoCs)
  PID 2040 PasswordOnWakeSettingFlyout.exe
  PID 1992 PasswordOnWakeSettingFlyout.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Request for quotation,pdf.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fopvpkxy = "C:\\Users\\Admin\\yxkpvpoF.url"
  The autorun target is an Internet shortcut (.url) in the user profile, not an executable. The .url file itself is not among the captured dropped files, so what it launches at logon is not recorded in this report.
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this likely ransomware behaviour; for Remcos, which carries a file-manager component, it is equally consistent with drive enumeration for reconnaissance, and no file-encryption activity is reported in this run.
Runs ping.exe (1 TTP, 1 IoC)
  ping 127.0.0.1 -n 6, launched from the batch chain (see Processes). Pinging localhost with a count is the standard batch-file substitute for sleep.
Suspicious use of WriteProcessMemory (28 IoCs, collapsed here to unique source -> target pairs)
  PID 1652 Request for quotation,pdf.exe -> PID 1120 logagent.exe (16 writes)
  PID 1652 Request for quotation,pdf.exe -> PID 1756 cmd.exe (4 writes)
  PID 1756 cmd.exe -> PID 1028 cmd.exe (4 writes)
  PID 1028 cmd.exe -> PID 2000 PING.EXE (4 writes)
  Sixteen writes from the parent into a freshly spawned logagent.exe, followed by the memory regions later dumped from PID 1120, fit payload injection into a legitimate Windows binary. The low counts on the remaining pairs are typical of ordinary process creation by a parent.
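The two signature entries above arrive as flattened text. The Python below is added here as an example and is not part of the sandbox report or of the Remcos sample: it parses the two IoC formats the report shows (the repeated "PID X wrote to memory of Y" records and the "Set value" Run-key line) into structured records, collapses duplicate WriteProcessMemory entries into counted edges, and flags a Run value that points at a non-executable loader file in a user-writable location. The sample strings are copied from the report; the function names, field names and the NON_PE_AUTORUN_EXTS list are this example's own choices.

```python
"""Turn flattened sandbox signature text into structured IoCs.

Added example; not part of the sandbox report or of the Remcos sample.
Field names and the extension list below are this example's own.
"""
import ntpath
import re
from collections import Counter

# Constructed sample: a subset of the report's flattened WriteProcessMemory records.
WPM_TEXT = (
    "PID 1652 wrote to memory of 1120 1652 Request for quotation,pdf.exe logagent.exe "
    "PID 1652 wrote to memory of 1120 1652 Request for quotation,pdf.exe logagent.exe "
    "PID 1652 wrote to memory of 1756 1652 Request for quotation,pdf.exe cmd.exe "
    "PID 1756 wrote to memory of 1028 1756 cmd.exe cmd.exe "
    "PID 1028 wrote to memory of 2000 1028 cmd.exe PING.EXE "
    "PID 1028 wrote to memory of 2000 1028 cmd.exe PING.EXE"
)

# Constructed sample: the report's Run-key IoC, exactly as the sandbox prints it
# (note the doubled backslashes in the value data).
RUN_KEY_TEXT = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Fopvpkxy = "C:\\Users\\Admin\\yxkpvpoF.url"'
)

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# The source image may contain spaces (the lure filename does); the target image
# is a bare file name, so it is matched as a run of non-space characters.
WPM_RE = re.compile(
    r"PID (\d+) wrote to memory of (\d+) \1 (.+?\.exe) (\S+\.exe)(?=\s+PID |\s*$)",
    re.IGNORECASE,
)

# "Set value (<type>) <key path>\<value name> = "<data>""
RUN_RE = re.compile(
    r'Set value \((\w+)\) (\\REGISTRY\\.*?\\CurrentVersion\\Run(?:Once)?)\\(\S+) = "(.*)"'
)

# Autorun targets that are not PE files; each one is a loader for something else.
NON_PE_AUTORUN_EXTS = {".url", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".ps1", ".scr"}


def aggregate_wpm(text):
    """Collapse repeated WriteProcessMemory records into unique edges with counts."""
    counts = Counter()
    for src_pid, dst_pid, src_img, dst_img in WPM_RE.findall(text):
        counts[(int(src_pid), src_img, int(dst_pid), dst_img)] += 1
    edges = [
        {"src_pid": s, "src": si, "dst_pid": d, "dst": di, "count": n}
        for (s, si, d, di), n in counts.items()
    ]
    return sorted(edges, key=lambda e: (e["src_pid"], e["dst_pid"]))


def parse_run_key(text):
    """Structure a 'Set value' Run-key IoC and flag the usual persistence red flags."""
    m = RUN_RE.search(text)
    if not m:
        return None
    value_type, key, name, raw_data = m.groups()
    target = raw_data.replace("\\\\", "\\")  # undo the sandbox's doubled backslashes
    ext = ntpath.splitext(target)[1].lower()
    lower = target.lower()
    user_writable = (
        lower.startswith("c:\\users\\") or "\\appdata\\" in lower or "\\temp\\" in lower
    )
    return {
        "hive": "HKU" if key.upper().startswith("\\REGISTRY\\USER\\") else "HKLM",
        "key": key,
        "name": name,
        "type": value_type,
        "target": target,
        "ext": ext,
        # A Run value pointing into a user-writable directory, or at a non-PE
        # loader file, is the pattern to hunt for; either alone is enough to flag.
        "suspicious": user_writable or ext in NON_PE_AUTORUN_EXTS,
    }


if __name__ == "__main__":
    for e in aggregate_wpm(WPM_TEXT):
        print(f'{e["src_pid"]} {e["src"]} -> {e["dst_pid"]} {e["dst"]} (x{e["count"]})')
    print(parse_run_key(RUN_KEY_TEXT))
```

Feeding the report's full 28-record string to aggregate_wpm yields the four edges listed under Signatures with counts 16, 4, 4 and 4; the same regexes work on other reports from this sandbox as long as the target image name contains no spaces.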
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Request for quotation,pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Request for quotation,pdf.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\logagent.exe
      Command line: C:\Windows\System32\logagent.exe
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\Fopvpkxyt.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\FopvpkxyO.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
          Command line: "C:\Windows \System32\PasswordOnWakeSettingFlyout.exe"
          - Executes dropped EXE
      [4] C:\Windows \System32\PasswordOnWakeSettingFlyout.exe
          Command line: "C:\Windows \System32\PasswordOnWakeSettingFlyout.exe"
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 6
          - Runs ping.exe

Notes on the tree:
- The command lines request C:\Windows\System32\... but the image paths resolve to C:\Windows\SysWOW64\...: the sample is a 32-bit process on x64 Windows, so WOW64 file-system redirection rewrites System32 to SysWOW64.
- "C:\Windows \System32" (trailing space after Windows) is not the real System32. A directory whose name ends in a space cannot be created through ordinary Win32 calls, which trim it, but can be created with the \\?\ path prefix or native APIs; Win32 path normalization then makes a file inside it read as living in the trusted C:\Windows\System32. This is the documented mock-trusted-directory UAC-bypass technique. Whether PasswordOnWakeSettingFlyout.exe auto-elevates, and which process loads the dropped uxtheme.dll (see Downloads), is not established by this report, though a DLL carrying a system library's name staged beside the copied binary is the usual sideloading half of that technique.
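The trailing-space directory in the tree above is easy to miss by eye and trivial to catch programmatically. The Python below is added here as an example and is not part of the sandbox report: it walks a list of image or dropped-file paths, reports any directory component that differs from its Win32-trimmed form (trailing spaces or dots), and checks whether the trimmed path lands in a trusted system directory. The sample paths are copied from this report; the function and field names and the TRUSTED_DIR_PREFIXES list are this example's own.

```python
"""Flag mock trusted directories in process and dropped-file paths.

Added example; not part of the sandbox report. Win32 path handling trims
trailing spaces and dots from each path component, so a directory literally
named "C:\\Windows \\System32" is distinct on disk yet normalizes (for
instance through GetLongPathNameW) to the real System32 path. A process
image whose raw path and normalized path disagree deserves a closer look.
"""

# Constructed sample: image paths from the process tree plus two dropped files.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\Request for quotation,pdf.exe",
    r"C:\Windows\SysWOW64\logagent.exe",
    r"C:\Windows\SysWOW64\cmd.exe",
    r"C:\Windows \System32\PasswordOnWakeSettingFlyout.exe",
    r"C:\Windows\SysWOW64\PING.EXE",
    r"C:\Users\Admin\uxtheme.dll",
]

# Directories an attacker wants a path to appear to live in (lower-case prefixes).
# Plain strings rather than raw strings because each must end in a backslash.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def split_components(path):
    """Split a Windows path on backslashes; no normalization is applied here."""
    return path.split("\\")


def odd_components(path):
    """Directory components (leaf excluded) that differ from their trimmed form.

    Such names only exist if created via the \\\\?\\ prefix or native APIs,
    because ordinary Win32 file calls strip trailing spaces and dots.
    """
    *dirs, _leaf = split_components(path)
    return [d for d in dirs if d != d.strip(" ") or d.endswith(".")]


def win32_normalized(path):
    """The path as Win32-style trimming of each component would render it."""
    return "\\".join(c.rstrip(" .") for c in split_components(path))


def triage_paths(paths):
    """Return one finding per path whose raw and normalized forms disagree."""
    findings = []
    for p in paths:
        odd = odd_components(p)
        if not odd:
            continue
        norm = win32_normalized(p)
        findings.append({
            "path": p,
            "odd_components": odd,
            "normalizes_to": norm,
            # True when the trimmed path would pass a naive "is it under a
            # trusted directory?" prefix check, which is the point of the trick.
            "masquerades_as_trusted": norm.lower().startswith(TRUSTED_DIR_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for f in triage_paths(SAMPLE_PATHS):
        print(f"{f['path']!r} -> {f['normalizes_to']!r} "
              f"(odd: {f['odd_components']}, trusted-looking: {f['masquerades_as_trusted']})")
```

Run over EDR process-creation or file-creation events, the same check turns the mock-directory trick into a near-zero-false-positive alert: legitimate software does not create directories whose names end in a space.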
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\FopvpkxyO.bat
  MD5: 9d129b87ea5d68b76a8a6f098ee239bb
  SHA1: e23837a4d7cc3235b8d876c9a61ad26468a026b0
  SHA256: 828f0819e547b8b60afa2a6124bee209a87a18be0680006d3ac1bfeafe6c1b4f
  SHA512: 8fd03fbc363dfff504209ef8a547ebb021824d74bfa0a1401955f388b371f19246392db825e6ea26566195d1bb096e58490c09565d6fc6871833ab4a11e53d11
C:\Users\Admin\Fopvpkxyt.bat
  MD5: 7e5eca360524bcaec0544eb4e4c8e820
  SHA1: 97b74eab8c9b15b4b67754c4a4fb54c257a546ef
  SHA256: 5b37de69c447d8292c720c8cf645a2ef503653017f4c3c87bf119d99732e752f
  SHA512: bd68beca3b2386a1ca5280cc61b0c0efd37193dc736fd9a30d9bb1b1e747d36ce682c2edc80b076f4564ad0ca77cd01e5a391557535d4b7a33df1052f9d86429
C:\Users\Admin\KDECO.bat (dropped, but not observed executing in this run)
  MD5: 213c60adf1c9ef88dc3c9b2d579959d2
  SHA1: e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
  SHA256: 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
  SHA512: fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
C:\Users\Admin\PasswordOnWakeSettingFlyout.exe
  MD5: 591a98c65f624c52882c2b238d6cd4c4
  SHA1: c960d08c19d777069cf265dcc281807fbd8502d7
  SHA256: 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
  SHA512: 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074
C:\Users\Admin\uxtheme.dll (a DLL carrying a Windows system library's name, staged in the user profile beside the executable above)
  MD5: 64854e08792b761b973556cdf1522f26
  SHA1: 851cd539768c26b407e3ba8cc75d87ed1dd8423d
  SHA256: c264b40c7308aad3df416c750c64a5fb80540095ac725002686dd25c4dbf2b17
  SHA512: 9508f59a05165068601f5961d7031b5c78257d682eb6fd7dae3dd41b6ec9f9679855260944fe38b3e05aaeef938a03a8a11a81bf97985743456c8acd5d665bb6
C:\Windows \System32\PasswordOnWakeSettingFlyout.exe (byte-identical to the copy in C:\Users\Admin; note the trailing space in "Windows ")
  MD5: 591a98c65f624c52882c2b238d6cd4c4
  SHA1: c960d08c19d777069cf265dcc281807fbd8502d7
  SHA256: 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
  SHA512: 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074
memory/1028-85-0x00000000022A0000-0x00000000022A1000-memory.dmp (4KB)
memory/1028-77-0x0000000000000000-mapping.dmp
memory/1120-67-0x0000000072600000-0x000000007267C000-memory.dmp (496KB)
memory/1120-75-0x0000000072600000-0x000000007267C000-memory.dmp (496KB)
memory/1120-74-0x0000000000120000-0x0000000000121000-memory.dmp (4KB)
memory/1120-72-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
memory/1120-73-0x00000000000C0000-0x00000000000C1000-memory.dmp (4KB)
memory/1120-57-0x0000000000080000-0x0000000000081000-memory.dmp (4KB)
memory/1120-58-0x0000000000000000-mapping.dmp
memory/1120-87-0x0000000000470000-0x00000000004E9000-memory.dmp (484KB)
memory/1652-54-0x0000000075F21000-0x0000000075F23000-memory.dmp (8KB)
memory/1652-56-0x00000000004F1000-0x0000000000505000-memory.dmp (80KB)
memory/1652-55-0x00000000002E0000-0x00000000002E1000-memory.dmp (4KB)
memory/1756-70-0x0000000000000000-mapping.dmp
memory/2000-86-0x0000000000000000-mapping.dmp