Analysis
- max time kernel: 152s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 23:03

Static task: static1

Behavioral task: behavioral1
Sample: 3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3.exe
Resource: win10-en-20211208
General
- Target: 3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3.exe
- Size: 984KB
- MD5: d337ab73b6eb182db46e2cf94239e523
- SHA1: dc0b25884c0379f1b3058b5da1d6ff3df735ef03
- SHA256: 3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3
- SHA512: 2a2b7df94ad54ed096db69fab0dee6bdc364956fff6ba1b0baadb2e1a7657b0d7b2399641bdffd7aa006593b854f32158b670e40b3b29e5c898266744d9e6084
Malware Config
Extracted
- Family: remcos
- Version: 2.5.1 Pro
- Botnet: zzzzzzzzzzzzZZZZZZZZZZZZZZZZZZZZSUMO
- C2: dominoduck2100.duckdns.org:9598
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: Chrome.exe
- copy_folder: Chrome
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: system
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-CQKCYO
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid  process
    3     908  cmd.exe
    4     908  cmd.exe
    6     908  cmd.exe
    7     908  cmd.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid  process
    268  rundll32.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description   ioc                            process
    File created  C:\Windows\Tasks\setupugc.job  cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid  process
    268  rundll32.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid  process
    268  rundll32.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid  process
    908  cmd.exe
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes:
    description                     pid  process                                                                   target process
    PID 828 wrote to memory of 268  828  3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3.exe  rundll32.exe   (7 identical entries)
    PID 268 wrote to memory of 908  268  rundll32.exe                                                              cmd.exe        (45 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3f33700e15ff9a8943e2a67c3a435278290931183d6189095c50a33822f5e1f3.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe Discomfiture,Piggins
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         - Blocklisted process makes network request
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Clomiphene
  MD5: a0c78a0f5bcb482dddcf5887a672a979
  SHA1: 5db86d70cba8ff53d350c739b900d28945dd6288
  SHA256: 47d370f0301f3c2d559493ce30f7fa46cbdb0cfaae18aa98fafa0c4963c2df92
  SHA512: dfab747100f07e2febba90fc4d8cf2deeb59e34b52da12b2e1e7e0d958a657814df5120b152bcbd6c7a29ce852c82967388ecb70aaf473e0c499700122d81b5e
- C:\Users\Admin\AppData\Local\Temp\Discomfiture.DLL
  MD5: 8fa1a02d0f265c2f04daf196e14f4fbf
  SHA1: 2880c448cfca9affcdae455db69062de4a552ee5
  SHA256: dd78cc40cfff39aa47189f911cbe56da634f39318163f16bc2c6b1046ab767d2
  SHA512: f61c688585d7189acff1dbbe48c23559694a8f409b2e6a77cdd5155f981c5d0d8070a51ed24fe1a4ca3835a5b93d632c2c22a8bf2468215c45a538ef77640692
- \Users\Admin\AppData\Local\Temp\Discomfiture.dll
  MD5: 8fa1a02d0f265c2f04daf196e14f4fbf
  SHA1: 2880c448cfca9affcdae455db69062de4a552ee5
  SHA256: dd78cc40cfff39aa47189f911cbe56da634f39318163f16bc2c6b1046ab767d2
  SHA512: f61c688585d7189acff1dbbe48c23559694a8f409b2e6a77cdd5155f981c5d0d8070a51ed24fe1a4ca3835a5b93d632c2c22a8bf2468215c45a538ef77640692
- memory/268-60-0x0000000000140000-0x0000000000143000-memory.dmp
  Filesize: 12KB
- memory/268-61-0x0000000075D20000-0x0000000075D55000-memory.dmp
  Filesize: 212KB
- memory/268-62-0x0000000077260000-0x0000000077409000-memory.dmp
  Filesize: 1.7MB
- memory/828-55-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB
- memory/908-64-0x0000000000090000-0x0000000000096000-memory.dmp
  Filesize: 24KB
- memory/908-65-0x0000000077260000-0x0000000077409000-memory.dmp
  Filesize: 1.7MB
- memory/908-70-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB