Analysis
max time kernel: 155s
max time network: 169s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-01-2022 23:06
Static task: static1
Behavioral task: behavioral1
  Sample: b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe
  Resource: win10-en-20211208
General
Target: b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe
Size: 968KB
MD5: 27e81492a2fd7e0f93fdf0cfb319eca9
SHA1: d3a22ffbc3ab0384083cf158e2fce9cc28605280
SHA256: b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2
SHA512: 2463cc4382234a87edc8d7cd2b5493dd541f5207dc9254864fa70d0afabc49555108e10c2205b4c0a45a74cf4c52cf685e842347392a015916f98e7cca503c04
Malware Config
Extracted
Family: remcos
Version: 2.5.1 Pro
Botnet: zzzzzzzzzzzzZZZZZZZZZZZZNUEVAMENTE
C2: dominoduck2095.duckdns.org:9597
Attributes:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: Chrome.exe
  copy_folder: Chrome
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: system
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-NUTDL6
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: wikipedia;solitaire;
Signatures
Blocklisted process makes network request (5 IoCs)
  Processes:
  flow  pid  process
  3     572  cmd.exe
  4     572  cmd.exe
  5     572  cmd.exe
  7     572  cmd.exe
  8     572  cmd.exe
Loads dropped DLL (1 IoC)
  Processes:
  pid  process
  680  rundll32.exe
Drops file in Windows directory (1 IoC)
  Processes:
  description   ioc                            process
  File created  C:\Windows\Tasks\rasautou.job  cmd.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid  process
  680  rundll32.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid  process
  680  rundll32.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  process
  572  cmd.exe
Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (identical rows collapsed; the count per row is the number of repeated entries):
  description                     pid  process                                                                   target process  count
  PID 320 wrote to memory of 680  320  b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe  rundll32.exe    7
  PID 680 wrote to memory of 572  680  rundll32.exe                                                              cmd.exe         45
Processes
1. C:\Users\Admin\AppData\Local\Temp\b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b7fc2c96f3385d388315dfbb4c06bec55adf81dad51fc5116b90270541a198c2.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe SkylabDewar,Hemlock
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         - Blocklisted process makes network request
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SkylabDewar.DLL
  MD5: 3e6e2a7f230850309d450cf1cdfb5d04
  SHA1: 963e67d0921079fd79937ce954718f926cc81a9c
  SHA256: 9747d0196e1e19f32c53e1b7df0d64f2328e5fc492596a85ff3a931c55d748ef
  SHA512: fae57f1c7390e95411d2445e88e1702376aee7710cd4fae0e62740388467a610340697a23a81d80b44e2979fca59c75ea8a5a8901b1e11e4491201a82868d4a9
C:\Users\Admin\AppData\Local\Temp\Taboret
  MD5: 467285dd701478d4e4b734676a23ad41
  SHA1: 964e17c9699b577e79bb180add2139713aa47a1e
  SHA256: 049ec8eb1a3161b4363babb6490d34f31175442c83cd98b0df16fac271cbbe25
  SHA512: 1b68548acd2513150d620a7c36a3ae7e9be883d93211cbb23234d2516cc4d4ccbff3900cef510422dcf2d3496ef9cacfbf95a9ee65127a5840ca8c5f2005acce
\Users\Admin\AppData\Local\Temp\SkylabDewar.dll
  MD5: 3e6e2a7f230850309d450cf1cdfb5d04
  SHA1: 963e67d0921079fd79937ce954718f926cc81a9c
  SHA256: 9747d0196e1e19f32c53e1b7df0d64f2328e5fc492596a85ff3a931c55d748ef
  SHA512: fae57f1c7390e95411d2445e88e1702376aee7710cd4fae0e62740388467a610340697a23a81d80b44e2979fca59c75ea8a5a8901b1e11e4491201a82868d4a9
memory/320-55-0x0000000076071000-0x0000000076073000-memory.dmp
  Filesize: 8KB
memory/572-64-0x0000000077260000-0x0000000077409000-memory.dmp
  Filesize: 1.7MB
memory/572-67-0x0000000000090000-0x0000000000096000-memory.dmp
  Filesize: 24KB
memory/572-70-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/680-60-0x0000000000170000-0x0000000000172000-memory.dmp
  Filesize: 8KB
memory/680-61-0x0000000075D20000-0x0000000075D55000-memory.dmp
  Filesize: 212KB
memory/680-62-0x0000000077260000-0x0000000077409000-memory.dmp
  Filesize: 1.7MB