Analysis
- max time kernel: 175s
- max time network: 200s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:22

Static task: static1

Behavioral task: behavioral1
- Sample: 0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe
- Resource: win10-en-20211208
General
- Target: 0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe
- Size: 1.0MB
- MD5: 49b50b8de454c9bc22545d7a3d4f8129
- SHA1: a4fd08d1823e3192673d706fc7ed204c6d90862b
- SHA256: 0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366
- SHA512: 704775c7ebb0fed8e56f50de7156eaec04c4aa51a220907327e5af20e8657d7f177a60befdca7a44975a2ae56b17499cd8c7175f78504d8ce2b267c20763d040
Malware Config
Extracted
- Family: remcos
- Version: 2.5.0 Pro
- Botnet: VEINTITRES
- C2: veintitressisisi.duckdns.org:1011
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-BP758C
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow / pid / process):
  22 / 3052 / cmd.exe
  25 / 3052 / cmd.exe
  26 / 3052 / cmd.exe
  28 / 3052 / cmd.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  780 / rundll32.exe
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  File created / C:\Windows\Tasks\cliconfg.job / cmd.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid / process):
  780 / rundll32.exe (listed 4 times)
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes (pid / process):
  780 / rundll32.exe (listed 4 times)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid / process):
  3052 / cmd.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target pid / target process), identical entries grouped:
  wrote to memory of / 2808 / 0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe / 780 / rundll32.exe (3 entries)
  wrote to memory of / 780 / rundll32.exe / 1868 / cmd.exe (9 entries)
  wrote to memory of / 780 / rundll32.exe / 1428 / cmd.exe (9 entries)
  wrote to memory of / 780 / rundll32.exe / 784 / cmd.exe (9 entries)
  wrote to memory of / 780 / rundll32.exe / 3052 / cmd.exe (the remaining 34 of the 64 entries listed)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\0f3ab84f5722d1b9e3fe4d1798a0d7a140fbe473c77bd77744a03e6752851366.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe Transport,Pretor
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         - Blocklisted process makes network request
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Transport.DLL
  MD5: 870f4c154b412997a3d564d3d1d9cd2e
  SHA1: 34faecd6d4336c422cc361264cab4e87a9f7f0fa
  SHA256: dca83f20a61e619807fc6ac98d11fde2df618d1d9a0db2143fd295516c143448
  SHA512: f756a342ce8684b3f2a7ce5a18da08fac3451a516490a58241ff4e4dcf1d358818eb4d96e539ee38e4f0711cdf36161f6a95c955d9b5e3ca858b4303ea7e14c0
- C:\Users\Admin\AppData\Local\Temp\Uprise
  MD5: 6a54dccf3dba42037818820856852a00
  SHA1: dc0495d0a951305c5c03a2371bfd9053e42b8b5d
  SHA256: 204f8d3ef40b086b1f482674c1f6dd324c488b684a6b53b5d0d63a2811480406
  SHA512: 967ad475aaa60432e6b4bef9c2be7a85182e6f5205d11898e52fd6441b81abf421abbe1757afeea3c16ee4a2bfb2e6944a879a075a6cf03763d7064220b4695a
- \Users\Admin\AppData\Local\Temp\Transport.dll
  MD5: 870f4c154b412997a3d564d3d1d9cd2e
  SHA1: 34faecd6d4336c422cc361264cab4e87a9f7f0fa
  SHA256: dca83f20a61e619807fc6ac98d11fde2df618d1d9a0db2143fd295516c143448
  SHA512: f756a342ce8684b3f2a7ce5a18da08fac3451a516490a58241ff4e4dcf1d358818eb4d96e539ee38e4f0711cdf36161f6a95c955d9b5e3ca858b4303ea7e14c0
- memory/780-121-0x0000000003350000-0x0000000003352000-memory.dmp
  Filesize: 8KB
- memory/780-122-0x0000000077010000-0x0000000077077000-memory.dmp
  Filesize: 412KB
- memory/780-123-0x00007FFCF1320000-0x00007FFCF14FB000-memory.dmp
  Filesize: 1.9MB
- memory/3052-127-0x0000000077369000-0x000000007736A000-memory.dmp
  Filesize: 4KB
- memory/3052-133-0x00007FFCF1320000-0x00007FFCF14FB000-memory.dmp
  Filesize: 1.9MB
- memory/3052-143-0x0000000000980000-0x0000000000986000-memory.dmp
  Filesize: 24KB
- memory/3052-159-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB