Analysis
-
max time kernel
157s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
21-01-2022 23:36
Static task
static1
Behavioral task
behavioral1
Sample
99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe
Resource
win10-en-20211208
General
-
Target
99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe
-
Size
1.1MB
-
MD5
9f56eea3d0b23e1e3cf30ea12008a33e
-
SHA1
812a407516f9712c80b70a14d6cdf282c88938c1
-
SHA256
99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec
-
SHA512
b552d1c7ddd1a778fc438ad27fa79cbbafc83ccf35ac60663410dd099a848c7f7b703b73399a8626300264327fbb865353a923d6a86dd3d9e377ab226ef7f332
Malware Config
Extracted
remcos
2.5.1 Pro
zzzzzzzzzzzzZZZZZZZZZZZZZZZZMORNINGSTAR
dominoduck2098.duckdns.org:9599
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Chrome.exe
-
copy_folder
Chrome
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
system
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-ZUH30K
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
cmd.exeflow pid process 23 4008 cmd.exe 26 4008 cmd.exe 27 4008 cmd.exe 29 4008 cmd.exe 30 4008 cmd.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 3636 rundll32.exe -
Drops file in Windows directory 1 IoCs
Processes:
cmd.exedescription ioc process File created C:\Windows\Tasks\icsunattend.job cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
rundll32.exepid process 3636 rundll32.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
rundll32.exepid process 3636 rundll32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
cmd.exepid process 4008 cmd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exerundll32.exedescription pid process target process PID 3708 wrote to memory of 3636 3708 99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe rundll32.exe PID 3708 wrote to memory of 3636 3708 99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe rundll32.exe PID 3708 wrote to memory of 3636 3708 99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe rundll32.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe PID 3636 wrote to memory of 4008 3636 rundll32.exe cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe"C:\Users\Admin\AppData\Local\Temp\99da8843bd007d2487d2251d6f62007ca6ee50884e2f54c13aae98a23b35e8ec.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe Galvanometry,Pickaninny2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\FirebugMD5
556a16a1f32d0f6236c0ef23f0d7ced5
SHA105df67f9f7755c65bbb8d951cc3a70da7e57e092
SHA256ec540a9eee23a6473964eb4772e3a92bdd03da4aac90aee8692600d3318613fc
SHA5124b62d0c131717237dfe738975a71c28283a6a4497e1bfb309a6c77187558d397dd3af71ba5e8559c347db55156d9f51fe17fa5d9be25f2e72a33487af8c5ce85
-
C:\Users\Admin\AppData\Local\Temp\Galvanometry.DLLMD5
bc2c79b3780c12c0d508b4fbf37ef15c
SHA15b2328a38ff40d57c78a8174ebdc9a7f5553c35f
SHA256c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598
SHA5129c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136
-
\Users\Admin\AppData\Local\Temp\Galvanometry.dllMD5
bc2c79b3780c12c0d508b4fbf37ef15c
SHA15b2328a38ff40d57c78a8174ebdc9a7f5553c35f
SHA256c0852f62db36c97bb577b840dd58eafd4cd579d09114e2f5c5cbd5858378b598
SHA5129c73429153d6a9b546ff210ec1ef13d2302687992bab26192bb735e9557bec94fc4d6f2ba790afc32933277c1a720cd2015aa19e6522c00150f32fe95cc95136
-
memory/3636-121-0x0000000073CE0000-0x0000000073D8D000-memory.dmpFilesize
692KB
-
memory/3636-123-0x0000000001010000-0x000000000115A000-memory.dmpFilesize
1.3MB
-
memory/3636-122-0x0000000074DC0000-0x0000000074E27000-memory.dmpFilesize
412KB
-
memory/3636-124-0x00007FFB7D340000-0x00007FFB7D51B000-memory.dmpFilesize
1.9MB
-
memory/4008-125-0x0000000077C79000-0x0000000077C7A000-memory.dmpFilesize
4KB
-
memory/4008-131-0x00007FFB7D340000-0x00007FFB7D51B000-memory.dmpFilesize
1.9MB
-
memory/4008-151-0x0000000003240000-0x0000000003246000-memory.dmpFilesize
24KB
-
memory/4008-157-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB