Analysis
max time kernel: 157s
max time network: 177s
platform: windows7_x64
resource: win7-en-20211208
submitted: 21-01-2022 23:45
Static task: static1
Behavioral task: behavioral1
Sample: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
Resource: win7-en-20211208
General
Target: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
Size: 1.6MB
MD5: 983199bbc9855444da45fd3470542c93
SHA1: 6358b2bf1dc6e8aff646ad6ab919be865fa19870
SHA256: 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729
SHA512: 9d48594222420487bc7a8d0e888806edbd5bac819669504d2a854912d403b22fb761f0e4e0a220412e2a18165ee8d20afe4fa21bea6f73a908428a2116557684
Malware Config
Extracted
remcos
Ene20
amsdkjeduejfhdgerop.duckdns.org:2223
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: AdminShell
keylog_path: %AppData%
mouse_option: false
mutex: NQUjfd3E3e5dje-JHD8X5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures
- Blocklisted process makes network request 4 IoCs
Processes (flow, pid, process):
flow 3  pid 1192  cmd.exe
flow 4  pid 1192  cmd.exe
flow 5  pid 1192  cmd.exe
flow 7  pid 1192  cmd.exe
- Executes dropped EXE 1 IoCs
Processes (pid, process):
pid 376  plier.exe
- Loads dropped DLL 3 IoCs
Processes (pid, process):
pid 1960  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
pid 1960  31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
pid 376  plier.exe
- Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
File opened for modification  C:\Windows\win.ini  plier.exe
File created  C:\Windows\Tasks\diskshadow.job  cmd.exe
- Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes (pid, process):
pid 376  plier.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
pid 376  plier.exe
- Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
pid 1192  cmd.exe
- Suspicious use of WriteProcessMemory 55 IoCs
Processes (source pid and process -> target pid and process; identical rows collapsed, occurrence count in parentheses):
1960 31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe -> 376 plier.exe (4)
376 plier.exe -> 1192 cmd.exe (44)
308 DllHost.exe -> 2016 cmd.exe (4)
2016 cmd.exe -> 916 reg.exe (3)
Processes (indentation shows the parent/child tree; the number is the depth)
1  C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\31c0d26c2edd1b2d59a360ce272eb19ffed3b630757e94336a75c2e1e6a3f729.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\plier.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\plier.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\system32\cmd.exe"
         - Blocklisted process makes network request
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
1  C:\Windows\SysWOW64\DllHost.exe
   Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\sysnative\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0"
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\reg.exe
         Command line: reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat" /t REG_DWORD /d 0
Downloads (dropped files)
C:\Users\Admin\AppData\Local\Temp\Cornhusk
C:\Users\Admin\AppData\Local\Temp\Umbellule.DLL
C:\Users\Admin\AppData\Local\Temp\plier.exe