Analysis
max time kernel: 168s
max time network: 180s
platform: windows10_x64
resource: win10-en-20211208
submitted: 30-01-2022 16:21
Static task: static1
Behavioral task: behavioral1
Sample: 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
Resource: win7-en-20211208
General
Target: 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
Size: 803KB
MD5: b4a7a1d5deedceb08f6e2989072217d1
SHA1: 13a5c261c2b59fc416ac4b4af004a858e272df2f
SHA256: 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b
SHA512: e5a01750459bc31a01b05d8f7e96316f1340f2314b079b72a836d4cde18c78b912943e0711c627c435dadc01386e6a64205b0bc301da6852825bb08297d91be6
Malware Config
Extracted
remcos
2.5.0 Pro
CUARENTA
cuarentarem.duckdns.org:1010
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-JV2JVP
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures
Blocklisted process makes network request (5 IoCs)
Processes: cmd.exe (pid 2908), network flows 20, 27, 28, 30, 31
Loads dropped DLL (1 IoCs)
Processes: rundll32.exe (pid 3672)
Drops file in Windows directory (2 IoCs)
Processes: 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe, cmd.exe
File opened for modification: C:\Windows\ by 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
File created: C:\Windows\Tasks\verifier.job by cmd.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: rundll32.exe (pid 3672)
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: rundll32.exe (pid 3672)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: cmd.exe (pid 2908)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe, rundll32.exe
PID 1312 (532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe) wrote to memory of PID 3672 (rundll32.exe): 3 entries
PID 3672 (rundll32.exe) wrote to memory of PID 2908 (cmd.exe): the remaining 61 entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\532fab96d96c8458789ee349f59d1fcf9e4d34334445643d6ecee3aed5300b4b.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      Command line: rundll32.exe Nightmare,Piggins
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (child of 2)
         Command line: "C:\Windows\system32\cmd.exe"
         - Blocklisted process makes network request
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\Nightmare.DLL
MD5: 7df838fef098a5c92d1ee3c3fe292207
SHA1: 759e7b6d569bba72c3daea62d7f8f5abee4bd6b5
SHA256: 40f4f9c8639a9f232ae1f9ad8bcfd9cc45afeac0cc10bcd771e15980a5451371
SHA512: dbe692db96bf69f1ff77233170799c3180e03fb36ac86d2839565aeeb482fb8d380903e970589617e06f2f5fdca2a976fc95d9580e8d65c355b522d9b0a044d8

C:\Users\Admin\AppData\Local\Temp\Stilt
MD5: b28841fbb75e22b0737b93bdc157e9f4
SHA1: bcd4846db2897c547dae4bc77e83727ed0a69f8e
SHA256: fc1baf22b5128dd9695304dfc7aa133391ab54f4fe39cfe1752d12f20f3dcb65
SHA512: c251b53de6d4d2e880192cd006de9775b321c386facb4b2c7f666f193663629bd890d89da36273648e7a46eff0123eb910f126b427fa180d2a6eae75ea6e3b5d

\Users\Admin\AppData\Local\Temp\Nightmare.dll
MD5: 7df838fef098a5c92d1ee3c3fe292207
SHA1: 759e7b6d569bba72c3daea62d7f8f5abee4bd6b5
SHA256: 40f4f9c8639a9f232ae1f9ad8bcfd9cc45afeac0cc10bcd771e15980a5451371
SHA512: dbe692db96bf69f1ff77233170799c3180e03fb36ac86d2839565aeeb482fb8d380903e970589617e06f2f5fdca2a976fc95d9580e8d65c355b522d9b0a044d8
memory/2908-123-0x00000000770B9000-0x00000000770BA000-memory.dmp: Filesize 4KB
memory/2908-129-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp: Filesize 1.9MB
memory/2908-140-0x0000000000B20000-0x0000000000B26000-memory.dmp: Filesize 24KB
memory/2908-155-0x0000000000400000-0x0000000000420000-memory.dmp: Filesize 128KB
memory/3672-120-0x0000000074060000-0x00000000740C7000-memory.dmp: Filesize 412KB
memory/3672-121-0x00007FFBACF00000-0x00007FFBAD0DB000-memory.dmp: Filesize 1.9MB
memory/3672-122-0x0000000002D80000-0x0000000002D83000-memory.dmp: Filesize 12KB