Analysis
- max time kernel: 159s
- max time network: 159s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 30-01-2022 17:03
Static task: static1
Behavioral task: behavioral1
- Sample: 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe
- Resource: win10-en-20211208
General
- Target: 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe
- Size: 1.0MB
- MD5: 5e6d13bdc554cba4e186e5751fa8aec6
- SHA1: 7d825bb744de912c78bbf61122fd98fae5424ace
- SHA256: 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8
- SHA512: 8014c0d995eba62eef2cea14b37e44ccc5feaef8797e063ffc11b235fd93b86c56df223f13fe4a18165caae36294e0d65c4cf652b9b54aac983f66f490ab3e87
Malware Config
Extracted
- Family: remcos
- Version: 3.3.2 Light
- RemoteHost: 91.243.44.75:1703
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-W5VMG1
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;
Signatures

Executes dropped EXE (3 IoCs)
Processes:
- PID 1736: Sento.exe.com
- PID 1652: Sento.exe.com
- PID 968: Sento.exe.com

Resources matching YARA rule (resource: yara_rule):
- behavioral1/memory/968-67-0x0000000000400000-0x0000000000479000-memory.dmp: upx
- behavioral1/memory/968-72-0x0000000000400000-0x0000000000479000-memory.dmp: upx
- behavioral1/memory/968-71-0x0000000000400000-0x0000000000479000-memory.dmp: upx

Loads dropped DLL (3 IoCs)
Processes:
- PID 580: cmd.exe
- PID 1736: Sento.exe.com
- PID 1652: Sento.exe.com

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: 3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe)

Suspicious use of SetThreadContext (1 IoCs)
Processes:
- PID 1652 (Sento.exe.com) set thread context of PID 968 (Sento.exe.com)

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
- PID 1736: Sento.exe.com (3 IoCs)
- PID 1652: Sento.exe.com (3 IoCs)

Suspicious use of SendNotifyMessage (6 IoCs)
Processes:
- PID 1736: Sento.exe.com (3 IoCs)
- PID 1652: Sento.exe.com (3 IoCs)

Suspicious use of WriteProcessMemory (37 IoCs)
Processes:
- PID 1568 (3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe) wrote to memory of PID 520 (rundll32.exe): 7 IoCs
- PID 1568 (3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe) wrote to memory of PID 768 (cmd.exe): 4 IoCs
- PID 768 (cmd.exe) wrote to memory of PID 580 (cmd.exe): 4 IoCs
- PID 580 (cmd.exe) wrote to memory of PID 672 (findstr.exe): 4 IoCs
- PID 580 (cmd.exe) wrote to memory of PID 1736 (Sento.exe.com): 4 IoCs
- PID 580 (cmd.exe) wrote to memory of PID 1092 (PING.EXE): 4 IoCs
- PID 1736 (Sento.exe.com) wrote to memory of PID 1652 (Sento.exe.com): 4 IoCs
- PID 1652 (Sento.exe.com) wrote to memory of PID 968 (Sento.exe.com): 6 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe (level 1, PID 1568)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c0b4145b0beaf05da8f190e8199b8294f20503421368bddb8770c7b46fe8cb8.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2, PID 520)
    Command line: rundll32
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 768)
    Command line: cmd /c cmd < Alzata.wmv
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3, PID 580)
      Command line: cmd
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe (level 4, PID 672)
        Command line: findstr /V /R "^jKnxbCNjZAMaeHfxSCDabwINSZBwDVebdLnYwlYMoSNQqSzOBrbOtgKkeLBnwLJrbgwdpsaIDRpFhRNqFMAmngzeqjW$" Giudichera.wmv
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com (level 4, PID 1736)
        Command line: Sento.exe.com L
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com (level 5, PID 1652)
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com L
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com (level 6, PID 968)
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
            - Executes dropped EXE
      - C:\Windows\SysWOW64\PING.EXE (level 4, PID 1092)
        Command line: ping localhost -n 30
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Alzata.wmv
  - MD5: 9ef65ef6b665024d5c6ede2da4676625
  - SHA1: 0f7b27e87e4aa16528184c47a50945f6e73ce30e
  - SHA256: e14ebb1b371057dd46b8d1ec815e3ed216f29731773eedd271f8534b3fcdc19e
  - SHA512: 48c52f14d62ff720adef0943ef9e9250456e59d5ca76815fc6b60f0cdfe7248095dc6005a055a41471bcda8d8fccc544e81188b35046b847c05e35e2c341bbdd
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Giudichera.wmv
  - MD5: 72eb17261d022e6d9f713e8ad1960b4b
  - SHA1: d920146226e7818c151f2f0b34b7c1af50ba1c06
  - SHA256: a5bc8c641d0c8c8a59d36f308ee77d9d08b18cf50c52efe0500c2e0a17289082
  - SHA512: 82478f1c1a35a0b97516784855b7f11788f4aea6fb2be3c4c59937fc487b3022338182d962c1335b20d12a3933cf2794c75d663fd022a07d4a61eed3b1d7ab5c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\L
  - MD5: 2230c81075c9b0fc32046c3a5b491c12
  - SHA1: 915c0ed60bd52758f896da416d26ba817f88899b
  - SHA256: 495011f71a52dbbf3819ce6693f1bea00513208db38d70471e30eb0d3714de73
  - SHA512: 440f68735e20a53b40a2b2ff43328f0975cd09c4ffd274bb0ee9b6ee4d80d35e8642bcaa3cee5bed813137134c4d8c2d4670142bd77e4dc3c38af6f6fca16829
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mia.wmv
  - MD5: 2230c81075c9b0fc32046c3a5b491c12
  - SHA1: 915c0ed60bd52758f896da416d26ba817f88899b
  - SHA256: 495011f71a52dbbf3819ce6693f1bea00513208db38d70471e30eb0d3714de73
  - SHA512: 440f68735e20a53b40a2b2ff43328f0975cd09c4ffd274bb0ee9b6ee4d80d35e8642bcaa3cee5bed813137134c4d8c2d4670142bd77e4dc3c38af6f6fca16829
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
  - MD5: ce2797f5c8d43d08a41645d706569d22
  - SHA1: f8b412bc15829da6e4f16b89112bd67076481424
  - SHA256: fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075
  - SHA512: ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9
- \Users\Admin\AppData\Local\Temp\IXP000.TMP\Sento.exe.com
  - MD5: ce2797f5c8d43d08a41645d706569d22
  - SHA1: f8b412bc15829da6e4f16b89112bd67076481424
  - SHA256: fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075
  - SHA512: ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9
- memory/520-54-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
  - Filesize: 8KB
- memory/968-67-0x0000000000400000-0x0000000000479000-memory.dmp
  - Filesize: 484KB
- memory/968-72-0x0000000000400000-0x0000000000479000-memory.dmp
  - Filesize: 484KB
- memory/968-71-0x0000000000400000-0x0000000000479000-memory.dmp
  - Filesize: 484KB