Analysis
max time kernel: 69s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 03-02-2022 12:47
Static task: static1
Behavioral task: behavioral1
  Sample: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2 (the run reported below; platform and resource above match it)
  Sample: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
  Resource: win10v2004-en-20220113
General
Target: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
Size: 1.1MB
MD5: 86e5451f3367e6580295e46b33d3d8ea
SHA1: b27ac49886349182a8f3cb9cdd7eaed0438ba3a3
SHA256: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49
SHA512: 1b0bfc3df08ef499b2c1d7d24f9e31a027c98592645512d73cd58b50f12d52fda4a1287a7a61e6e7ce63a418db393c3546586ea6bf043e8a9de873a2e0ac85eb
Malware Config
Extracted
remcos
2.7.0 Pro
10
duckdne7832732.duckdns.org:1718
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-RN68N0
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;

Reading the flags: install_flag, keylog_flag, screenshot_flag and take_screenshot_option are all false, so this build is configured neither to copy itself to %AppData%\Remcos\remcos.exe and register the "Remcos" startup value, nor to write keystrokes (logs.dat) or screenshots to disk. Those paths are build settings, not artefacts to expect on an infected host. The durable indicators from this config are the mutex Remcos-RN68N0 and the C2 endpoint duckdne7832732.duckdns.org:1718 (a dynamic-DNS host, so hunt on the name, not a resolved address). Persistence in this run comes from the scheduled task created by the sample itself (see Processes), not from the Remcos install routine.
Signatures
Sets service image path in registry 2 TTPs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
description | pid | process | target process
PID 1288 set thread context of 668 | 1288 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe | RegSvcs.exe
The sample resets the main thread context of the RegSvcs.exe child it started (PID 668). Combined with the WriteProcessMemory entries below targeting the same PID, this is the process-hollowing sequence: create the .NET host suspended, overwrite its image, point the thread at the new entry point, resume.
Drops file in Windows directory 6 IoCs
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
All six are Windows Update datastore and log files touched by the svchost.exe hosting wuauserv (PID 4160, see Processes); this is background OS activity, not sample behaviour.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That sentence is the signature's generic description. The report lists no IoCs for it, and the extracted config identifies the payload as Remcos, a remote-access trojan, so the ransomware hint should not be read as evidence of encryption activity in this run.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS 41 IoCs
Processes: WaaSMedicAgent.exe
description | ioc | process
All 41 entries are "Key created" by WaaSMedicAgent.exe under \REGISTRY\USER\.DEFAULT\Software\, with these subkeys:
Policies\Microsoft\SystemCertificates\CA\Certificates
Microsoft\SystemCertificates\Disallowed\CRLs
Microsoft\SystemCertificates\Root\CTLs
Microsoft\SystemCertificates\TrustedPeople
Policies\Microsoft\SystemCertificates\trust
Microsoft\SystemCertificates\TrustedPeople\Certificates
Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Microsoft\SystemCertificates\CA
Policies\Microsoft\SystemCertificates\Disallowed
Microsoft\SystemCertificates\Root\CRLs
Microsoft\SystemCertificates\SmartCardRoot
Microsoft\SystemCertificates\trust\Certificates
Microsoft\SystemCertificates\trust\CTLs
Microsoft\SystemCertificates\Disallowed\Certificates
Microsoft\SystemCertificates\Disallowed\CTLs
Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Microsoft\SystemCertificates\Root\Certificates
Microsoft\SystemCertificates\TrustedPeople\CRLs
Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Microsoft\SystemCertificates\CA\CRLs
Policies\Microsoft\SystemCertificates\CA\CTLs
Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Policies\Microsoft\SystemCertificates\trust\CTLs
Microsoft\SystemCertificates\SmartCardRoot\Certificates
Microsoft\SystemCertificates\trust
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Microsoft\SystemCertificates\CA\CTLs
Policies\Microsoft\SystemCertificates\CA
Policies\Microsoft\SystemCertificates\CA\CRLs
Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Microsoft\SystemCertificates\Root
Policies\Microsoft\SystemCertificates\trust\Certificates
Policies\Microsoft\SystemCertificates\trust\CRLs
Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Microsoft\SystemCertificates\trust\CRLs
Microsoft\SystemCertificates\CA\Certificates
Microsoft\SystemCertificates\Disallowed
Microsoft\SystemCertificates\SmartCardRoot\CRLs
Microsoft\SystemCertificates\SmartCardRoot\CTLs
Microsoft\SystemCertificates\TrustedPeople\CTLs
Policies\Microsoft\SystemCertificates\TrustedPeople
This is the Windows Update Medic Service initialising certificate-store keys for the .DEFAULT profile; none of it is attributable to the sample.
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: svchost.exe
description | pid | process
Token: SeShutdownPrivilege | 4160 | svchost.exe
Token: SeCreatePagefilePrivilege | 4160 | svchost.exe
Token: SeShutdownPrivilege | 4160 | svchost.exe
Token: SeCreatePagefilePrivilege | 4160 | svchost.exe
Token: SeShutdownPrivilege | 4160 | svchost.exe
Token: SeCreatePagefilePrivilege | 4160 | svchost.exe
All six entries belong to PID 4160, the svchost.exe hosting wuauserv (see Processes), i.e. Windows Update, not the sample.
Suspicious use of WriteProcessMemory 13 IoCs
Processes: a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe
description | pid | process | target process
PID 1288 wrote to memory of 3396 | 1288 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe | schtasks.exe   (3 entries)
PID 1288 wrote to memory of 668 | 1288 | a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe | RegSvcs.exe   (10 entries)
The ten writes into RegSvcs.exe (PID 668), followed by the SetThreadContext call on the same process, are the payload being injected by process hollowing; the 132KB image dumped at 0x400000 from PID 668 (memory/668-141 under Downloads) is the result.
Processes
C:\Users\Admin\AppData\Local\Temp\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe   (PID 1288)
  command line: "C:\Users\Admin\AppData\Local\Temp\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe   (PID 3396)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuYmmGpWGSWON" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55C9.tmp"
      - Creates scheduled task(s)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe   (PID 668)
      command line: "{path}"
C:\Windows\System32\WaaSMedicAgent.exe
  command line: C:\Windows\System32\WaaSMedicAgent.exe 23b0e09585a9b1f12d0c71f381bc70d8 zIqyfjkp1UaTvPJr2iUtfw.0.1.0.0.0
  - Modifies data under HKEY_USERS
C:\Windows\system32\svchost.exe   (PID 4160)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken

Two details in this tree are worth noting. schtasks.exe is invoked as C:\Windows\System32\schtasks.exe but the image that runs is C:\Windows\SysWOW64\schtasks.exe: the sample is a 32-bit process, and WoW64 file-system redirection maps its System32 references to SysWOW64. RegSvcs.exe is started with the literal command line "{path}": the loader launched the .NET host from an unfilled template rather than with a real assembly argument, which is a cheap process-creation hunting signal on its own, and the SetThreadContext and WriteProcessMemory signatures above show the payload was then placed into it by process hollowing. The task XML passed to /XML is the tmp55C9.tmp file hashed under Downloads.
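Detection logic for the two loader behaviours visible in this tree (a task registered from an XML in the user's Temp directory, and a .NET framework utility started by a binary in a user-writable directory with no real assembly argument), written here as an added example; it is not part of the sandbox report or of the sandbox's signature engine. The events are constructed in Sysmon event 1 shape from the tree above: the PIDs 1288, 3396, 668 and 4160, the images and the command lines come from the report, while the parent images and parent PIDs of the top-level processes, the rule names, the list of .NET host binaries beyond RegSvcs.exe and the ATT&CK mapping are the author's assumptions.

```python
"""Added example: process-creation detections modelled on this report's process tree.
Not the sandbox's own signature code; event schema, rule names and ATT&CK IDs are assumed."""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a1477a2f05552a89c24ca286f54cdded4b87694302d3d8af2f5cf9dbd7d3ae49.exe")

# Constructed events (Sysmon EID 1 shape). Child PIDs, images and command lines are
# from the report; parent images/PIDs of the top-level processes are assumptions.
EVENTS = [
    {"pid": 1288, "ppid": 4400, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3396, "ppid": 1288, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VuYmmGpWGSWON" '
                 r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp55C9.tmp"'),
     "parent_image": SAMPLE},
    {"pid": 668, "ppid": 1288,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": '"{path}"', "parent_image": SAMPLE},
    {"pid": 4160, "ppid": 700, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",
     "parent_image": r"C:\Windows\system32\services.exe"},
]

USER_WRITABLE = re.compile(r"\\(?:AppData\\Local\\Temp|Downloads|Public|ProgramData)\\", re.I)
# .NET framework binaries commonly used as hollowing targets; the report shows RegSvcs.exe.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "applaunch.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line into quote-aware tokens with the quotes stripped."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def opt(cmdline, name):
    """Value of a /NAME option (quoted or bare), or None if absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % re.escape(name), cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def rule_task_from_user_dir(ev):
    """T1053.005: schtasks /Create importing a task definition from a user-writable path."""
    if basename(ev["image"]) != "schtasks.exe" or "/create" not in ev["cmdline"].lower():
        return None
    xml = opt(ev["cmdline"], "XML")
    if not xml or not USER_WRITABLE.search(xml):
        return None
    return {"rule": "task_from_user_dir", "technique": "T1053.005", "pid": ev["pid"],
            "ppid": ev["ppid"], "task": opt(ev["cmdline"], "TN"), "xml": xml}


def rule_dotnet_host_hollow(ev):
    """T1055.012: a .NET host started by a binary in a user-writable directory whose
    command line carries no real assembly argument (e.g. the literal "{path}")."""
    if basename(ev["image"]) not in DOTNET_HOSTS or not USER_WRITABLE.search(ev["parent_image"]):
        return None
    argv = tokens(ev["cmdline"])
    argv0_is_image = bool(argv) and basename(argv[0]) == basename(ev["image"])
    if argv0_is_image and len(argv) > 1:
        return None  # ordinary use: RegSvcs.exe <assembly>
    return {"rule": "dotnet_host_hollow", "technique": "T1055.012", "pid": ev["pid"],
            "ppid": ev["ppid"], "target": basename(ev["image"]), "cmdline": ev["cmdline"]}


RULES = (rule_task_from_user_dir, rule_dotnet_host_hollow)


def analyze(events):
    """Run every rule over every event; return the list of hits in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def correlate(findings):
    """Parents that both registered a task and hollowed a .NET host: the loader pattern."""
    by_parent = defaultdict(set)
    for f in findings:
        by_parent[f["ppid"]].add(f["technique"])
    return sorted(p for p, t in by_parent.items() if {"T1053.005", "T1055.012"} <= t)


if __name__ == "__main__":
    hits = analyze(EVENTS)
    for h in hits:
        print(h)
    print("loader parents:", correlate(hits))
```

Run against the constructed events, the two rules fire only on the children of PID 1288 and `correlate` returns that parent; the svchost.exe event from the same run is ignored. The hollowing rule deliberately allows a real assembly path as the first argument, so a developer running RegSvcs.exe from a build directory does not trip it.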
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp55C9.tmp (the task XML passed to schtasks /XML in Processes)
  MD5: bfaedf5e714bb3f9e4d14c529f4b1125
  SHA1: b1ebcaf45d889844bbfb50ae14bb1595dea4621d
  SHA256: bc78cf7895fbd31c2fc7f3a8e9080b3d257a05a968e5addbdfa88252ac1df711
  SHA512: e5c47088ae5e8dd58410c0dcf35757b465a2cf9ff746bc73a1f27349d0331d79331b33a54d1a7c19b20cf33544adfcd0b3bbf2a3ab9b801b53455edb02bf6c7a
Memory dumps
dump | region | size
memory/668-141 | 0x0000000000400000-0x0000000000421000 | 132KB
memory/1288-130 | 0x0000000000060000-0x0000000000172000 | 1.1MB
memory/1288-131 | 0x0000000004B30000-0x0000000004BCC000 | 624KB
memory/1288-132 | 0x0000000005180000-0x0000000005724000 | 5.6MB
memory/1288-133 | 0x0000000004C70000-0x0000000004D02000 | 584KB
memory/1288-134 | 0x0000000004BD0000-0x0000000004BDA000 | 40KB
memory/1288-135 | 0x0000000004E00000-0x0000000004E56000 | 344KB
memory/1288-136 | 0x0000000004BD0000-0x0000000005174000 | 5.6MB
memory/4160-137 | 0x000001C0FD530000-0x000001C0FD540000 | 64KB
memory/4160-138 | 0x000001C0FD590000-0x000001C0FD5A0000 | 64KB
memory/4160-139 | 0x000001C0FE270000-0x000001C0FE274000 | 16KB
memory/668-141 is the image mapped at 0x400000 in RegSvcs.exe (PID 668), the region the loader wrote before resetting the thread context, and is the dump to take for payload analysis. memory/1288-130 is the loader's own image (its 1.1MB size matches the sample); the other PID 1288 dumps are further regions in the loader's address space. The PID 4160 dumps belong to the wuauserv svchost.exe and are unrelated to the sample.