Overview

overview

10

Static

static

10

PancakeSwa...er.exe

windows7_x64

10

PancakeSwa...er.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    191s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    04-02-2022 08:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PancakeSwap-dApp-2.2.5-installer.exe

  • Size

    118.7MB

  • MD5

    28a9f33f966af6696de57d9958cabde6

  • SHA1

    bd95f99f1466b9102a5d25fabc585de603ad0808

  • SHA256

    05f15a90fcfca1d556a05f9425082d57bc0fa86fef3726545de6c96094aa9312

  • SHA512

    7b8b0bc593fd1424c22965a32bbfa30d92d43a76c7a3853687e501d1c2115ce4f1ad4b2ed1b411e1bbe3c46718074525715ee6a7459d0cfbca202bda4d6c091d

Score
10/10
babadedaremcossys32crypterloaderrat

Malware Config

Extracted

Family

remcos

Botnet

Sys32

C2

157.90.1.54:4783

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Logs

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Sys-PVUZ63

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • Babadeda

    Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    loadercrypterbabadeda
  • Babadeda Crypter 2 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PancakeSwap-dApp-2.2.5-installer.exe
    "C:\Users\Admin\AppData\Local\Temp\PancakeSwap-dApp-2.2.5-installer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\is-9TIV7.tmp\PancakeSwap-dApp-2.2.5-installer.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9TIV7.tmp\PancakeSwap-dApp-2.2.5-installer.tmp" /SL5="$C014E,123590384,907264,C:\Users\Admin\AppData\Local\Temp\PancakeSwap-dApp-2.2.5-installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1320
      • C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
        "C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe"
        3⤵
        • Executes dropped EXE
        PID:776
      • C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
        "C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1072

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1072-109-0x0000000004DE0000-0x0000000008DE0000-memory.dmp

    Filesize

    64.0MB

    Download

  • memory/1072-110-0x0000000002340000-0x00000000023B7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/1320-63-0x0000000074691000-0x0000000074693000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1320-61-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1444-55-0x0000000075831000-0x0000000075833000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1444-56-0x0000000000400000-0x00000000004EB000-memory.dmp

    Filesize

    940KB

    Download