Analysis
- max time kernel: 148s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-05-2022 12:09

Static task: static1
Behavioral task: behavioral1
- Sample: CMR AND PACKINGLIST.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: CMR AND PACKINGLIST.exe
- Resource: win10v2004-20220414-en

The signatures, process tree and dumps below are from the win10v2004-20220414-en run (behavioral2).
General
- Target: CMR AND PACKINGLIST.exe
- Size: 1.1MB
- MD5: 04fb2ce6e058a87f0a13bbb214a427bf
- SHA1: ae2199326c3fb6e541645820cfcbc3904dabb65d
- SHA256: 0591c0db7c2e5d407339e854e5c10adbd63c890c72e6709256829a2001b4f164
- SHA512: 09bbc925672a60aaf19ec3405ebe072896fd73f4fa65d6954d519129ed93637e0dfcd554bc42a9bf1306c36d0a8ea94f502af679155bf7eaf8d7e256e9f95dc0
Malware Config
Extracted
- Family: remcos
- Version: 3.3.2 Pro
- Botnet/campaign ID: dreamchaser
- C2: naninani11.ddns.net:7070

Attributes:
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: windows.exe
- copy_folder: file
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-413F1M
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: notepad;solitaire;

Reading the flags: install_flag, keylog_flag, screenshot_flag, take_screenshot_option and mouse_option are all false, so this build does not install itself or collect keystrokes and screenshots automatically; collection is left to the operator over the C2 channel. The host-side IoCs the config supplies are the mutex Remcos-413F1M and the startup value Remcos; the network IoC is a dynamic-DNS hostname (naninani11.ddns.net) on port 7070.
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: CMR AND PACKINGLIST.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoC)
  PID 2764 (CMR AND PACKINGLIST.exe) set the thread context of PID 752 (CMR AND PACKINGLIST.exe), a second copy of its own image. Combined with the twelve WriteProcessMemory calls from 2764 into 752 listed below and the 0x00400000-0x0047B000 region later dumped from 752, this is consistent with process hollowing: the payload is written into the child and its thread is redirected to it.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; the extracted config identifies the payload as Remcos, a RAT, so drive enumeration here is more plausibly reconnaissance than encryption.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PIDs: 2764 CMR AND PACKINGLIST.exe, 4068 powershell.exe, 3472 powershell.exe (each recorded twice).
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege enabled by: 2764 CMR AND PACKINGLIST.exe, 3472 powershell.exe, 4068 powershell.exe.
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 752 CMR AND PACKINGLIST.exe. SetWindowsHookEx is how user-mode keyboard and mouse hooks are installed; keylog_flag and mouse_option are false in the extracted config, so this run does not establish what the hook was used for.
- Suspicious use of WriteProcessMemory (24 IoCs)
  Source PID -> target PID (target image), number of writes:
  2764 -> 3472 (powershell.exe): 3
  2764 -> 4068 (powershell.exe): 3
  2764 -> 1600 (schtasks.exe): 3
  2764 -> 752 (CMR AND PACKINGLIST.exe): 12
  752 -> 5056 (svchost.exe): 3
  The three writes into each powershell.exe and schtasks.exe child are consistent with ordinary process creation (none of those children received a SetThreadContext). The twelve writes into 752 are the payload write that precedes the SetThreadContext above. The hollowed copy (752) in turn writes into a SysWOW64 svchost.exe it spawned (PID 5056).
Processes
C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe (PID 2764)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWYdFKE.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 1600)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWYdFKE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp19B2.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe (PID 752)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe (PID 5056)
      Command line: C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe (separate top-level process)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

Notes on the tree:
- The two powershell.exe children are PIDs 3472 and 4068 (see the AdjustPrivilegeToken and WriteProcessMemory signatures); the report does not bind each PID to a particular command line.
- Image path versus command line: the command lines name System32, but the images that ran are the SysWOW64 copies. The parent is a 32-bit process, so file-system redirection resolves System32 to SysWOW64 for it. A rule that matches only on the System32 string in the command line still fires; a rule keyed on the image path must also accept the WoW64 copy.
- The two Add-MpPreference calls add Microsoft Defender path exclusions for the running sample and for C:\Users\Admin\AppData\Roaming\mWYdFKE.exe (no file by that name appears among the dropped files recorded below), and the task Updates\mWYdFKE is created from an XML definition written to %TEMP% (tmp19B2.tmp). None of these names match the extracted Remcos config (install_flag false, copy_folder file, copy_file windows.exe, startup_value Remcos), so this persistence and defence evasion belongs to the first-stage loader running as PID 2764, not to the Remcos payload it injects into PID 752.
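The process tree above is the part of this report a detection engineer turns into rules. The script below is an added example, not part of the sandbox report or of any Remcos or Tria.ge tooling. It replays constructed process-creation events modelled on the tree, rebuilds the parent/child hierarchy, and flags the four behaviours the report shows: an Add-MpPreference exclusion, a schtasks /Create fed from an XML file in %TEMP%, a process relaunching its own image (the shape the SetThreadContext/WriteProcessMemory hollowing takes), and svchost.exe with a parent other than services.exe. Assumptions not on the page: the events are constructed, the parent PID 1000 of the sample is invented, the binding of PIDs 3472 and 4068 to the two PowerShell command lines is a guess, and the rules are generic heuristics rather than the sandbox's signatures.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed process-creation events modelled on the report's process tree.
# Assumptions not on the page: the parent PID (1000) of the sample and which
# PowerShell PID (3472 / 4068) ran which Add-MpPreference command line.
EVENTS = [
    {"pid": 2764, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"'},
    {"pid": 3472, "ppid": 2764,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"'},
    {"pid": 4068, "ppid": 2764,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mWYdFKE.exe"'},
    {"pid": 1600, "ppid": 2764,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mWYdFKE" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp19B2.tmp"'},
    {"pid": 752, "ppid": 2764,
     "image": r"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\CMR AND PACKINGLIST.exe"'},
    {"pid": 5056, "ppid": 752,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\SysWOW64\svchost.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def arg_value(cmdline: str, flag: str) -> Optional[str]:
    """Value that follows `flag` on a command line, quoted or bare."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def render_tree(events) -> list:
    """Indent each process under its parent; a process whose parent is not in
    the event set becomes a root (like the sample itself here)."""
    known = {e["pid"] for e in events}
    children = defaultdict(list)
    roots = []
    for e in events:
        (children[e["ppid"]] if e["ppid"] in known else roots).append(e)
    lines = []

    def walk(e, depth):
        lines.append("  " * depth + f'{e["pid"]} {basename(e["image"])}')
        for child in children[e["pid"]]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def triage(events) -> list:
    """Return (pid, rule, detail) findings for the behaviours seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        pid, cmd, img = e["pid"], e["cmdline"], basename(e["image"])
        parent = by_pid.get(e["ppid"])
        # 1. Defender exclusion added from a command line (defence evasion).
        if re.search(r"\bAdd-MpPreference\b", cmd, re.IGNORECASE):
            for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
                value = arg_value(cmd, flag)
                if value:
                    findings.append((pid, "defender_exclusion", f"{flag} {value}"))
        # 2. Scheduled task created from an XML definition dropped in %TEMP%.
        if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
            xml = arg_value(cmd, "/XML")
            if xml and re.search(r"\\temp\\|\.tmp$", xml, re.IGNORECASE):
                findings.append((pid, "schtask_from_temp_xml", f'{arg_value(cmd, "/TN")} <- {xml}'))
        # 3. Parent starts a second copy of its own image: the target that a
        #    WriteProcessMemory + SetThreadContext hollowing sequence needs.
        if parent and e["image"].lower() == parent["image"].lower():
            findings.append((pid, "self_relaunch", f'parent {parent["pid"]} runs the same image'))
        # 4. svchost.exe is normally a child of services.exe; any other parent
        #    marks a candidate injection host.
        if img == "svchost.exe" and parent and basename(parent["image"]) != "services.exe":
            findings.append((pid, "svchost_odd_parent", f'parent {basename(parent["image"])}'))
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for finding in triage(EVENTS):
        print(finding)
```

Rule 3 fires on the relaunch alone; in a real pipeline it would be joined with the API events (WriteProcessMemory count into the child, SetThreadContext on it) before it is treated as hollowing, since benign software occasionally spawns a copy of itself. Matching on `basename(image)` rather than the command line path is deliberate: it is what makes the SysWOW64 copies of powershell.exe and schtasks.exe match despite the System32 strings in their command lines.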
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log (32-bit CLR usage log written by powershell.exe itself)
  Filesize: 2KB
  MD5: 968cb9309758126772781b83adb8a28f
  SHA1: 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256: 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512: 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (PowerShell host startup cache, a side effect of running powershell.exe)
  Filesize: 18KB
  MD5: 791e71ba7bcb8bb9c6aab36ecc35db06
  SHA1: 06cec711e333af20bd230b03ef4104930bf354c0
  SHA256: 3684afbfc80b5b422e6199b32bd80d3fa87c34b828c758ada15bb9258f73b17a
  SHA512: 493488f434eaf9c12303fae2b93a92bbe1dec57470004a3fa04f4cccb3978abe852b43d2306b21da21a652bce773b9d788f315a3c9bed662883f16e68ad02d95
- C:\Users\Admin\AppData\Local\Temp\tmp19B2.tmp (the scheduled-task XML passed to schtasks /XML above)
  Filesize: 1KB
  MD5: f09987669cb375652e445100adb97ef1
  SHA1: 899f6be8b5efc3804f7266f1015e1c8a0d975551
  SHA256: 883e3970b8b2d90101dd30fa1e337dc0d261f108354c3a3aa093e8872655d564
  SHA512: 731aa6b30c5b8497838e1883d94a5966b77445bf845548a400ef76e73b52d023b13cae8767baa0017af141eb0765214b47f27b939311c9fd7358d2c8a61b4216

Memory dumps (PID 752 is the hollowed copy of the sample; its four dumps all cover the same 0x00400000-0x0047B000 range):
- memory/752-151-0x0000000000400000-0x000000000047B000-memory.dmp
  Filesize: 492KB
- memory/752-147-0x0000000000400000-0x000000000047B000-memory.dmp
  Filesize: 492KB
- memory/752-145-0x0000000000400000-0x000000000047B000-memory.dmp
  Filesize: 492KB
- memory/752-146-0x0000000000400000-0x000000000047B000-memory.dmp
  Filesize: 492KB
- memory/752-144-0x0000000000000000-mapping.dmp
- memory/1600-138-0x0000000000000000-mapping.dmp
- memory/2764-135-0x0000000009C10000-0x0000000009C76000-memory.dmp
  Filesize: 408KB
- memory/2764-131-0x0000000005BE0000-0x0000000006184000-memory.dmp
  Filesize: 5.6MB
- memory/2764-130-0x0000000000A30000-0x0000000000B52000-memory.dmp
  Filesize: 1.1MB
- memory/2764-132-0x0000000005500000-0x0000000005592000-memory.dmp
  Filesize: 584KB
- memory/2764-133-0x00000000055A0000-0x00000000055AA000-memory.dmp
  Filesize: 40KB
- memory/2764-134-0x0000000009100000-0x000000000919C000-memory.dmp
  Filesize: 624KB
- memory/3472-136-0x0000000000000000-mapping.dmp
- memory/3472-158-0x0000000006DA0000-0x0000000006DAA000-memory.dmp
  Filesize: 40KB
- memory/3472-140-0x0000000004C80000-0x00000000052A8000-memory.dmp
  Filesize: 6.2MB
- memory/3472-162-0x0000000007050000-0x0000000007058000-memory.dmp
  Filesize: 32KB
- memory/3472-161-0x0000000007070000-0x000000000708A000-memory.dmp
  Filesize: 104KB
- memory/3472-150-0x0000000005A10000-0x0000000005A2E000-memory.dmp
  Filesize: 120KB
- memory/3472-143-0x0000000004BF0000-0x0000000004C56000-memory.dmp
  Filesize: 408KB
- memory/3472-152-0x0000000006BE0000-0x0000000006C12000-memory.dmp
  Filesize: 200KB
- memory/3472-153-0x0000000073680000-0x00000000736CC000-memory.dmp
  Filesize: 304KB
- memory/3472-160-0x0000000006F60000-0x0000000006F6E000-memory.dmp
  Filesize: 56KB
- memory/3472-155-0x0000000005FE0000-0x0000000005FFE000-memory.dmp
  Filesize: 120KB
- memory/3472-156-0x0000000007370000-0x00000000079EA000-memory.dmp
  Filesize: 6.5MB
- memory/3472-159-0x0000000006FB0000-0x0000000007046000-memory.dmp
  Filesize: 600KB
- memory/3472-139-0x0000000004480000-0x00000000044B6000-memory.dmp
  Filesize: 216KB
- memory/4068-157-0x0000000006E00000-0x0000000006E1A000-memory.dmp
  Filesize: 104KB
- memory/4068-154-0x0000000073680000-0x00000000736CC000-memory.dmp
  Filesize: 304KB
- memory/4068-149-0x0000000005B00000-0x0000000005B1E000-memory.dmp
  Filesize: 120KB
- memory/4068-142-0x0000000004B50000-0x0000000004B72000-memory.dmp
  Filesize: 136KB
- memory/4068-137-0x0000000000000000-mapping.dmp
- memory/5056-148-0x0000000000000000-mapping.dmp
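The dump names above read as pid-sequence-start-end (a reading of the file names on this page, not a documented format). The four dumps of PID 752 all cover 0x00400000-0x0047B000, the range a PE32 image loaded at the default base would occupy, in the process that received the WriteProcessMemory and SetThreadContext calls. The script below is an added example, not part of the report, of the first check an analyst runs on such a dump: parse the region from the file name, look for a PE header at the start of the region, and compare ImageBase and SizeOfImage against the dumped range. A match means the injected image is intact and can be carved as-is; a missing header means the injector wiped it (common in hollowing) and the sections must be rebuilt by hand. The dump bytes are synthetic (a bare PE32 header built in the script), since the page carries only the dumps' names and sizes; the `-mapping.dmp` entries are deliberately not matched.

```python
import re
import struct
from typing import Optional

# File-name convention as it appears in this report (pid-sequence-start-end).
# That the second number is a sequence counter is an assumption.
DUMP_NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SAMPLE_NAME = "memory/752-151-0x0000000000400000-0x000000000047B000-memory.dmp"


def parse_dump_name(name: str) -> Optional[dict]:
    """pid, sequence number and region bounds from a dump file name."""
    m = DUMP_NAME_RE.search(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "start": int(start, 16), "end": int(end, 16)}


def parse_pe_header(blob: bytes) -> Optional[dict]:
    """Minimal PE walk: DOS header -> PE signature -> COFF -> optional header.
    Returns None when no well-formed PE header sits at offset 0, which is what
    a dump looks like when the injector wiped or never wrote the header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    machine, nsections = struct.unpack_from("<HH", blob, coff)
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    if opt_size < 64 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        return None
    return {"machine": machine, "sections": nsections, "magic": magic,
            "entry_rva": struct.unpack_from("<I", blob, opt + 16)[0],
            "image_base": image_base,
            "size_of_image": struct.unpack_from("<I", blob, opt + 56)[0]}


def triage_dump(name: str, blob: bytes) -> dict:
    """Does the dumped region hold a PE whose header agrees with where it was mapped?"""
    region = parse_dump_name(name)
    pe = parse_pe_header(blob)
    result = {"region": region, "pe": pe,
              "verdict": "no PE header at region start (wiped header or non-image region)"}
    if region and pe:
        result["base_matches"] = pe["image_base"] == region["start"]
        result["size_matches"] = pe["size_of_image"] == region["end"] - region["start"]
        result["verdict"] = ("PE mapped at its preferred base; SizeOfImage equals the region"
                             if result["base_matches"] and result["size_matches"]
                             else "PE present, but ImageBase/SizeOfImage disagree with the region")
    return result


def build_synthetic_pe32(image_base: int = 0x400000, size_of_image: int = 0x7B000) -> bytes:
    """Constructed test data: a bare PE32 header (no sections, no code) at the
    front of a buffer sized like the 492KB region dumped from PID 752."""
    buf = bytearray(size_of_image)
    buf[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    # COFF: Machine=i386, 3 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=224, flags
    struct.pack_into("<HHIIIHH", buf, coff, 0x14C, 3, 0, 0, 0, 224, 0x0102)
    opt = coff + 20
    struct.pack_into("<H", buf, opt, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x1000)         # AddressOfEntryPoint
    struct.pack_into("<I", buf, opt + 28, image_base)     # ImageBase
    struct.pack_into("<I", buf, opt + 56, size_of_image)  # SizeOfImage
    return bytes(buf)


if __name__ == "__main__":
    print(triage_dump(SAMPLE_NAME, build_synthetic_pe32())["verdict"])
    print(triage_dump(SAMPLE_NAME, bytes(0x7B000))["verdict"])
```

On a real dump, replace `build_synthetic_pe32()` with the file's bytes. When the header is present but ImageBase disagrees with the region start, the image was relocated or written somewhere other than its preferred base, and section offsets still need fixing before the dump will load in a disassembler.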