Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 13:23
- Static task: static1
- Behavioral task: behavioral1
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win10v2004-20220414-en
General
- Target: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
- Size: 1.0MB
- MD5: 10bd35143e96d238c1c877dd2876da0a
- SHA1: 44b3c0d42a56605de95f9953432b6f6b9486300c
- SHA256: b85ba05f52b6a5c66037d81e9b5bfd046202ce5de9136e4995822b2fe6405175
- SHA512: 2d47ee630f6f9912cd3acc455344c753248f1f0f2f62676aa94d9e4112a08f88dd6b6219260367bfdbc57724e4d3eb4a567ea5da14bfa503cdf05cb40d4826ab
Malware Config
Extracted: remcos
- version: 2.5.1 Pro
- botnet: AUGUST-BLESS-ME
- C2: officer170.webredirect.org:2404
- C2: chidera12345.ddns.net:2404
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-T7VXCL
- screenshot_crypt: false
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- suricata: ET MALWARE Remcos RAT Checkin 23
- Executes dropped EXE (2 IoCs)
  Processes: PID 1920 asku.pif; PID 948 RegSvcs.exe
- Loads dropped DLL (5 IoCs)
  Processes: PID 388 POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe (4 events); PID 1920 asku.pif (1 event)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process asku.pif:
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\99809826\\asku.pif c:\\99809826\\IDWUOP~1.EXM"
    Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
- Suspicious use of SetThreadContext (1 IoC)
  PID 1920 asku.pif set thread context of PID 948 RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: PID 1920 asku.pif (all 64 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 948 RegSvcs.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 388 POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe wrote to memory of PID 1920 asku.pif (4 events)
  PID 1920 asku.pif wrote to memory of PID 948 RegSvcs.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\99809826\asku.pif (child process)
    command line: "C:\99809826\asku.pif" idwuopbrak.exm
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (child process)
      command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\99809826\asku.pif
  Filesize: 712KB
  MD5: 43e7db53ce5c130179aef5b47dcf7608
  SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
- C:\99809826\idwuopbrak.exm
  Filesize: 213.5MB
  MD5: 473814d436865cb8793a4203c6f2fbe1
  SHA1: 5c624c51bb373b84e6507ccfbe0ec9167a35b0c5
  SHA256: c2e1f2c3cc59cf159240757253a48a3716c3b469e105f2ba70f7cd5fc017a81b
  SHA512: db32f5b88216862902f1abd6c7f9a267ae3b19104abb38aec8d6c404f0d26cb563f4131f60c43f0db25402c50057019b694063663e0f7130bbd16f26c1449087
- C:\99809826\itbq.dat
  Filesize: 303KB
  MD5: d98ac636e189c4c686dd58ae8a9bac4a
  SHA1: 9b92bc50854c88da6131ecd12f8a8713b82e9dcc
  SHA256: 2fda035718648f3834a04737aafeae5a612101c13f6965dcc58b5df334401b48
  SHA512: 430be4fa29518324799dac332e0c0043fd95107d9c7976a6ae9cbe29703fe683c7434d92dae21272935afe6d3c06109739dfa92254689409b5372a212d2a8e37
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
  Filesize: 8KB
- memory/948-65-0x00000000002D0000-0x00000000008CD000-memory.dmp
  Filesize: 6.0MB
- memory/948-67-0x00000000002D0000-0x00000000008CD000-memory.dmp
  Filesize: 6.0MB
- memory/948-68-0x00000000002E3B74-mapping.dmp
- memory/948-72-0x00000000002D0000-0x00000000008CD000-memory.dmp
  Filesize: 6.0MB
- memory/948-73-0x00000000002D0000-0x00000000008CD000-memory.dmp
  Filesize: 6.0MB
- memory/1920-59-0x0000000000000000-mapping.dmp