Analysis
-
max time kernel
151s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 13:23
Static task
static1
Behavioral task
behavioral1
Sample
POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
Resource
win10v2004-20220414-en
General
-
Target
POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
-
Size
1.0MB
-
MD5
10bd35143e96d238c1c877dd2876da0a
-
SHA1
44b3c0d42a56605de95f9953432b6f6b9486300c
-
SHA256
b85ba05f52b6a5c66037d81e9b5bfd046202ce5de9136e4995822b2fe6405175
-
SHA512
2d47ee630f6f9912cd3acc455344c753248f1f0f2f62676aa94d9e4112a08f88dd6b6219260367bfdbc57724e4d3eb4a567ea5da14bfa503cdf05cb40d4826ab
Malware Config
Extracted
remcos
2.5.1 Pro
AUGUST-BLESS-ME
officer170.webredirect.org:2404
chidera12345.ddns.net:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-T7VXCL
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
suricata: ET MALWARE Remcos RAT Checkin 23
suricata: ET MALWARE Remcos RAT Checkin 23
-
Executes dropped EXE 2 IoCs
Processes:
asku.pifRegSvcs.exepid process 1292 asku.pif 1532 RegSvcs.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
asku.pifdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run asku.pif Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\99809826\\asku.pif c:\\99809826\\IDWUOP~1.EXM" asku.pif -
Suspicious use of SetThreadContext 1 IoCs
Processes:
asku.pifdescription pid process target process PID 1292 set thread context of 1532 1292 asku.pif RegSvcs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
asku.pifpid process 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif 1292 asku.pif -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
RegSvcs.exepid process 1532 RegSvcs.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exeasku.pifdescription pid process target process PID 2388 wrote to memory of 1292 2388 POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe asku.pif PID 2388 wrote to memory of 1292 2388 POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe asku.pif PID 2388 wrote to memory of 1292 2388 POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe asku.pif PID 1292 wrote to memory of 1532 1292 asku.pif RegSvcs.exe PID 1292 wrote to memory of 1532 1292 asku.pif RegSvcs.exe PID 1292 wrote to memory of 1532 1292 asku.pif RegSvcs.exe PID 1292 wrote to memory of 1532 1292 asku.pif RegSvcs.exe PID 1292 wrote to memory of 1532 1292 asku.pif RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\99809826\asku.pif"C:\99809826\asku.pif" idwuopbrak.exm2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\99809826\asku.pifFilesize
712KB
MD543e7db53ce5c130179aef5b47dcf7608
SHA15398e207d9ad301860b570d87601c1664ada9c0a
SHA2569c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
SHA512a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
-
C:\99809826\asku.pifFilesize
712KB
MD543e7db53ce5c130179aef5b47dcf7608
SHA15398e207d9ad301860b570d87601c1664ada9c0a
SHA2569c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
SHA512a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
-
C:\99809826\idwuopbrak.exmFilesize
213.5MB
MD5473814d436865cb8793a4203c6f2fbe1
SHA15c624c51bb373b84e6507ccfbe0ec9167a35b0c5
SHA256c2e1f2c3cc59cf159240757253a48a3716c3b469e105f2ba70f7cd5fc017a81b
SHA512db32f5b88216862902f1abd6c7f9a267ae3b19104abb38aec8d6c404f0d26cb563f4131f60c43f0db25402c50057019b694063663e0f7130bbd16f26c1449087
-
C:\99809826\itbq.datFilesize
303KB
MD5d98ac636e189c4c686dd58ae8a9bac4a
SHA19b92bc50854c88da6131ecd12f8a8713b82e9dcc
SHA2562fda035718648f3834a04737aafeae5a612101c13f6965dcc58b5df334401b48
SHA512430be4fa29518324799dac332e0c0043fd95107d9c7976a6ae9cbe29703fe683c7434d92dae21272935afe6d3c06109739dfa92254689409b5372a212d2a8e37
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
memory/1292-130-0x0000000000000000-mapping.dmp
-
memory/1532-135-0x0000000000B00000-0x0000000001045000-memory.dmpFilesize
5.3MB
-
memory/1532-136-0x0000000000B13B74-mapping.dmp
-
memory/1532-139-0x0000000000B00000-0x0000000001045000-memory.dmpFilesize
5.3MB
-
memory/1532-140-0x0000000000B00000-0x0000000001045000-memory.dmpFilesize
5.3MB