Analysis
- max time kernel: 186s
- max time network: 190s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 13:23
Static task: static1
Behavioral task: behavioral1
- Sample: BILLING STATEMENT -AUGUST 2020.PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: BILLING STATEMENT -AUGUST 2020.PDF.exe
- Resource: win10v2004-20220414-en
General
- Target: BILLING STATEMENT -AUGUST 2020.PDF.exe
- Size: 1023KB
- MD5: 3775ac940d19237a62423250306b271d
- SHA1: 7012449e1235171eefb2cf0e5cb30146701eadd5
- SHA256: bd7123082ebc1bc656abbb0de0e4b2eac5d29d37e4497470d7e7be5a99e3fb25
- SHA512: 53e8924c89838d6b638475336b3eb1eedd01ccc27bead38cd36892886e9296df4ffea4dee69558e95cb10917edf85a7a8db6d26f478d7d24b1713764b9034907
Malware Config
Extracted
- Family: remcos
- Version: 2.5.1 Pro
- Botnet: AUGUST-BLESS-ME
- C2: officer170.webredirect.org:2404, chidera12345.ddns.net:2404
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-T7VXCL
- screenshot_crypt: false
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- suricata: ET MALWARE Remcos RAT Checkin 23
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2028 wxut.pif
  - 1080 wxut.pif
  - 1164 RegSvcs.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
  - 968 BILLING STATEMENT -AUGUST 2020.PDF.exe (4 entries)
  - 1080 wxut.pif
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (wxut.pif)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\71189588\\wxut.pif c:\\71189588\\OMBGMV~1.QSF" (wxut.pif)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (wxut.pif)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\71189588\\wxut.pif c:\\71189588\\OMBGMV~1.QSF" (wxut.pif)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  - PID 1080 set thread context of 1164: 1080 wxut.pif -> RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  - 2028 wxut.pif (6 entries)
  - 1080 wxut.pif (58 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process):
  - 1164 RegSvcs.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process):
  - PID 968 wrote to memory of 2028: 968 BILLING STATEMENT -AUGUST 2020.PDF.exe -> wxut.pif (4 entries)
  - PID 2028 wrote to memory of 1952: 2028 wxut.pif -> WScript.exe (4 entries)
  - PID 1952 wrote to memory of 1080: 1952 WScript.exe -> wxut.pif (4 entries)
  - PID 1080 wrote to memory of 1164: 1080 wxut.pif -> RegSvcs.exe (9 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\BILLING STATEMENT -AUGUST 2020.PDF.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\BILLING STATEMENT -AUGUST 2020.PDF.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\71189588\wxut.pif
      Command line: "C:\71189588\wxut.pif" ombgmvign.qsf
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\71189588\run.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\71189588\wxut.pif
            Command line: "C:\71189588\wxut.pif" ombgmvign.qsf
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
               Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\71189588\ombgmvign.qsf
  Filesize: 192.4MB
  MD5: ed381ffca3192ee6af6800537155c2e1
  SHA1: 542f736593e2e8eea38a248c014311f2e9e790d7
  SHA256: be42f42b66c7c1d0b1371c3db16408f99aabcfd97980bc4d621e834116c008a2
  SHA512: 439e3cc289283b6d3e5870f39fd585a722cf72529283fbd0b9c25c5017a4aa48f2769c74ea2bc84cf51785b7fcc45a15a6629730913272c58c093c9c132163f1
- C:\71189588\run.vbs
  Filesize: 90B
  MD5: d73acc6db3425ba8543587214a6f6c30
  SHA1: e319fe04dca21c9ff2e0d630d664e14af1b94657
  SHA256: d3db41b90687b7d8577136c030ae54d5688077bbd35de2e2ae7f8b5fc8ac2c1a
  SHA512: c58b0787eee705771fb934ceb00e19de36275ec291123e1e690b06b7a3b919e94c84b90fa4e95e80a1be67b7933fee01717f27f2194b1751aa6b03350fc022b3
- C:\71189588\tflbjoosws.bin
  Filesize: 312KB
  MD5: 264c07e27662260fb0e594d107e6f183
  SHA1: e8d5097f3b325e9bc72ad90f2d50de6bcb2a5d20
  SHA256: eb42b510e2a69f5bf1105f483aafde8d643c789c4bbedb235b64197ddb44d3b0
  SHA512: 73a789f46e5320c01094ab9025404c6cce5c0955821b9287032542d2569ec0c6ff8792f912c05ad247268391819a173ef71cd6ade66137542e1cc4a81040c66d
- C:\71189588\wxut.pif
  Filesize: 712KB
  MD5: 43e7db53ce5c130179aef5b47dcf7608
  SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/968-54-0x0000000075E51000-0x0000000075E53000-memory.dmp
  Filesize: 8KB
- memory/1080-68-0x0000000000000000-mapping.dmp
- memory/1164-72-0x0000000000390000-0x0000000000921000-memory.dmp
  Filesize: 5.6MB
- memory/1164-74-0x0000000000390000-0x0000000000921000-memory.dmp
  Filesize: 5.6MB
- memory/1164-75-0x00000000003A3B74-mapping.dmp
- memory/1164-79-0x0000000000390000-0x0000000000921000-memory.dmp
  Filesize: 5.6MB
- memory/1164-80-0x0000000000390000-0x0000000000921000-memory.dmp
  Filesize: 5.6MB
- memory/1952-64-0x0000000000000000-mapping.dmp
- memory/2028-59-0x0000000000000000-mapping.dmp