Analysis
  max time kernel:   151s
  max time network:  156s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  submitted:         20-05-2022 13:23

Tasks
  Static task static1
  Behavioral task behavioral1
    Sample:   BILLING STATEMENT -AUGUST 2020.PDF.exe
    Resource: win7-20220414-en
  Behavioral task behavioral2
    Sample:   BILLING STATEMENT -AUGUST 2020.PDF.exe
    Resource: win10v2004-20220414-en
General
  Target: BILLING STATEMENT -AUGUST 2020.PDF.exe
  Size:   1023KB
  MD5:    3775ac940d19237a62423250306b271d
  SHA1:   7012449e1235171eefb2cf0e5cb30146701eadd5
  SHA256: bd7123082ebc1bc656abbb0de0e4b2eac5d29d37e4497470d7e7be5a99e3fb25
  SHA512: 53e8924c89838d6b638475336b3eb1eedd01ccc27bead38cd36892886e9296df4ffea4dee69558e95cb10917edf85a7a8db6d26f478d7d24b1713764b9034907
Malware Config
Extracted
  Family:  remcos
  Version: 2.5.1 Pro
  Botnet:  AUGUST-BLESS-ME
  C2:      officer170.webredirect.org:2404
           chidera12345.ddns.net:2404

  audio_folder:           MicRecords
  audio_path:             %AppData%
  audio_record_time:      5
  connect_delay:          0
  connect_interval:       1
  copy_file:              remcos.exe
  copy_folder:            remcos
  delete_file:            false
  hide_file:              false
  hide_keylog_file:       false
  install_flag:           false
  install_path:           %AppData%
  keylog_crypt:           false
  keylog_file:            logs.dat
  keylog_flag:            false
  keylog_folder:          remcos
  keylog_path:            %AppData%
  mouse_option:           false
  mutex:                  Remcos-T7VXCL
  screenshot_crypt:       false
  screenshot_flag:        true
  screenshot_folder:      Screenshots
  screenshot_path:        %AppData%
  screenshot_time:        1
  startup_value:          remcos
  take_screenshot_option: false
  take_screenshot_time:   5
  take_screenshot_title:  wikipedia;solitaire;
Signatures

suricata: ET MALWARE Remcos RAT Checkin 23

Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3228  wxut.pif
    4308  wxut.pif
    2068  RegSvcs.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                              process
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  BILLING STATEMENT -AUGUST 2020.PDF.exe
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  wxut.pif
    Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  WScript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes:
    description      ioc                                                                                                                                                    process
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                           wxut.pif
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\71189588\\wxut.pif c:\\71189588\\OMBGMV~1.QSF"  wxut.pif
    Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                                                           wxut.pif
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "c:\\71189588\\wxut.pif c:\\71189588\\OMBGMV~1.QSF"  wxut.pif

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                           pid   process   target process
    PID 4308 set thread context of 2068   4308  wxut.pif  RegSvcs.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
  Processes:
    description  ioc                                                                              process
    Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings  wxut.pif

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process
    3228  wxut.pif    (12 entries)
    4308  wxut.pif    (52 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2068  RegSvcs.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                      pid   process                                 target process
    PID 1564 wrote to memory of 3228 1564  BILLING STATEMENT -AUGUST 2020.PDF.exe  wxut.pif      (3 entries)
    PID 3228 wrote to memory of 2272 3228  wxut.pif                                WScript.exe   (3 entries)
    PID 2272 wrote to memory of 4308 2272  WScript.exe                             wxut.pif      (3 entries)
    PID 4308 wrote to memory of 2068 4308  wxut.pif                                RegSvcs.exe   (5 entries)
Processes (tree; PIDs taken from the WriteProcessMemory signature above)

C:\Users\Admin\AppData\Local\Temp\BILLING STATEMENT -AUGUST 2020.PDF.exe  (PID 1564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BILLING STATEMENT -AUGUST 2020.PDF.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\71189588\wxut.pif  (PID 3228)
    Command line: "C:\71189588\wxut.pif" ombgmvign.qsf
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe  (PID 2272)
      Command line: "C:\Windows\System32\WScript.exe" "C:\71189588\run.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      C:\71189588\wxut.pif  (PID 4308)
        Command line: "C:\71189588\wxut.pif" ombgmvign.qsf
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe  (PID 2068)
          Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\71189588\ombgmvign.qsf
  Filesize: 192.4MB
  MD5:      ed381ffca3192ee6af6800537155c2e1
  SHA1:     542f736593e2e8eea38a248c014311f2e9e790d7
  SHA256:   be42f42b66c7c1d0b1371c3db16408f99aabcfd97980bc4d621e834116c008a2
  SHA512:   439e3cc289283b6d3e5870f39fd585a722cf72529283fbd0b9c25c5017a4aa48f2769c74ea2bc84cf51785b7fcc45a15a6629730913272c58c093c9c132163f1

C:\71189588\run.vbs
  Filesize: 90B
  MD5:      d73acc6db3425ba8543587214a6f6c30
  SHA1:     e319fe04dca21c9ff2e0d630d664e14af1b94657
  SHA256:   d3db41b90687b7d8577136c030ae54d5688077bbd35de2e2ae7f8b5fc8ac2c1a
  SHA512:   c58b0787eee705771fb934ceb00e19de36275ec291123e1e690b06b7a3b919e94c84b90fa4e95e80a1be67b7933fee01717f27f2194b1751aa6b03350fc022b3

C:\71189588\tflbjoosws.bin
  Filesize: 312KB
  MD5:      264c07e27662260fb0e594d107e6f183
  SHA1:     e8d5097f3b325e9bc72ad90f2d50de6bcb2a5d20
  SHA256:   eb42b510e2a69f5bf1105f483aafde8d643c789c4bbedb235b64197ddb44d3b0
  SHA512:   73a789f46e5320c01094ab9025404c6cce5c0955821b9287032542d2569ec0c6ff8792f912c05ad247268391819a173ef71cd6ade66137542e1cc4a81040c66d

C:\71189588\wxut.pif  (listed three times in the original report, identical hashes each time)
  Filesize: 712KB
  MD5:      43e7db53ce5c130179aef5b47dcf7608
  SHA1:     5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256:   9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512:   a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5:      9d352bc46709f0cb5ec974633a0c3c94
  SHA1:     1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256:   2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512:   13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Memory dumps
  memory/2068-140-0x0000000000613B74-mapping.dmp
  memory/2068-139-0x0000000000600000-0x0000000000B68000-memory.dmp  Filesize: 5.4MB
  memory/2068-143-0x0000000000600000-0x0000000000B68000-memory.dmp  Filesize: 5.4MB
  memory/2068-144-0x0000000000600000-0x0000000000B68000-memory.dmp  Filesize: 5.4MB
  memory/2272-135-0x0000000000000000-mapping.dmp
  memory/3228-130-0x0000000000000000-mapping.dmp
  memory/4308-137-0x0000000000000000-mapping.dmp