Analysis
  max time kernel: 150s
  max time network: 153s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 21-05-2022 18:24
Static task: static1
Behavioral task: behavioral1
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win10v2004-20220414-en
General
  Target: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Size: 969KB
  MD5: 6a8addc2fd26cab55567eba884e377d5
  SHA1: 2fba0e16b023e47ff5c866325c5208a2d49f9da2
  SHA256: 86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26
  SHA512: 024fc7aafc4ce64f0ddeefc0351fc0684fc9eb0a0d38f1b07152b19397da10edc5d0f99ffadb0632fc89d145ea872751ae10762f667d893fa26ed0dd223adb4a
Malware Config
Extracted
  Family: remcos
  Version: 2.5.1 Pro
  Botnet: AUGUST-BLESS-ME
  C2: officer170.webredirect.org:2404
  C2: chidera12345.ddns.net:2404
  Attributes:
    audio_folder: MicRecords
    audio_path: %AppData%
    audio_record_time: 5
    connect_delay: 0
    connect_interval: 1
    copy_file: remcos.exe
    copy_folder: remcos
    delete_file: false
    hide_file: false
    hide_keylog_file: false
    install_flag: false
    install_path: %AppData%
    keylog_crypt: false
    keylog_file: logs.dat
    keylog_flag: false
    keylog_folder: remcos
    keylog_path: %AppData%
    mouse_option: false
    mutex: Remcos-T7VXCL
    screenshot_crypt: false
    screenshot_flag: true
    screenshot_folder: Screenshots
    screenshot_path: %AppData%
    screenshot_time: 1
    startup_value: remcos
    take_screenshot_option: false
    take_screenshot_time: 5
    take_screenshot_title: wikipedia;solitaire;
Signatures
  suricata: ET MALWARE Remcos RAT Checkin 23

  Executes dropped EXE (2 IoCs)
    Processes:
      PID 1964  qmhdteswu.pif
      PID 940   RegSvcs.exe

  Loads dropped DLL (5 IoCs)
    Processes:
      PID 1580  POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
      PID 1580  POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
      PID 1580  POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
      PID 1580  POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
      PID 1964  qmhdteswu.pif

  Adds Run key to start application (2 TTPs, 2 IoCs)
    Processes (description / ioc / process):
      Key created     / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run / qmhdteswu.pif
      Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\70555416\\QMHDTE~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\70555416\\ujcr.qlu" / qmhdteswu.pif

  Suspicious use of SetThreadContext (1 IoC)
    Processes (description / pid / process / target process):
      PID 1964 set thread context of 940 / 1964 / qmhdteswu.pif / RegSvcs.exe

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  Suspicious behavior: EnumeratesProcesses (64 IoCs)
    Processes:
      PID 1964  qmhdteswu.pif  (all 64 entries are from this process)

  Suspicious use of SetWindowsHookEx (1 IoC)
    Processes:
      PID 940   RegSvcs.exe

  Suspicious use of WriteProcessMemory (13 IoCs)
    Processes (description / pid / process / target process):
      PID 1580 wrote to memory of 1964 / 1580 / POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe / qmhdteswu.pif  (4 entries)
      PID 1964 wrote to memory of 940  / 1964 / qmhdteswu.pif / RegSvcs.exe  (9 entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe  (PID 1580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif  (PID 1964, child of 1580)
      Command line: "C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif" ujcr.qlu
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe  (PID 940, child of 1964)
        Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize: 44KB
    MD5: 0e06054beb13192588e745ee63a84173
    SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
    SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
    SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
    Filesize: 712KB
    MD5: 43e7db53ce5c130179aef5b47dcf7608
    SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
    SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
    SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

  C:\Users\Admin\AppData\Roaming\70555416\ujcr.qlu
    Filesize: 153.1MB
    MD5: 55de4daf609f11745b70ccff788cf6b7
    SHA1: d3310c9191064bc293789730bd224dcc6f28b1b8
    SHA256: d4de2f550e34ad7032b387ed80a4c89ba0c135a03afe67cbc256d0c79bdd7ddd
    SHA512: dff151c5eec3468dc31a4b8ea359bd9fa3ed5e84eabd056f2702f4c193b2e556592dcd2ab67af1399074cba7290a065a10412a11e62a52b5d78fbe95831756a8

  C:\Users\Admin\AppData\Roaming\70555416\unmgj.ppt
    Filesize: 303KB
    MD5: 5f85ab2afe7c7ccf97de9233f833aa5d
    SHA1: 4118e24542d053fd15f2f0b2d0d85d02cfc16572
    SHA256: f50fa734c516bb80b7970f575e6da935b8ef378f53fbce0f03d29b27c6488cd9
    SHA512: a0405f16da41defbe38155ef5b8489cbb1a4b617621fa850f7990bea0c0af04a1dc59eb9d13951e5ef393d7c531d8b5d6a42083267cbbb532e041ca136b0d84a

  \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize: 44KB
    MD5: 0e06054beb13192588e745ee63a84173
    SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
    SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
    SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  \Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
    Filesize: 712KB
    MD5: 43e7db53ce5c130179aef5b47dcf7608
    SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
    SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
    SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
  memory/940-65-0x0000000000260000-0x00000000007B4000-memory.dmp
    Filesize: 5.3MB

  memory/940-67-0x0000000000260000-0x00000000007B4000-memory.dmp
    Filesize: 5.3MB

  memory/940-68-0x0000000000273B74-mapping.dmp

  memory/940-72-0x0000000000260000-0x00000000007B4000-memory.dmp
    Filesize: 5.3MB

  memory/940-73-0x0000000000260000-0x00000000007B4000-memory.dmp
    Filesize: 5.3MB

  memory/1580-54-0x0000000076811000-0x0000000076813000-memory.dmp
    Filesize: 8KB

  memory/1964-59-0x0000000000000000-mapping.dmp