Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 18:24

Static task: static1
Behavioral task: behavioral1
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Resource: win10v2004-20220414-en
General
- Target: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
- Size: 969KB
- MD5: 6a8addc2fd26cab55567eba884e377d5
- SHA1: 2fba0e16b023e47ff5c866325c5208a2d49f9da2
- SHA256: 86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26
- SHA512: 024fc7aafc4ce64f0ddeefc0351fc0684fc9eb0a0d38f1b07152b19397da10edc5d0f99ffadb0632fc89d145ea872751ae10762f667d893fa26ed0dd223adb4a
Malware Config
Extracted
- Family: remcos
- Version: 2.5.1 Pro
- Botnet: AUGUST-BLESS-ME
- C2: officer170.webredirect.org:2404
- C2: chidera12345.ddns.net:2404
Attributes
- audio_folder: MicRecords
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-T7VXCL
- screenshot_crypt: false
- screenshot_flag: true
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title: wikipedia;solitaire;
Signatures
- suricata: ET MALWARE Remcos RAT Checkin 23
- Executes dropped EXE (2 IoCs)
  Processes: qmhdteswu.pif, RegSvcs.exe
    pid 4360  qmhdteswu.pif
    pid 1904  RegSvcs.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (process: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: qmhdteswu.pif
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\70555416\\QMHDTE~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\70555416\\ujcr.qlu" (process: qmhdteswu.pif)
    Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: qmhdteswu.pif)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: qmhdteswu.pif
    PID 4360 (qmhdteswu.pif) set thread context of PID 1904 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: qmhdteswu.pif
    pid 4360  qmhdteswu.pif (64 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: RegSvcs.exe
    pid 1904  RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe, qmhdteswu.pif
    PID 64 (POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe) wrote to memory of PID 4360 (qmhdteswu.pif) (3 entries)
    PID 4360 (qmhdteswu.pif) wrote to memory of PID 1904 (RegSvcs.exe) (5 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
    Command line: "C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif" ujcr.qlu
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
  Filesize: 44KB
  MD5: 9d352bc46709f0cb5ec974633a0c3c94
  SHA1: 1969771b2f022f9a86d77ac4d4d239becdf08d07
  SHA256: 2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
  SHA512: 13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
- C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
  Filesize: 712KB
  MD5: 43e7db53ce5c130179aef5b47dcf7608
  SHA1: 5398e207d9ad301860b570d87601c1664ada9c0a
  SHA256: 9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
  SHA512: a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4
- C:\Users\Admin\AppData\Roaming\70555416\ujcr.qlu
  Filesize: 153MB
  MD5: 55de4daf609f11745b70ccff788cf6b7
  SHA1: d3310c9191064bc293789730bd224dcc6f28b1b8
  SHA256: d4de2f550e34ad7032b387ed80a4c89ba0c135a03afe67cbc256d0c79bdd7ddd
  SHA512: dff151c5eec3468dc31a4b8ea359bd9fa3ed5e84eabd056f2702f4c193b2e556592dcd2ab67af1399074cba7290a065a10412a11e62a52b5d78fbe95831756a8
- C:\Users\Admin\AppData\Roaming\70555416\unmgj.ppt
  Filesize: 303KB
  MD5: 5f85ab2afe7c7ccf97de9233f833aa5d
  SHA1: 4118e24542d053fd15f2f0b2d0d85d02cfc16572
  SHA256: f50fa734c516bb80b7970f575e6da935b8ef378f53fbce0f03d29b27c6488cd9
  SHA512: a0405f16da41defbe38155ef5b8489cbb1a4b617621fa850f7990bea0c0af04a1dc59eb9d13951e5ef393d7c531d8b5d6a42083267cbbb532e041ca136b0d84a
- memory/1904-135-0x0000000000900000-0x0000000000F99000-memory.dmp
  Filesize: 6MB
- memory/1904-136-0x0000000000913B74-mapping.dmp
- memory/1904-139-0x0000000000900000-0x0000000000F99000-memory.dmp
  Filesize: 6MB
- memory/1904-140-0x0000000000900000-0x0000000000F99000-memory.dmp
  Filesize: 6MB
- memory/4360-130-0x0000000000000000-mapping.dmp