General
Target

POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe

Filesize

969KB

Completed

21-05-2022 18:26

Task

behavioral2

Score
10/10
MD5

6a8addc2fd26cab55567eba884e377d5

SHA1

2fba0e16b023e47ff5c866325c5208a2d49f9da2

SHA256

86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26

SHA512

024fc7aafc4ce64f0ddeefc0351fc0684fc9eb0a0d38f1b07152b19397da10edc5d0f99ffadb0632fc89d145ea872751ae10762f667d893fa26ed0dd223adb4a

Malware Config

Extracted

Family

remcos

Version

2.5.1 Pro

Botnet

AUGUST-BLESS-ME

C2

officer170.webredirect.org:2404

chidera12345.ddns.net:2404

Attributes
audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-T7VXCL
screenshot_crypt
false
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;
Signatures (10)

Filter: none

Defense Evasion
Discovery
Persistence
  • Remcos

    Description

    Remcos is a closed-source remote control and surveillance software.

    Tags

  • suricata: ET MALWARE Remcos RAT Checkin 23

    Description

    suricata: ET MALWARE Remcos RAT Checkin 23

    Tags

  • Executes dropped EXE
    qmhdteswu.pif, RegSvcs.exe

    Reported IOCs

    PID   Process
    4360  qmhdteswu.pif
    1904  RegSvcs.exe
  • Checks computer location settings
    POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
  • Adds Run key to start application
    qmhdteswu.pif

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    Description | IOC | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\70555416\\QMHDTE~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\70555416\\ujcr.qlu" | qmhdteswu.pif
    Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | qmhdteswu.pif
  • Suspicious use of SetThreadContext
    qmhdteswu.pif

    Reported IOCs

    Description | PID | Process | Target process
    PID 4360 set thread context of 1904 | 4360 | qmhdteswu.pif | RegSvcs.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Suspicious behavior: EnumeratesProcesses
    qmhdteswu.pif

    Reported IOCs

    PID   Process
    4360  qmhdteswu.pif   (identical row reported 64 times)
  • Suspicious use of SetWindowsHookEx
    RegSvcs.exe

    Reported IOCs

    PID   Process
    1904  RegSvcs.exe
  • Suspicious use of WriteProcessMemory
    POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe, qmhdteswu.pif

    Reported IOCs

    Description | PID | Process | Target process
    PID 64 wrote to memory of 4360 | 64 | POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe | qmhdteswu.pif   (identical row reported 3 times)
    PID 4360 wrote to memory of 1904 | 4360 | qmhdteswu.pif | RegSvcs.exe   (identical row reported 5 times)
Processes (3)
  • C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:64
    • C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
      "C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif" ujcr.qlu
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        PID:1904
Network

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    MD5     9d352bc46709f0cb5ec974633a0c3c94
    SHA1    1969771b2f022f9a86d77ac4d4d239becdf08d07
    SHA256  2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
    SHA512  13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

  • C:\Users\Admin\AppData\Roaming\70555416\qmhdteswu.pif
    MD5     43e7db53ce5c130179aef5b47dcf7608
    SHA1    5398e207d9ad301860b570d87601c1664ada9c0a
    SHA256  9c04aab5734e2e0eea44af2584333ecc093b27ef36a586fb8873b5d4cadcd7f1
    SHA512  a79f8094152f4f0cb5f0763bc4cdfdc9061af322dfee1bac043de0ac7581f2a7b35841924fe224ecc73b6bda1fba6811045e513d45e8f3598ca6ec313b7103f4

  • C:\Users\Admin\AppData\Roaming\70555416\ujcr.qlu
    MD5     55de4daf609f11745b70ccff788cf6b7
    SHA1    d3310c9191064bc293789730bd224dcc6f28b1b8
    SHA256  d4de2f550e34ad7032b387ed80a4c89ba0c135a03afe67cbc256d0c79bdd7ddd
    SHA512  dff151c5eec3468dc31a4b8ea359bd9fa3ed5e84eabd056f2702f4c193b2e556592dcd2ab67af1399074cba7290a065a10412a11e62a52b5d78fbe95831756a8

  • C:\Users\Admin\AppData\Roaming\70555416\unmgj.ppt
    MD5     5f85ab2afe7c7ccf97de9233f833aa5d
    SHA1    4118e24542d053fd15f2f0b2d0d85d02cfc16572
    SHA256  f50fa734c516bb80b7970f575e6da935b8ef378f53fbce0f03d29b27c6488cd9
    SHA512  a0405f16da41defbe38155ef5b8489cbb1a4b617621fa850f7990bea0c0af04a1dc59eb9d13951e5ef393d7c531d8b5d6a42083267cbbb532e041ca136b0d84a

  • memory/1904-136-0x0000000000913B74-mapping.dmp
  • memory/1904-135-0x0000000000900000-0x0000000000F99000-memory.dmp
  • memory/1904-139-0x0000000000900000-0x0000000000F99000-memory.dmp
  • memory/1904-140-0x0000000000900000-0x0000000000F99000-memory.dmp
  • memory/4360-130-0x0000000000000000-mapping.dmp