Analysis
-
max time kernel
150s
-
max time network
149s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
21-05-2022 18:24
Static task
static1
Behavioral task
behavioral1
Sample
POEA LIST OF DELISTED AGENCIES.PDF.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
POEA LIST OF DELISTED AGENCIES.PDF.exe
Resource
win10v2004-20220414-en
General
-
Target
POEA LIST OF DELISTED AGENCIES.PDF.exe
-
Size
985KB
-
MD5
42f2b26bcd9ad840f1445785726449f1
-
SHA1
d5861e7a6217dc6f1f5c2309bd617b5f0ca371dc
-
SHA256
10bd3e2c0e8caf01756c71de42d8656875a64daae61ec1b8175a84fb064c94e4
-
SHA512
b57e1cd214c91159449aac8304033aa104001fd4c53e0dae659e883cd9aa1709cf6a42b0cd175ccc1e4f432b131eeea4fe4b46ea14a73c40ad2de15c0116edb7
Malware Config
Extracted
Family
remcos
Version
2.5.1 Pro
Botnet
JULY-LOGS
C2
alhabib4rec.freeddns.org:2404
alhabib4rec.ddns.net:2404
alhabib4rec.duckdns.org:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Remcos-5YOI67
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
wikipedia;solitaire;
Signatures
-
suricata: ET MALWARE Remcos RAT Checkin 23
-
Executes dropped EXE 2 IoCs
Processes:
pid process
2224 tlpmgdweq.pif
5088 RegSvcs.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
process: POEA LIST OF DELISTED AGENCIES.PDF.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
process: tlpmgdweq.pif
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\59909268\\TLPMGD~1.PIF C:\\Users\\Admin\\AppData\\Roaming\\59909268\\nlncgw.ath"
process: tlpmgdweq.pif
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 2224 set thread context of 5088
pid: 2224
process: tlpmgdweq.pif
target process: RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
2224 tlpmgdweq.pif (64 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
5088 RegSvcs.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description: PID 2896 wrote to memory of 2224
pid: 2896
process: POEA LIST OF DELISTED AGENCIES.PDF.exe
target process: tlpmgdweq.pif
(3 identical entries)
description: PID 2224 wrote to memory of 5088
pid: 2224
process: tlpmgdweq.pif
target process: RegSvcs.exe
(5 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\POEA LIST OF DELISTED AGENCIES.PDF.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\POEA LIST OF DELISTED AGENCIES.PDF.exe"
Process tree level 1
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Command line: "C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif" nlncgw.ath
Process tree level 2
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
Process tree level 3
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
Filesize
44KB
MD5
9d352bc46709f0cb5ec974633a0c3c94
SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07
SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Roaming\59909268\nlncgw.ath
Filesize
185.0MB
MD5
914ef797d945f434361d12e0fe005782
SHA1
5caac973d566840580e960a64423c551b660becf
SHA256
74e401773c87cc279e1e55192408043e2d61e78e8cdbfa625f3b755f6ffa372b
SHA512
318a31cb84c3dc58193f4895aef2227410345993fe5d89424676e67d7cdbdcabd186736599ea922008c29cbd992e3c2b1486eded6481edfb80d070ff96022ee1
-
C:\Users\Admin\AppData\Roaming\59909268\tlpmgdweq.pif
Filesize
647KB
MD5
9fc46b6036032a8d8a89e3567a3dcec3
SHA1
42dcd68b4a35686b000a18efb4c2b2ae07d5cc94
SHA256
0e96860caa7e17fdcacac170b59189eb500761d5a80954d92e7f7b0ecb6b9534
SHA512
45c10d083b1abc6cfcb54cd5d1a5343c1f8b25ac89c3800b173634073204a94cc7bbbe52caa2c465af739a438cc0df7daf2a62defc5220b2b72e507dbae0be3d
-
C:\Users\Admin\AppData\Roaming\59909268\tnblkocel.bin
Filesize
301KB
MD5
1db5057da63cb0c1e451f2afec2993df
SHA1
104400efd20a63fd4f19816c7de44b13e8dcea64
SHA256
b8f7e2ab29a5037ea36d11387cf6260d71a23721f03275ccb863e8ca2bee9d6a
SHA512
b44d6ffdeb0063d2016840f9538d5b818cacc167cf22cffc0878ff857d251096a31155bf53c00637f3f34ab627cab54f27b23858d3ed10503df935b8e169c1dd
-
memory/2224-130-0x0000000000000000-mapping.dmp
-
memory/5088-136-0x0000000000713B74-mapping.dmp
-
memory/5088-135-0x0000000000700000-0x0000000000CD4000-memory.dmp
Filesize
5.8MB
-
memory/5088-139-0x0000000000700000-0x0000000000CD4000-memory.dmp
Filesize
5.8MB
-
memory/5088-140-0x0000000000700000-0x0000000000CD4000-memory.dmp
Filesize
5.8MB