Analysis

max time kernel: 135s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 21:03
Static task: static1
Behavioral task: behavioral1
Sample: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
Resource: win7-20220414-en
General

Target: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
Size: 448KB
MD5: 4b1ae298f40f00471728ac6ce32d601d
SHA1: fc0dc529ace67350a5f94f231ee988d6af9f0539
SHA256: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d
SHA512: 42fad8dd08370b697dfde1eb6534876d2b18fd5ff5ce28f33d14a465a456430f99bb989682539ee62584e839e73a0a3a3be81ee479b5d3a82054d08f526960f6
Malware Config

Extracted
remcos
2.5.1 Pro
BUSINESS
anotherlevel.ddns.net:7213

audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-L9741X
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
Processes: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
description | pid | process | target process
PID 2196 set thread context of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
220 | 5072 | WerFault.exe | vbc.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
pid | process
2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
description | pid | process
Token: SeDebugPrivilege | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe

Suspicious use of WriteProcessMemory (16 IoCs)
Processes: 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
description | pid | process | target process
PID 2196 wrote to memory of 5112 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | schtasks.exe
PID 2196 wrote to memory of 5112 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | schtasks.exe
PID 2196 wrote to memory of 5112 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | schtasks.exe
PID 2196 wrote to memory of 4524 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 4524 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 4524 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
PID 2196 wrote to memory of 5072 | 2196 | 31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe | vbc.exe
Processes

C:\Users\Admin\AppData\Local\Temp\31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\31661e8e9ab89af4cac4a30a0fe3f8b896e5a4140eb0fb4003cf22521a25010d.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DOGdvdFzLjUsb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "{path}"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    command line: "{path}"

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 500
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5072 -ip 5072
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5DFE.tmp
  Filesize: 1KB
  MD5: bc2bd91093559e822433a1f7c9b721d5
  SHA1: 127886d013095d9692749a4c0453b2ef7fcd44ad
  SHA256: 7292374fdaaebb94364d3b986a0cba455d4a1c3c0c0e6fd8607791d17cc96564
  SHA512: 0ba47d4bd0e1161bd8e30df41d3102f5f81df375fa385d152aefd297f2fecbd1193d7b53c53689da70f1656b4542d29b4dd978e83d817d0afe7ced6f0535aebe

memory/2196-130-0x0000000000AB0000-0x0000000000B26000-memory.dmp
  Filesize: 472KB

memory/2196-131-0x0000000005AA0000-0x0000000006044000-memory.dmp
  Filesize: 5.6MB

memory/2196-132-0x00000000054F0000-0x0000000005582000-memory.dmp
  Filesize: 584KB

memory/2196-133-0x00000000054D0000-0x00000000054DA000-memory.dmp
  Filesize: 40KB

memory/2196-134-0x0000000007EA0000-0x0000000007F3C000-memory.dmp
  Filesize: 624KB

memory/4524-137-0x0000000000000000-mapping.dmp

memory/5072-138-0x0000000000000000-mapping.dmp

memory/5072-139-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/5072-141-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/5072-143-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB

memory/5112-135-0x0000000000000000-mapping.dmp