Analysis

- max time kernel: 147s
- max time network: 66s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 03:47

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
  Resource: win10v2004-20220414-en

The platform and resource above, and the process IDs, user SID and file paths in the sections that follow, belong to the behavioral1 (Windows 7 x64) run.
General

- Target: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
- Size: 836KB
- MD5: 415bafcf36a22df02e56a9e582f39b24
- SHA1: 2cf9b2825d4e26eef6ba8fe1906d22788c55bc7f
- SHA256: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b
- SHA512: 85dc4a0107b3b975a66d299290fc504210cc2af87e363338da2c11dc8bef04a59cfe7d3101a57f34153b15bec08e0ca91abc768b309993a65023a70dd7c4d035
Malware Config

Extracted family: remcos
Version: 2.0.2 Pro
Victim (the extractor's label for the connection target, i.e. the C2 host:port): www.suchfamily.eu:5563

Connection
- connect_delay: 0
- connect_interval: 5
- mutex: BKKDNKDNODNDKNDIODNKDNK-FF5VJY

Installation and persistence
- install_flag: true
- install_path: %AppData%
- copy_folder: System32
- copy_file: winsoft.exe
- startup_value: windonw
- delete_file: false
- hide_file: false

Keylogger
- keylog_flag: false
- keylog_path: %AppData%
- keylog_folder: remcos
- keylog_file: logs.dat
- keylog_crypt: false
- hide_keylog_file: false
- mouse_option: false

Screenshots
- screenshot_flag: false
- screenshot_path: %AppData%
- screenshot_folder: Screenshots
- screenshot_time: 10
- screenshot_crypt: false
- take_screenshot_option: true
- take_screenshot_time: 5
- take_screenshot_title: Wire Transfer;Payment Slips;Bank Login;Bitcoins;Shares

Audio
- audio_path: %AppData%
- audio_folder: audio
- audio_record_time: 5

Read together, install_path, copy_folder, copy_file and startup_value say the implant copies itself to %AppData%\System32\winsoft.exe and registers that path under the Run value "windonw", which is exactly what the registry IoCs below record; the folder name mimics a Windows system directory but sits inside the user's roaming profile. Periodic screenshots (screenshot_flag) and the file-based keylogger (keylog_flag) are off, but take_screenshot_option is on with a keyword list aimed at banking and cryptocurrency windows, so a screenshot is taken when a window title matches one of those terms.
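The following Python is an added example for this report, not the sandbox's or Remcos's own code. It parses a config dump in the flattened key/value shape shown above (the text is copied from this report), derives the network and host artifacts an analyst would hunt for, and models the take_screenshot_title trigger. Two assumptions: %AppData% expands to C:\Users\<user>\AppData\Roaming, and the keywords are matched as case-insensitive substrings of the foreground window title.

```python
"""Turn a Remcos config dump into hunting artifacts.

Added example for this report; not the sandbox's or Remcos's own code.
The config text is copied from the report. Assumptions: %AppData% expands to
C:\\Users\\<user>\\AppData\\Roaming, and take_screenshot_title keywords are
matched as case-insensitive substrings of the foreground window title.
"""
import ntpath
from typing import Dict, List, Union

Value = Union[str, bool, int]

# The "Malware Config" section in the report's flattened key/value layout
# (a subset of the keys; the parser handles the full list the same way).
CONFIG_DUMP = """
Victim
www.suchfamily.eu:5563
copy_file
winsoft.exe
copy_folder
System32
install_flag
true
install_path
%AppData%
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mutex
BKKDNKDNODNDKNDIODNKDNK-FF5VJY
startup_value
windonw
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Wire Transfer;Payment Slips;Bank Login;Bitcoins;Shares
"""


def parse_config(dump: str) -> Dict[str, Value]:
    """Pair key/value lines, dropping the '-' separators, and type the values."""
    lines = [ln.strip() for ln in dump.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 2:
        raise ValueError("key without a value in config dump")
    cfg: Dict[str, Value] = {}
    for key, raw in zip(lines[0::2], lines[1::2]):
        if raw.lower() in ("true", "false"):
            cfg[key] = raw.lower() == "true"
        elif raw.isdigit():
            cfg[key] = int(raw)
        else:
            cfg[key] = raw
    return cfg


def expand_appdata(path: str, user: str) -> str:
    """Assumed expansion: %AppData% is the user's roaming profile directory."""
    roaming = ntpath.join("C:\\Users", user, "AppData", "Roaming")
    return path.replace("%AppData%", roaming)


def hunting_artifacts(cfg: Dict[str, Value], user: str = "Admin") -> Dict[str, str]:
    """Network and host artifacts implied by the config."""
    host, _, port = str(cfg["Victim"]).rpartition(":")
    out = {"c2_host": host, "c2_port": port, "mutex": str(cfg["mutex"])}
    if cfg.get("install_flag"):
        base = expand_appdata(str(cfg["install_path"]), user)
        out["install_path"] = ntpath.join(base, str(cfg["copy_folder"]), str(cfg["copy_file"]))
        out["run_key"] = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
        out["run_value_name"] = str(cfg["startup_value"])
    if cfg.get("keylog_flag"):  # the file-based keylogger is off in this sample
        base = expand_appdata(str(cfg["keylog_path"]), user)
        out["keylog_file"] = ntpath.join(base, str(cfg["keylog_folder"]), str(cfg["keylog_file"]))
    return out


def screenshot_trigger(cfg: Dict[str, Value], window_title: str) -> List[str]:
    """Keywords from take_screenshot_title present in window_title; empty means no capture."""
    if not cfg.get("take_screenshot_option"):
        return []
    keywords = [k.strip() for k in str(cfg["take_screenshot_title"]).split(";") if k.strip()]
    return [k for k in keywords if k.lower() in window_title.lower()]


if __name__ == "__main__":
    cfg = parse_config(CONFIG_DUMP)
    for key, val in hunting_artifacts(cfg).items():
        print(f"{key:15} {val}")
    for title in ("Wire Transfer - Online Banking", "Untitled - Notepad"):
        print(f"{title!r} -> {screenshot_trigger(cfg, title)}")
```

The artifacts come out as the C2 host and port, the mutex, the expected on-disk path C:\Users\Admin\AppData\Roaming\System32\winsoft.exe and the Run value name, with the keylog path omitted because keylog_flag is false; a title containing "Wire Transfer" triggers a capture, a plain Notepad title does not.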
Signatures

Executes dropped EXE (2 IoCs)
  pid   process
  268   winsoft.exe
  580   winsoft.exe
Loads dropped DLL (2 IoCs)
  pid   process
  320   cmd.exe
  320   cmd.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\                                   winsoft.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\windonw = "C:\Users\Admin\AppData\Roaming\System32\winsoft.exe"   winsoft.exe
  Key created      \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\                                   3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\windonw = "C:\Users\Admin\AppData\Roaming\System32\winsoft.exe"   3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe

The value data is shown unescaped; the report stores it JSON-escaped as "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\winsoft.exe\"". The key is the per-user Run key (HKCU; S-1-5-21-...-1000 is the sandbox's Admin account), so this persistence needs no elevation. The value name "windonw" and the folder named System32 inside the roaming profile are the startup_value and install_path/copy_folder settings from the extracted config, and the value is written twice: once by the sample itself and once by the dropped copy.
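An added detection example, not from the report or the sandbox: the Run-value pattern above, a value whose data points to an executable under the user's profile in a folder named after a Windows system directory, generalised into a check over registry Set-value events. The first event line is the report's own IoC; the two benign lines are constructed in the same shape. The SYSTEM_DIR_NAMES list and the "two reasons means suspicious" threshold are assumptions.

```python
"""Flag autorun values that point at an executable inside a user profile
directory dressed up as a Windows system folder.

Added detection example; not from the report or the sandbox. The first event
line is the report's own Set-value IoC, the other two are constructed benign
lines in the same shape. SYSTEM_DIR_NAMES and the "two reasons = suspicious"
threshold are assumptions.
"""
import re
from typing import Dict, List, Optional

EVENTS = [
    # report IoC: Remcos registering its %AppData%\System32 copy, written by that copy itself
    r'Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\windonw = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\winsoft.exe\"" winsoft.exe',
    # constructed: a per-user autorun under AppData that is normal for the product
    r'Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" explorer.exe',
    # constructed: machine-wide autorun of a real system binary
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "%windir%\\system32\\SecurityHealthSystray.exe" explorer.exe',
]

SYSTEM_DIR_NAMES = {"system32", "syswow64", "windows", "winsxs", "microsoft.net"}
AUTORUN = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\([^ ]+) = (.*) (\S+)$", re.IGNORECASE)


def unescape(data: str) -> str:
    """Undo the JSON-style escaping the report applies to value data."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    return re.sub(r"\\(.)", r"\1", data)


def executable_from_command(cmd: str) -> str:
    """First token of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def assess(event: str) -> Optional[Dict[str, object]]:
    """None for events that are not autorun Set-value lines; otherwise a verdict."""
    m = AUTORUN.search(event)
    if not m:
        return None
    value_name, raw_data, writer = m.groups()
    target = executable_from_command(unescape(raw_data))
    parts = target.lower().split("\\")
    reasons: List[str] = []
    in_profile = "users" in parts and "appdata" in parts
    if in_profile:
        reasons.append("autorun target under user AppData")
    if in_profile and any(p in SYSTEM_DIR_NAMES for p in parts[:-1]):
        reasons.append("profile directory named like a Windows system folder")
    if writer.lower() == parts[-1]:
        reasons.append("value written by the target executable itself")
    return {
        "value": value_name,
        "target": target,
        "writer": writer,
        "reasons": reasons,
        "suspicious": len(reasons) >= 2,
    }


if __name__ == "__main__":
    for ev in EVENTS:
        print(assess(ev))
```

"Key created" lines carry no value data and are ignored. The Remcos line scores all three reasons; the constructed OneDrive line scores only "under user AppData", which is why a single reason is not enough on its own, and the HKLM system-binary line scores none.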
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (The second sentence is the sandbox's generic text for this signature. The extracted config identifies the sample as Remcos, a RAT with a remote file manager; drive enumeration on its own is not evidence of ransomware.)
Suspicious use of SetWindowsHookEx (3 IoCs)
  pid    process
  2036   3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
  268    winsoft.exe
  580    winsoft.exe

SetWindowsHookEx is the API behind user-mode keyboard and mouse hooks. The initial sample and both winsoft.exe instances install a hook even though the config's keylog_flag (the file-based keylogger writing logs.dat) is false, so keylogging capability should not be ruled out on the strength of that flag alone.
Suspicious use of WriteProcessMemory (46 IoCs)
  writer pid   writer process                                                          target pid   target process                                                          events
  2036         3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe   1880         3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe   17
  1880         3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe   1704         WScript.exe                                                             4
  1704         WScript.exe                                                             320          cmd.exe                                                                 4
  320          cmd.exe                                                                 268          winsoft.exe                                                             4
  268          winsoft.exe                                                             580          winsoft.exe                                                             17

The report lists each event on its own row (17 + 4 + 4 + 4 + 17 = 46); the table above collapses them by writer/target pair. The four-event pairs are a parent writing into a child it has just created. The two seventeen-event bursts both go from a process into a freshly started copy of its own image (the sample into a second instance of the sample, winsoft.exe into a second winsoft.exe), the pattern of process hollowing or self-injection, and the targets 1880 and 580 are exactly the PIDs whose 0x00400000-0x0041E000 region is dumped below.
Processes

1  C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe  (PID 2036)
   "C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe  (PID 1880)
      "C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\WScript.exe  (PID 1704)
         "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
         - Suspicious use of WriteProcessMemory
         4  C:\Windows\SysWOW64\cmd.exe  (PID 320)
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\winsoft.exe"
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            5  C:\Users\Admin\AppData\Roaming\System32\winsoft.exe  (PID 268)
               C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               6  C:\Users\Admin\AppData\Roaming\System32\winsoft.exe  (PID 580)
                  C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious use of SetWindowsHookEx

Each entry gives the image path, then the command line as recorded, then the signatures hit; the leading number is the report's own depth marker and the PIDs are taken from the signature tables above. Two things worth reading off the tree. First, the image paths at levels 3 and 4 are under SysWOW64 while the command lines name System32: that is WOW64 file system redirection for a 32-bit caller, not path spoofing, and it tells you the sample is a 32-bit binary. Second, the install chain is sample, second copy of the sample, install.vbs under WScript, cmd /c, winsoft.exe, second copy of winsoft.exe, with the same relaunch-and-write-into-self step at both ends.
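An added triage example, not the sandbox's own logic: rebuild the ancestry from pid/ppid records and score the patterns this tree shows, namely a parent writing heavily into a child that runs the same image, a script host spawning a shell that starts an executable from the user profile, an executable living in a profile folder named System32, and the System32-to-SysWOW64 redirection, which is reported as a note rather than an alert. PROCS and WRITES are built from the report's Processes list and WriteProcessMemory table; SCRIPT_HOSTS, SHELLS and BASELINE_CREATE_WRITES are assumptions.

```python
"""Triage a sandbox process tree: rebuild ancestry and flag the patterns this
report shows.

Added example; not the sandbox's own logic. PROCS and WRITES are built from the
report's Processes list and WriteProcessMemory table. SCRIPT_HOSTS, SHELLS and
BASELINE_CREATE_WRITES are assumptions.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str    # on-disk path of the executed image
    cmdline: str  # command line as recorded


SAMPLE = "3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROP = r"C:\Users\Admin\AppData\Roaming\System32"
SAMPLE_PATH = ntpath.join(TEMP, SAMPLE)
DROP_PATH = ntpath.join(DROP, "winsoft.exe")

PROCS = [
    Proc(2036, 0, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(1880, 2036, SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    Proc(1704, 1880, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'),
    Proc(320, 1704, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\winsoft.exe"'),
    Proc(268, 320, DROP_PATH, DROP_PATH),
    Proc(580, 268, DROP_PATH, DROP_PATH),
]
# (writer pid, target pid) -> WriteProcessMemory events, from the report's table
WRITES: Dict[Tuple[int, int], int] = {
    (2036, 1880): 17, (1880, 1704): 4, (1704, 320): 4, (320, 268): 4, (268, 580): 17,
}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe"}
BASELINE_CREATE_WRITES = 4  # writes a parent makes into a child just to start it (assumed)


def basename(p: Proc) -> str:
    return ntpath.basename(p.image).lower()


def chain(procs: List[Proc], pid: int) -> List[Proc]:
    """Ancestry from the root process down to pid."""
    by_pid = {p.pid: p for p in procs}
    out: List[Proc] = []
    while pid in by_pid:
        out.append(by_pid[pid])
        pid = by_pid[pid].ppid
    out.reverse()
    return out


def first_token(cmdline: str) -> str:
    """Program path from a command line, honouring quotes."""
    if cmdline.startswith('"'):
        return cmdline.split('"')[1]
    return cmdline.split(" ", 1)[0]


def findings(procs: List[Proc], writes: Dict[Tuple[int, int], int]) -> Dict[int, List[str]]:
    by_pid = {p.pid: p for p in procs}
    out: Dict[int, List[str]] = defaultdict(list)
    for p in procs:
        parent = by_pid.get(p.ppid)
        n_writes = writes.get((p.ppid, p.pid), 0)
        # 1. same image relaunched as a child and written into far beyond creation:
        #    the shape of process hollowing / self-injection
        if parent and parent.image.lower() == p.image.lower() and n_writes > BASELINE_CREATE_WRITES:
            out[p.pid].append(f"self-injection candidate: {n_writes} writes from parent {parent.pid} running the same image")
        # 2. script host -> shell -> executable started from a user profile
        names = [basename(q) for q in chain(procs, p.pid)]
        if len(names) >= 3 and names[-3] in SCRIPT_HOSTS and names[-2] in SHELLS and "\\appdata\\" in p.image.lower():
            out[p.pid].append("script host -> shell -> executable from user profile")
        # 3. a profile folder named after a Windows system directory
        parts = p.image.lower().split("\\")
        if "appdata" in parts and "system32" in parts[:-1]:
            out[p.pid].append("runs from a profile folder named System32")
        # 4. command line says System32, image is in SysWOW64: WOW64 redirection for a
        #    32-bit caller, an explanation rather than an alert
        asked = first_token(p.cmdline).lower()
        if asked != p.image.lower() and asked.replace("\\system32\\", "\\syswow64\\") == p.image.lower():
            out[p.pid].append("note: System32 in command line resolved to SysWOW64 (32-bit caller, file system redirection)")
    return dict(out)


if __name__ == "__main__":
    for pid, notes in findings(PROCS, WRITES).items():
        for note in notes:
            print(pid, note)
```

Run against this tree, PIDs 1880 and 580 come out as self-injection candidates, 268 as the script-host chain landing in the fake System32 folder, 1704 and 320 carry only the WOW64 note, and the initial process 2036 has no finding of its own, which is why the child of a sample, not the sample itself, is usually the process to dump.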
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (dropped files)

- C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 424B
  MD5: 5643fb2a18890c974d7c6e5a15d5fcd5
  SHA1: c2bc62799a01aed6c5ac18f8ec03a3c57ebb7486
  SHA256: 39fa039816b2557dd53ddfd64f53794ea53c48888c738da4d7eaf8f6b99c6240
  SHA512: 1d699c95f4d323f4455056cb84eabcda5216721a0ac512275926e424aa1cebcb920f234aba0e1c8f7735ded9d42a129f91b7c86632af762b7532adaaed5c5fb5

- C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
  (the report lists this file five times, three times under C:\Users\... and twice as \Users\... without the drive letter; all five entries carry the same size and hashes)
  Filesize: 836KB
  MD5: 415bafcf36a22df02e56a9e582f39b24
  SHA1: 2cf9b2825d4e26eef6ba8fe1906d22788c55bc7f
  SHA256: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b
  SHA512: 85dc4a0107b3b975a66d299290fc504210cc2af87e363338da2c11dc8bef04a59cfe7d3101a57f34153b15bec08e0ca91abc768b309993a65023a70dd7c4d035

winsoft.exe has the same size and hashes as the submitted sample, so it is a byte-for-byte copy: any hash- or signature-based detection of the sample also matches the persisted copy. install.vbs is the only other file the report records being dropped.
Memory dumps

- memory/2036-56-0x00000000002F0000-0x00000000002F6000-memory.dmp  24KB
- memory/2036-57-0x0000000075C01000-0x0000000075C03000-memory.dmp  8KB
- memory/2036-59-0x00000000002F0000-0x00000000002F6000-memory.dmp  24KB
- memory/1880-58-0x0000000000000000-mapping.dmp
- memory/1880-60-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
- memory/1880-62-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
- memory/1880-63-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
- memory/1880-65-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
- memory/1704-64-0x0000000000000000-mapping.dmp
- memory/320-68-0x0000000000000000-mapping.dmp
- memory/268-72-0x0000000000000000-mapping.dmp
- memory/580-77-0x0000000000000000-mapping.dmp
- memory/580-81-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
- memory/580-82-0x0000000000400000-0x000000000041E000-memory.dmp  120KB
- memory/580-83-0x0000000000400000-0x000000000041E000-memory.dmp  120KB

File names encode pid, sequence number and address range; the mapping.dmp entries carry no range or size. The 120KB image at 0x00400000-0x0041E000 is dumped only from PIDs 1880 and 580, the two processes on the receiving end of the seventeen-write bursts, and it is far smaller than the 836KB file on disk. That is consistent with an injected payload, and those dumps are the natural place to start when pulling the unpacked Remcos binary the config above was extracted from.