Analysis
- max time kernel: 175s
- max time network: 203s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 03:47

Static task: static1

Behavioral task: behavioral1
- Sample: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
- Resource: win10v2004-20220414-en
General
- Target: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
- Size: 836KB
- MD5: 415bafcf36a22df02e56a9e582f39b24
- SHA1: 2cf9b2825d4e26eef6ba8fe1906d22788c55bc7f
- SHA256: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b
- SHA512: 85dc4a0107b3b975a66d299290fc504210cc2af87e363338da2c11dc8bef04a59cfe7d3101a57f34153b15bec08e0ca91abc768b309993a65023a70dd7c4d035
Malware Config

Extracted: remcos
Version: 2.0.2 Pro
Victim (C2 host:port): www.suchfamily.eu:5563

- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: winsoft.exe
- copy_folder: System32
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: BKKDNKDNODNDKNDIODNKDNK-FF5VJY
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: windonw
- take_screenshot_option: true
- take_screenshot_time: 5
- take_screenshot_title: Wire Transfer;Payment Slips;Bank Login;Bitcoins;Shares
Signatures

Executes dropped EXE (2 IoCs)
Processes: winsoft.exe, winsoft.exe
- PID 4532: winsoft.exe
- PID 4420: winsoft.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe, WScript.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation (process: WScript.exe)

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe, winsoft.exe
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windonw = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\winsoft.exe\"" (process: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: winsoft.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windonw = "\"C:\\Users\\Admin\\AppData\\Roaming\\System32\\winsoft.exe\"" (process: winsoft.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoCs)
Processes: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
- Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings (process: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe)

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe, winsoft.exe, winsoft.exe
- PID 3364: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
- PID 4532: winsoft.exe
- PID 4420: winsoft.exe

Suspicious use of WriteProcessMemory (41 IoCs)
Processes: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe, 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe, WScript.exe, cmd.exe, winsoft.exe
The 41 logged events collapse to five parent/target pairs (identical rows grouped, event counts given):
- PID 3364 (3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe) wrote to memory of PID 3240 (3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe): 16 events
- PID 3240 (3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe) wrote to memory of PID 3592 (WScript.exe): 3 events
- PID 3592 (WScript.exe) wrote to memory of PID 4764 (cmd.exe): 3 events
- PID 4764 (cmd.exe) wrote to memory of PID 4532 (winsoft.exe): 3 events
- PID 4532 (winsoft.exe) wrote to memory of PID 4420 (winsoft.exe): 16 events
Processes (tree; depth shown by numbering and indentation)

1. C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b.exe"
      - Checks computer location settings
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\System32\winsoft.exe"
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
               Command line: C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
               - Executes dropped EXE
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

               6. C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
                  Command line: C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
- Filesize: 424B
- MD5: 5643fb2a18890c974d7c6e5a15d5fcd5
- SHA1: c2bc62799a01aed6c5ac18f8ec03a3c57ebb7486
- SHA256: 39fa039816b2557dd53ddfd64f53794ea53c48888c738da4d7eaf8f6b99c6240
- SHA512: 1d699c95f4d323f4455056cb84eabcda5216721a0ac512275926e424aa1cebcb920f234aba0e1c8f7735ded9d42a129f91b7c86632af762b7532adaaed5c5fb5

C:\Users\Admin\AppData\Roaming\System32\winsoft.exe
- Filesize: 836KB
- MD5: 415bafcf36a22df02e56a9e582f39b24
- SHA1: 2cf9b2825d4e26eef6ba8fe1906d22788c55bc7f
- SHA256: 3d3c288fcea8c0ae627a42c9378871cfab1ac04ed9d62e861c84d4196691e74b
- SHA512: 85dc4a0107b3b975a66d299290fc504210cc2af87e363338da2c11dc8bef04a59cfe7d3101a57f34153b15bec08e0ca91abc768b309993a65023a70dd7c4d035
Memory dumps:
- memory/3240-136-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/3240-137-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/3240-139-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/3240-134-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/3240-133-0x0000000000000000-mapping.dmp
- memory/3364-132-0x00000000022A0000-0x00000000022A6000-memory.dmp (24KB)
- memory/3364-135-0x00000000022A0000-0x00000000022A6000-memory.dmp (24KB)
- memory/3592-138-0x0000000000000000-mapping.dmp
- memory/4420-147-0x0000000000000000-mapping.dmp
- memory/4420-150-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4420-151-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4420-152-0x0000000000400000-0x000000000041E000-memory.dmp (120KB)
- memory/4532-142-0x0000000000000000-mapping.dmp
- memory/4764-141-0x0000000000000000-mapping.dmp