Analysis
max time kernel: 81s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-07-2022 22:41
Static task: static1
Behavioral task: behavioral1
Sample: ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Resource: win7-20220718-en
General
Target: ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Size: 340KB
MD5: 77e6c7f57c85396bcc9cb835a24107d1
SHA1: 6a243d09ed09f339935577c746d0326c0dff2e38
SHA256: ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80
SHA512: 0f8203d8d710244728939b8b5ebc9053e3e0c3c1a9ba3de136fbf2dd8860ca74e277d067e13ccd2eca25ead0deeb782fd2b8ff345b2161ba4ee9720337348abd
Malware Config

Extracted
remcos
GOLD
sub.thebest1jewels.waw.pl:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-TP8KCR
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:
Extracted
remcos
2.5.0 Pro
GOLD
sub.thebest1jewels.waw.pl:2404
audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: remcos.exe
copy_folder: remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-TP8KCR
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 1
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1836 set thread context of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  1116 | 2768 | WerFault.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
  description | pid | process | target process
  PID 1836 wrote to memory of 3324 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | schtasks.exe
  PID 1836 wrote to memory of 3324 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | schtasks.exe
  PID 1836 wrote to memory of 3324 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | schtasks.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  PID 1836 wrote to memory of 2768 | 1836 | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe | ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe"
  Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ooPeZfpRVlcO" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBBAA.tmp"
    Signatures: Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ec8fa728e1b4e4eea17cfe7cf17828bd0e42a061911adbdea8525db622c3cf80.exe"

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 500
      Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2768 -ip 2768
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBBAA.tmp
  Filesize: 1KB
  MD5: 7694e4380a8c5d67af550436fa859977
  SHA1: 497c0b3697a7238a320bd1d7394e8ac060745c0a
  SHA256: 46f2731ee546eb2bec477116a85be01c9e21cd92d3ede18c7da4f8ef1d67e2ba
  SHA512: 1a06fd092ee0783bc60233411c4220f6ab6ab64fc1c7d76dd0cc3cd6199acae4a7245735e203ec5e7f64c88dbb2474d7177afc13add6464798c8ad075cf2816f

Memory dumps:
  memory/1836-132-0x00000000748C0000-0x0000000074E71000-memory.dmp | Filesize: 5.7MB
  memory/1836-133-0x00000000748C0000-0x0000000074E71000-memory.dmp | Filesize: 5.7MB
  memory/1836-147-0x00000000748C0000-0x0000000074E71000-memory.dmp | Filesize: 5.7MB
  memory/2768-136-0x0000000000000000-mapping.dmp
  memory/2768-138-0x0000000000720000-0x0000000000740000-memory.dmp | Filesize: 128KB
  memory/2768-142-0x0000000000720000-0x0000000000740000-memory.dmp | Filesize: 128KB
  memory/2768-146-0x0000000000720000-0x0000000000740000-memory.dmp | Filesize: 128KB
  memory/3324-134-0x0000000000000000-mapping.dmp