Analysis
- max time kernel: 51s
- max time network: 54s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-07-2022 06:30
Static task: static1
Behavioral task: behavioral1
- Sample: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
- Resource: win10v2004-20220722-en
General
- Target: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
- Size: 385KB
- MD5: e8fcccc14df4c8fbde4223b16fdb4e63
- SHA1: 6bb4317b855e9f07c9f63b33455eeaa7335bfade
- SHA256: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a
- SHA512: 8cb6aab343972ef7384c6e8e4d2418e168c35e448a4e1183d650776762c407239d265838fe1c03bd10cf4415238c4e7b08ed9a9d95a62f70bcc4f50561b01c1c
Malware Config
Extracted
- Family: remcos
- Version: 2.0.5 Pro
- RemoteHost: 79.172.242.28:2404
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: Remcos-6PPTSU
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
- take_screenshot_title:
Signatures
- Executes dropped EXE (1 IoC)
  Processes: svhost.exe
  pid 4276, process svhost.exe
- Drops desktop.ini file(s) (2 IoCs)
  Processes: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
  File created: C:\Windows\assembly\Desktop.ini (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe, svhost.exe
  PID 4232 (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe) set thread context of PID 4276 (svhost.exe)
  PID 4276 (svhost.exe) set thread context of PID 4420 (iexplore.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
  File opened for modification: C:\Windows\assembly (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
  File created: C:\Windows\assembly\Desktop.ini (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NTFS ADS (1 IoC)
  Processes: cmd.exe
  File created: C:\Users\Admin\AppData\Local\Temp\8778\name.exe:Zone.Identifier (cmd.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
  pid 4232, process 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
  Token: SeDebugPrivilege, pid 4232 (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
  Token: 33, pid 4232 (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
  Token: SeIncBasePriorityPrivilege, pid 4232 (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe)
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe, cmd.exe, svhost.exe
  PID 4232 (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe) wrote to memory of PID 3532 (cmd.exe) (3 entries)
  PID 3532 (cmd.exe) wrote to memory of PID 4204 (reg.exe) (3 entries)
  PID 4232 (58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe) wrote to memory of PID 4276 (svhost.exe) (9 entries)
  PID 4276 (svhost.exe) wrote to memory of PID 4420 (iexplore.exe) (9 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a.exe"
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    - NTFS ADS
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\reg.exe
      Command line: reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\8778\name.exe.lnk" /f
  - [2] C:\Users\Admin\AppData\Local\Temp\svhost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8778\name.exe
  Filesize: 385KB
  MD5: e8fcccc14df4c8fbde4223b16fdb4e63
  SHA1: 6bb4317b855e9f07c9f63b33455eeaa7335bfade
  SHA256: 58cb07fecced83dfe6a4999921297ad94248f47935568913aa2a1a60de1d330a
  SHA512: 8cb6aab343972ef7384c6e8e4d2418e168c35e448a4e1183d650776762c407239d265838fe1c03bd10cf4415238c4e7b08ed9a9d95a62f70bcc4f50561b01c1c
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  Filesize: 1.6MB
  MD5: 1c9ff7df71493896054a91bee0322ebf
  SHA1: 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
  SHA256: e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
  SHA512: aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab
- memory/3532-133-0x0000000000000000-mapping.dmp
- memory/4204-134-0x0000000000000000-mapping.dmp
- memory/4232-132-0x0000000075290000-0x0000000075841000-memory.dmp
  Filesize: 5.7MB
- memory/4232-144-0x0000000075290000-0x0000000075841000-memory.dmp
  Filesize: 5.7MB
- memory/4276-136-0x0000000000000000-mapping.dmp
- memory/4276-137-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4276-141-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB
- memory/4276-143-0x0000000000400000-0x000000000041B000-memory.dmp
  Filesize: 108KB