Analysis
- max time kernel: 161s
- max time network: 164s
- platform: windows10-1703_x64
- resource: win10-20220718-en
- resource tags: arch:x64, arch:x86, image:win10-20220718-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 06-08-2022 07:40
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
  - Resource: win10-20220718-en
General
- Target: 6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
- Size: 914KB
- MD5: 2c423d03a39192e874aab20c14d1883b
- SHA1: 023cf31791a48de9cc1ac9e2b98e47393f1d0e3b
- SHA256: 6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d
- SHA512: 479d80a09d6792340f1999b51d02e59a5a578734ae6af1102dc54a0fa79040f43d6878fbd8acfd1fd57cb3751077b65c4ac1bd64a04e8f39c9dc213166cc1b5c
Malware Config
Extracted
- Family: remcos
- Version: 1.7 Pro
- Botnet: ceo_nasco
- C2: 194.5.98.28:7006
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: remcos.exe
- copy_folder: remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: remcos_zxeqqeixcisywfn
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screens
- screenshot_path: %AppData%
- screenshot_time: 1
- startup_value: remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Blocklisted process makes network request (20 IoCs)
  Processes:
  flow  pid   process
  10    4820  cmd.exe
  12    4820  cmd.exe
  16    4820  cmd.exe
  17    4820  cmd.exe
  18    4820  cmd.exe
  19    4820  cmd.exe
  20    4820  cmd.exe
  21    4820  cmd.exe
  22    4820  cmd.exe
  24    4820  cmd.exe
  25    4820  cmd.exe
  26    4820  cmd.exe
  27    4820  cmd.exe
  28    4820  cmd.exe
  29    4820  cmd.exe
  30    4820  cmd.exe
  31    4820  cmd.exe
  32    4820  cmd.exe
  33    4820  cmd.exe
  34    4820  cmd.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2848962218-3794400400-3934119819-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zhcexw = "C:\\Users\\Public\\Libraries\\wxechZ.url"
  process: 6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2424  6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
  2424  6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
  pid   process
  4820  cmd.exe
- Suspicious use of SendNotifyMessage (1 IoCs)
  Processes:
  pid   process
  4820  cmd.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (17 identical entries):
  description: PID 2424 wrote to memory of 4820
  pid: 2424
  process: 6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
  target process: cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e4597db411c7c93428ddc24f95c2d4a16c91263c12344923c04aceae016834d.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe (child of [1])
    Command line: "C:\Windows\System32\cmd.exe"
    - Blocklisted process makes network request
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2424-117-0x00000000779D0000-0x0000000077B5E000-memory.dmp through memory/2424-180-0x00000000779D0000-0x0000000077B5E000-memory.dmp
  64 dumps (indices 117 to 180, every index present) of the same region 0x00000000779D0000-0x0000000077B5E000 in PID 2424
  Filesize: 1.6MB each
- memory/4820-754-0x0000000000000000-mapping.dmp
- memory/4820-788-0x00000000505A0000-0x00000000505C7000-memory.dmp
  Filesize: 156KB
- memory/4820-836-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/4820-837-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB