Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2022 03:03
Behavioral task behavioral1
Sample: 0x000a000000012319-56.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 0x000a000000012319-56.exe
Resource: win10v2004-20220812-en
General
Target: 0x000a000000012319-56.exe
Size: 469KB
MD5: a0c98858ea96edb2386c86e1786f3419
SHA1: 461ece495d357885b8ab78341374d830ad88cb76
SHA256: 269546bd718741529021774e7032cf8da5075e2d18852ee0859c3c7a854f5950
SHA512: 0d0f7ac9a4450be50e66ca6595870118a28cefe1d4fb4289be6f0e7747a90bfad7e899ae93ae78d8effdbdf156b313e40f18db633cd8c1b763c4ccb7d974febb
SSDEEP: 12288:Wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSvn9:uiLJbpI7I2WhQqZ7v9
Malware Config
Extracted
Family: remcos
Botnet: Firefox
C2: elew3le3lanle.freeddns.org:20309
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Firefox
delete_file: true
hide_file: true
hide_keylog_file: false
install_flag: true
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-Z26APQ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Firefox
take_screenshot_option: false
take_screenshot_time: 5
Note: install_flag is true with copy_folder Firefox, copy_file remcos.exe and startup_value Firefox, which is exactly the C:\ProgramData\Firefox\remcos.exe drop and the Run value named Firefox recorded in the Signatures section. The keylog and screenshot flags are false, and the report lists no keylog or screenshot output files. The C2 is a dynamic-DNS hostname on a non-standard port (20309), so the hostname and the mutex Rmc-Z26APQ are the most durable indicators here.
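The config above predicts the host artifacts before the sample is even run: the Run value name comes from startup_value and the dropped path from copy_folder and copy_file. The script below is an added example (not code from the sandbox or from Remcos) that parses the report's own "key / - / value" layout, derives the hunt artifacts, and checks one of the observed Run-key IoCs against them. The install root (C:\ProgramData) is not in the config; it is taken from the observed Run value and passed in as a parameter rather than assumed.

```python
"""Derive hunt artifacts from the extracted Remcos config.

Added example; not code from the sandbox report or from Remcos itself.
CONFIG_TEXT is a subset of the report's config block in its own
"key / - / value" layout. The install root is not part of the config and
is passed in explicitly. OBSERVED_RUN_LINE is copied from the report.
"""
import re

CONFIG_TEXT = """\
remcos
Firefox
elew3le3lanle.freeddns.org:20309
-
copy_file
remcos.exe
-
copy_folder
Firefox
-
install_flag
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mutex
Rmc-Z26APQ
-
startup_value
Firefox
"""

# One of the eight "Adds Run key" IoCs, as flattened in the report.
OBSERVED_RUN_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Firefox = '
    r'"\"C:\\ProgramData\\Firefox\\remcos.exe\""'
)


def parse_config(text):
    """Parse the report's config layout into a dict; true/false become bool."""
    blocks = [b.strip().splitlines() for b in text.strip().split("\n-\n")]
    family, botnet, *c2 = blocks[0]          # first block: family, botnet, C2 list
    cfg = {"family": family, "botnet": botnet, "c2": c2}
    for key, value in blocks[1:]:
        cfg[key] = {"true": True, "false": False}.get(value, value)
    return cfg


def hunt_artifacts(cfg, install_root):
    """What the config predicts: network IOCs plus on-host persistence."""
    host, port = cfg["c2"][0].rsplit(":", 1)
    dropped = None
    if cfg.get("install_flag"):
        dropped = f"{install_root}\\{cfg['copy_folder']}\\{cfg['copy_file']}"
    return {
        "c2_domain": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "dropped_exe": dropped,
        "run_value_name": cfg["startup_value"],
        # An offline keylog file is only expected when keylog_flag is set.
        "keylog_file": (f"{cfg['keylog_folder']}\\{cfg['keylog_file']}"
                        if cfg.get("keylog_flag") else None),
    }


# Matches the sandbox's flattened 'Set value (str) ...\Run\<name> = "\"<path>\""' form.
RUN_VALUE_RE = re.compile(r'\\CurrentVersion\\Run\\(\S+) = "\\"(.+?)\\""')


def run_key_matches(registry_line, artifacts):
    """True if a sandbox 'Set value (str)' line is the predicted Run entry."""
    m = RUN_VALUE_RE.search(registry_line)
    if not m or not artifacts["dropped_exe"]:
        return False
    name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # un-escape report text
    return (name == artifacts["run_value_name"]
            and data.lower() == artifacts["dropped_exe"].lower())


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    art = hunt_artifacts(cfg, "C:\\ProgramData")
    for k, v in art.items():
        print(f"{k}: {v}")
    print("observed Run value matches config:", run_key_matches(OBSERVED_RUN_LINE, art))
```

The same derivation works for other Remcos configs with install_flag set; when it is false there is no dropped copy and no Run value to hunt for, and the script reports None for the path.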
Signatures
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients.
YARA hits on memory dumps:
- behavioral1/memory/1604-79-0x0000000000400000-0x0000000000457000-memory.dmp: MailPassView
- behavioral1/memory/1604-81-0x0000000000400000-0x0000000000457000-memory.dmp: MailPassView
NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers.
YARA hits on memory dumps:
- behavioral1/memory/1868-78-0x0000000000400000-0x0000000000478000-memory.dmp: WebBrowserPassView
Nirsoft (4 IoCs)
YARA hits on memory dumps:
- behavioral1/memory/1468-77-0x0000000000400000-0x0000000000424000-memory.dmp: Nirsoft
- behavioral1/memory/1868-78-0x0000000000400000-0x0000000000478000-memory.dmp: Nirsoft
- behavioral1/memory/1604-79-0x0000000000400000-0x0000000000457000-memory.dmp: Nirsoft
- behavioral1/memory/1604-81-0x0000000000400000-0x0000000000457000-memory.dmp: Nirsoft
Executes dropped EXE (4 IoCs)
- PID 1964 remcos.exe
- PID 1868 remcos.exe
- PID 1604 remcos.exe
- PID 1468 remcos.exe
Deletes itself (1 IoC)
- PID 1020 WScript.exe
Loads dropped DLL (2 IoCs)
- PID 1968 cmd.exe (2 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
- remcos.exe: Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Adds Run key to start application (2 TTPs, 8 IoCs)
Both the original dropper and the installed copy write the same two Run values (per-user and 32-bit machine-wide):
- 0x000a000000012319-56.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\
- 0x000a000000012319-56.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""
- 0x000a000000012319-56.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
- 0x000a000000012319-56.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""
- remcos.exe: Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\
- remcos.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""
- remcos.exe: Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\
- remcos.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Firefox = "\"C:\\ProgramData\\Firefox\\remcos.exe\""
Suspicious use of SetThreadContext (4 IoCs)
- PID 1964 remcos.exe set thread context of PID 908 svchost.exe
- PID 1964 remcos.exe set thread context of PID 1868 remcos.exe
- PID 1964 remcos.exe set thread context of PID 1604 remcos.exe
- PID 1964 remcos.exe set thread context of PID 1468 remcos.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description labels this likely ransomware behaviour, but drive enumeration on its own is not specific to ransomware; for a RAT such as Remcos it is consistent with file-manager and host-survey functionality, and this report records no file-encryption activity.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
- PID 1868 remcos.exe (2 IoCs)
Suspicious behavior: MapViewOfSection (4 IoCs)
- PID 1964 remcos.exe (4 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 1468 remcos.exe: Token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1964 remcos.exe
Suspicious use of WriteProcessMemory (29 IoCs)
The report lists every write separately; grouped by source and target process:
- PID 1824 0x000a000000012319-56.exe -> PID 1020 WScript.exe (4 writes)
- PID 1020 WScript.exe -> PID 1968 cmd.exe (4 writes)
- PID 1968 cmd.exe -> PID 1964 remcos.exe (4 writes)
- PID 1964 remcos.exe -> PID 908 svchost.exe (5 writes)
- PID 1964 remcos.exe -> PID 1868 remcos.exe (4 writes)
- PID 1964 remcos.exe -> PID 1604 remcos.exe (4 writes)
- PID 1964 remcos.exe -> PID 1468 remcos.exe (4 writes)
Processes
1. C:\Users\Admin\AppData\Local\Temp\0x000a000000012319-56.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\0x000a000000012319-56.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Firefox\remcos.exe"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\ProgramData\Firefox\remcos.exe
            command line: C:\ProgramData\Firefox\remcos.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               command line: svchost.exe
            5. C:\ProgramData\Firefox\remcos.exe
               command line: C:\ProgramData\Firefox\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\cbnbcpxpyakvvtno"
               - Executes dropped EXE
               - Suspicious behavior: EnumeratesProcesses
            5. C:\ProgramData\Firefox\remcos.exe
               command line: C:\ProgramData\Firefox\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppffeaskiqueigxefcxngu"
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
            5. C:\ProgramData\Firefox\remcos.exe
               command line: C:\ProgramData\Firefox\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\evaudiiimicafzjsosl"
               - Executes dropped EXE
               - Accesses Microsoft Outlook accounts
Reading the tree: the command lines name System32 but the images resolve under SysWOW64 because the whole chain is 32-bit and subject to WoW64 file-system redirection on this x64 image. The four level-5 children are the targets of the SetThreadContext and WriteProcessMemory IoCs above (PIDs 908, 1868, 1604 and 1468 are given there, not in the tree): the installed remcos.exe spawns a suspended copy of svchost.exe and three copies of itself and replaces their code, the classic process-hollowing sequence. The /stext <file> argument on the three remcos.exe children is the NirSoft save-to-text switch, and the YARA hits on their memory identify MailPassView and WebBrowserPassView running inside what looks like remcos.exe; the third copy's Outlook account-key access matches MailPassView's behaviour. On an endpoint, a process spawning its own image with /stext and a random temp-file name is the signal to alert on.
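The injection, YARA and process-tree data above are spread over three flattened sections, and the security-relevant question (which hollowed child is running which tool, writing where) only falls out when they are joined. The script below is an added example, not part of the sandbox report, that parses the report's own SetThreadContext line and YARA resource names and joins them with the level-5 command lines. The mapping of child PIDs to command lines is an inference from the per-process annotations in the tree (EnumeratesProcesses is on PID 1868, AdjustPrivilegeToken on 1468, Outlook access on 1604), not something the report states directly.

```python
"""Join the report's SetThreadContext, YARA and process-tree data per target.

Added example; not code from the sandbox report. The strings below are the
report's own flattened signature lines. CHILD_CMDLINES pairs PIDs with the
level-5 command lines based on the per-process annotations in the tree;
that pairing is an inference, not report data.
"""
import re
from collections import defaultdict

# Flattened "Suspicious use of SetThreadContext" line, copied from the report.
SET_THREAD_CONTEXT = (
    "PID 1964 set thread context of 908 1964 remcos.exe svchost.exe "
    "PID 1964 set thread context of 1868 1964 remcos.exe remcos.exe "
    "PID 1964 set thread context of 1604 1964 remcos.exe remcos.exe "
    "PID 1964 set thread context of 1468 1964 remcos.exe remcos.exe"
)

# (memory dump resource, YARA rule) pairs, copied from the report.
YARA_HITS = [
    ("behavioral1/memory/1604-79-0x0000000000400000-0x0000000000457000-memory.dmp", "MailPassView"),
    ("behavioral1/memory/1868-78-0x0000000000400000-0x0000000000478000-memory.dmp", "WebBrowserPassView"),
    ("behavioral1/memory/1468-77-0x0000000000400000-0x0000000000424000-memory.dmp", "Nirsoft"),
    ("behavioral1/memory/1868-78-0x0000000000400000-0x0000000000478000-memory.dmp", "Nirsoft"),
    ("behavioral1/memory/1604-79-0x0000000000400000-0x0000000000457000-memory.dmp", "Nirsoft"),
]

# Level-5 command lines from the tree; PID assignment inferred from annotations.
CHILD_CMDLINES = {
    908: "svchost.exe",
    1868: r'C:\ProgramData\Firefox\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\cbnbcpxpyakvvtno"',
    1468: r'C:\ProgramData\Firefox\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppffeaskiqueigxefcxngu"',
    1604: r'C:\ProgramData\Firefox\remcos.exe /stext "C:\Users\Admin\AppData\Local\Temp\evaudiiimicafzjsosl"',
}


def parse_set_thread_context(line):
    """Return {target_pid: (injector_pid, injector_image, target_image)}."""
    pat = re.compile(r"PID (\d+) set thread context of (\d+) \1 (\S+) (\S+)")
    return {int(t): (int(s), si, ti) for s, t, si, ti in pat.findall(line)}


def pid_from_dump(resource):
    """'behavioral1/memory/1604-79-0x...-memory.dmp' -> 1604."""
    m = re.search(r"memory/(\d+)-", resource)
    return int(m.group(1)) if m else None


def correlate(ctx_line, yara_hits, cmdlines):
    """Build one record per injected process: who injected it, what it runs, what YARA saw."""
    targets = parse_set_thread_context(ctx_line)
    labels = defaultdict(set)
    for resource, rule in yara_hits:
        labels[pid_from_dump(resource)].add(rule)
    view = {}
    for pid, (injector, injector_img, target_img) in targets.items():
        cmd = cmdlines.get(pid, "")
        m = re.search(r'/stext\s+"([^"]+)"', cmd)   # NirSoft save-to-text switch
        view[pid] = {
            "injector": injector,
            "image": target_img,
            "hollowed_self_copy": injector_img == target_img,
            "stext_output": m.group(1) if m else None,
            "yara": sorted(labels.get(pid, ())),
        }
    return view


def classify(entry):
    """Human-readable verdict for one injected process."""
    if entry["stext_output"] and entry["hollowed_self_copy"]:
        tool = next((r for r in entry["yara"] if r != "Nirsoft"),
                    "unidentified NirSoft-style tool")
        return f"credential dumper ({tool}) writing {entry['stext_output']}"
    if not entry["yara"]:
        return f"hollowed {entry['image']}, payload not matched by the report's YARA rules"
    return "injected: " + ", ".join(entry["yara"])


if __name__ == "__main__":
    for pid, entry in correlate(SET_THREAD_CONTEXT, YARA_HITS, CHILD_CMDLINES).items():
        print(f"PID {pid} <- PID {entry['injector']}: {classify(entry)}")
```

Only one of the three /stext output files (cbnbcpxpyakvvtno, 2 bytes) appears in the Downloads section, which is what an empty result from a password-recovery tool on a clean sandbox image looks like; on a real victim these temp files would hold the harvested credentials until Remcos reads and removes them.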
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\Firefox\remcos.exe
(The report lists this file seven times, five as C:\ProgramData\Firefox\remcos.exe and two as \ProgramData\Firefox\remcos.exe, all with identical hashes; shown once here. The hashes match the submitted sample exactly, so the installed copy is byte-identical to the original dropper.)
Filesize: 469KB
MD5: a0c98858ea96edb2386c86e1786f3419
SHA1: 461ece495d357885b8ab78341374d830ad88cb76
SHA256: 269546bd718741529021774e7032cf8da5075e2d18852ee0859c3c7a854f5950
SHA512: 0d0f7ac9a4450be50e66ca6595870118a28cefe1d4fb4289be6f0e7747a90bfad7e899ae93ae78d8effdbdf156b313e40f18db633cd8c1b763c4ccb7d974febb
C:\Users\Admin\AppData\Local\Temp\cbnbcpxpyakvvtno
(Output file of the first /stext child; the only one of the three captured.)
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
C:\Users\Admin\AppData\Local\Temp\install.vbs
Filesize: 542B
MD5: a2fb356030b424d6942480d68d3637c1
SHA1: 6f0c46fe28f9547702db198ad1615dc7fa5a69a6
SHA256: b2790e93aca2e185e266ba4221f0a5aeb74a84fc9b60649caa9efca7af835116
SHA512: fd2fcb0f40b16b7f6f05aaa397a90da9a904aaf54c22323d5a652fd66a99b24daaf4070be492fbeb6ddaf80f443d082652c902d812d38da54aefd55b7e051f42
Memory dumps
- memory/908-65-0x00000000000B27A4-mapping.dmp
- memory/908-67-0x0000000000080000-0x00000000000FF000-memory.dmp (508KB)
- memory/1020-55-0x0000000000000000-mapping.dmp
- memory/1468-73-0x0000000000422206-mapping.dmp
- memory/1468-77-0x0000000000400000-0x0000000000424000-memory.dmp (144KB)
- memory/1604-70-0x0000000000455238-mapping.dmp
- memory/1604-79-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
- memory/1604-81-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
- memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp (8KB)
- memory/1868-68-0x0000000000476274-mapping.dmp
- memory/1868-78-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/1964-62-0x0000000000000000-mapping.dmp
- memory/1968-58-0x0000000000000000-mapping.dmp
The "-mapping.dmp" entries record the entry point the injector set in each hollowed child (for example 0x455238 in PID 1604); the 0x400000-based "-memory.dmp" regions for PIDs 1468, 1604 and 1868 are the image ranges the NirSoft YARA rules matched on.