Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 05-10-2022 03:24
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ 2290.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: RFQ 2290.exe
- Resource: win10v2004-20220812-en
General
- Target: RFQ 2290.exe
- Size: 1.3MB
- MD5: 85e8ae98556d7927fa40c5cba4e4a16a
- SHA1: 3013724dbc0bedda4bc2528ba01c7495f26614b1
- SHA256: f851ccd89ef8f8e28648ff600789364e9caf5c522a5e7238cee619a229cc821d
- SHA512: 25e6158d69a61945d1513d0a12ffe1d1178a5c9e2ffeb032791b2dadc294d4f1e6b4d73242183b1ce0059e7421c9a9eea62cca6a3683002ee841e42cedce9969
- SSDEEP: 24576:WqHo1sfbYnNTHIsxcb5V9zpn8jte3q/3uASeA8vOE/dkJw1:WqIafENUkcb5rpn8Y3q/eAYU
Malware Config
Extracted
- Family: remcos
- Botnet: NEW REM STUB
- C2: valvesco.duckdns.org:5050
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-48V73L
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
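The extracted configuration is the highest-value part of this report: the C2 (valvesco.duckdns.org:5050), the mutex and the feature flags tell a responder what to hunt for and, just as importantly, what not to expect. Note that install_flag, keylog_flag and screenshot_flag are all false in this build, so the scheduled task and Defender exclusions seen further down come from the loader stage that runs before Remcos is injected, not from the Remcos configuration itself. The following is an added Python example, not part of the sandbox report or of any Remcos tooling: it parses a transcription of the config into typed values, derives only the indicators whose feature is actually enabled, and runs the C2 hostname against a few constructed DNS resolver log lines. The "key: value" layout, the DNS log lines and the assumption that Remcos file paths are relative to its install directory are ours.

```python
import re

# Constructed transcription of the configuration the sandbox extracted above.
# Values are the report's; only the "key: value" layout is ours.
REMCOS_CONFIG_TEXT = """
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-48V73L
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
"""
REMCOS_C2 = "valvesco.duckdns.org:5050"


def parse_config(text):
    """Turn the key: value dump into typed Python values (bool, int or str)."""
    cfg = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value in ("true", "false"):
            cfg[key] = value == "true"
        elif value.isdigit():
            cfg[key] = int(value)
        else:
            cfg[key] = value
    return cfg


def parse_c2(entry):
    """'host:port' -> (host, port); rpartition keeps hosts containing ':' intact."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def derive_artifacts(cfg, c2_entry):
    """Host and network indicators worth hunting for, restricted to enabled features."""
    host, port = parse_c2(c2_entry)
    # The mutex is the one host artifact that exists regardless of the flags;
    # Remcos mutex names carry the "Rmc-" prefix.
    art = {"c2_host": host, "c2_port": port, "mutex": cfg["mutex"],
           "enabled": [], "disabled": [], "expected_files": []}
    features = {
        "install": cfg["install_flag"],
        "keylog": cfg["keylog_flag"],
        "screenshot": cfg["screenshot_flag"] or cfg["take_screenshot_option"],
    }
    for name, on in features.items():
        art["enabled" if on else "disabled"].append(name)
    # Assumption: paths are relative to the Remcos install/AppData directory, which
    # the extracted config does not state, so they are kept relative here.
    if features["install"]:
        art["expected_files"].append(cfg["copy_folder"] + "\\" + cfg["copy_file"])
        art["startup_value"] = cfg["startup_value"]
    if features["keylog"]:
        art["expected_files"].append(cfg["keylog_folder"] + "\\" + cfg["keylog_file"])
    if features["screenshot"]:
        art["expected_files"].append(cfg["screenshot_path"] + "\\" + cfg["screenshot_folder"])
    return art


# Constructed DNS resolver log lines (not from the report) to run the C2 check over.
DNS_LOG = [
    "2022-10-05T03:25:11Z client=10.0.0.12 qtype=A qname=valvesco.duckdns.org",
    "2022-10-05T03:25:12Z client=10.0.0.12 qtype=A qname=www.example.com",
    "2022-10-05T03:26:40Z client=10.0.0.31 qtype=A qname=VALVESCO.DUCKDNS.ORG.",
]


def match_c2_dns(lines, host):
    """Return log lines whose qname is the C2 host (case-insensitive, trailing dot ignored)."""
    want = host.lower().rstrip(".")
    hits = []
    for line in lines:
        m = re.search(r"qname=(\S+)", line)
        if m and m.group(1).lower().rstrip(".") == want:
            hits.append(line)
    return hits


if __name__ == "__main__":
    cfg = parse_config(REMCOS_CONFIG_TEXT)
    art = derive_artifacts(cfg, REMCOS_C2)
    print(art)
    print(match_c2_dns(DNS_LOG, art["c2_host"]))
```

With this build every feature is disabled and expected_files comes back empty; flipping install_flag to true is enough to make Remcos\remcos.exe and the Remcos startup value appear, which is the quickest way to see which artifacts a given config would actually leave on disk.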
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | RFQ 2290.exe
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | RFQ 2290.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | RFQ 2290.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | RFQ 2290.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | RFQ 2290.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | RFQ 2290.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1056 set thread context of 1148 | 1056 | RFQ 2290.exe | RFQ 2290.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "Likely ransomware behaviour"; for this Remcos sample the drive enumeration sits next to the VM and BIOS registry checks above and is better read as environment fingerprinting than as encryption activity.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | process
  1056 | RFQ 2290.exe
  1056 | RFQ 2290.exe
  320 | powershell.exe
  1444 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1056 | RFQ 2290.exe
  Token: SeDebugPrivilege | 320 | powershell.exe
  Token: SeDebugPrivilege | 1444 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1148 | RFQ 2290.exe
- Suspicious use of WriteProcessMemory (25 IoCs, identical rows collapsed with a count)
  description | pid | process | target process | count
  PID 1056 wrote to memory of 320 | 1056 | RFQ 2290.exe | powershell.exe | 4
  PID 1056 wrote to memory of 1444 | 1056 | RFQ 2290.exe | powershell.exe | 4
  PID 1056 wrote to memory of 540 | 1056 | RFQ 2290.exe | schtasks.exe | 4
  PID 1056 wrote to memory of 1148 | 1056 | RFQ 2290.exe | RFQ 2290.exe | 13
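Read together, the SetThreadContext and WriteProcessMemory rows describe process hollowing: PID 1056 starts a second copy of itself (PID 1148), writes into it repeatedly and then resets the new process's thread context. The 508KB image at 0x400000 in PID 1148 (against 1.3MB for the parent) and the 0x4327A4 address recorded in its mapping dump in the Downloads section are what an injected payload with a redirected entry point looks like. The writes to the powershell.exe and schtasks.exe children, by contrast, are never followed by SetThreadContext and also occur on ordinary process creation, so a rule keyed on WriteProcessMemory alone would be noisy. The block below is an added Python example, not part of the report: it reconstructs the signature rows as a constructed event list (with the counts from the tables) and runs two detections over it, one for the anti-VM registry lookups and one for the hollowing pattern. The event field names and the helper constructors are our own.

```python
import re
from collections import defaultdict


def reg_event(pid, image, api, key):
    """Registry access by a process (our own event shape, not the sandbox's)."""
    return {"pid": pid, "image": image, "api": api, "key": key}


def xproc_event(pid, image, api, target_pid, target_image):
    """Cross-process API call from pid into target_pid."""
    return {"pid": pid, "image": image, "api": api,
            "target_pid": target_pid, "target_image": target_image}


SELF = "RFQ 2290.exe"
# Constructed event list transcribed from the signature rows above.
EVENTS = [
    reg_event(1056, SELF, "RegOpenKey", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions"),
    reg_event(1056, SELF, "RegOpenKey", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools"),
    reg_event(1056, SELF, "RegQueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    reg_event(1056, SELF, "RegQueryValue", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    reg_event(1056, SELF, "RegOpenKey", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    reg_event(1056, SELF, "RegQueryValue", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
]
EVENTS += [xproc_event(1056, SELF, "WriteProcessMemory", 320, "powershell.exe")] * 4
EVENTS += [xproc_event(1056, SELF, "WriteProcessMemory", 1444, "powershell.exe")] * 4
EVENTS += [xproc_event(1056, SELF, "WriteProcessMemory", 540, "schtasks.exe")] * 4
EVENTS += [xproc_event(1056, SELF, "WriteProcessMemory", 1148, SELF)] * 13
EVENTS.append(xproc_event(1056, SELF, "SetThreadContext", 1148, SELF))

# Registry paths that only exist, or only carry telltale strings, inside a VM or sandbox.
ANTI_VM_RULES = [
    ("VirtualBox Guest Additions key", re.compile(r"\\Oracle\\VirtualBox Guest Additions$", re.I)),
    ("VMware Tools key", re.compile(r"\\VMware, Inc\.\\VMware Tools$", re.I)),
    ("BIOS version string", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("disk enumeration via registry", re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I)),
]


def find_anti_vm(events):
    """Every registry event that touches one of the fingerprinting locations."""
    hits = []
    for e in events:
        key = e.get("key")
        if not key:
            continue
        for label, rx in ANTI_VM_RULES:
            if rx.search(key):
                hits.append({"pid": e["pid"], "label": label, "key": key})
    return hits


def find_hollowing(events):
    """Flag a parent that wrote into a child and then reset that child's thread context.

    Writes without a later SetThreadContext are deliberately not reported: they
    happen on plain process creation too (see the powershell/schtasks children).
    """
    writes = defaultdict(int)
    context_set = set()
    target_image = {}
    image_of = {}
    for e in events:
        image_of[e["pid"]] = e["image"]
        pair = (e["pid"], e.get("target_pid"))
        if e["api"] == "WriteProcessMemory":
            writes[pair] += 1
            target_image[pair] = e["target_image"]
        elif e["api"] == "SetThreadContext":
            context_set.add(pair)
            target_image[pair] = e["target_image"]
    findings = []
    for pid, tpid in sorted(context_set):
        pair = (pid, tpid)
        findings.append({
            "pid": pid, "target_pid": tpid,
            "writes": writes.get(pair, 0),
            # Same image name in parent and target is the self-hollowing (RunPE) shape.
            "same_image": target_image[pair] == image_of.get(pid),
        })
    return findings


if __name__ == "__main__":
    for h in find_anti_vm(EVENTS):
        print("anti-vm:", h)
    for f in find_hollowing(EVENTS):
        print("hollowing:", f)
```

Run as-is the hollowing detector reports exactly one pair, 1056 into 1148, with thirteen writes and matching image names; the anti-VM pass reports all six registry touches. Writes into 320, 1444 and 540 stay quiet, which is the point of requiring the SetThreadContext step.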
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe (PID 1056)
  command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDKZenUzizmrGT.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 540)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDKZenUzizmrGT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe (PID 1148)
    command line: "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"
    - Suspicious use of SetWindowsHookEx
Note: the child processes run from SysWOW64 although their command lines name System32. The parent is a 32-bit process (arch:x86 in the resource tags), so WOW64 file-system redirection applies; match detection rules on the image path rather than the command-line path. The two powershell.exe children are PIDs 320 and 1444 in the signature tables above.
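Two things in this tree deserve a detection rule of their own: the parent uses PowerShell to add Windows Defender exclusions, first for its own path and then for the file it is about to place under AppData\Roaming, and it registers a scheduled task from an XML file written to the Temp directory. Both live in the command line rather than in the binary, so they are visible to anything that logs process creation. The example below is added Python, not part of the report: it triages a constructed transcription of the process tree (the PIDs 320 and 1444 for the two powershell.exe instances are assumed from list order), flags the exclusion and scheduled-task commands, and marks children whose image path was redirected to SysWOW64 so that rules match on the image path rather than the System32 path in the command line.

```python
import re

# Constructed process records transcribed from the process tree above. The PIDs
# of the two powershell.exe instances (320, 1444) are assumed from list order.
PROCESSES = [
    {"pid": 1056, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"'},
    {"pid": 320, "ppid": 1056,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"'},
    {"pid": 1444, "ppid": 1056,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iDKZenUzizmrGT.exe"'},
    {"pid": 540, "ppid": 1056,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iDKZenUzizmrGT" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp"'},
    {"pid": 1148, "ppid": 1056,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RFQ 2290.exe"'},
]

# Add-MpPreference/Set-MpPreference with any -Exclusion* parameter; the value may be quoted.
EXCLUSION_RX = re.compile(
    r"(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:\"([^\"]+)\"|(\S+))", re.I)
SCHTASKS_CREATE_RX = re.compile(r"schtasks\.exe\"?\s+/create\b", re.I)


def is_user_writable(path):
    """Cheap test for locations an unprivileged user can write to."""
    p = path.lower()
    return "\\appdata\\" in p or "\\temp\\" in p


def wow64_redirected(proc):
    """Command line names System32 but the image ran from SysWOW64 (32-bit parent)."""
    return ("\\syswow64\\" in proc["image"].lower()
            and "\\system32\\" in proc["cmdline"].lower())


def triage(processes):
    """Return a list of findings over a process tree of {pid, ppid, image, cmdline} records."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        cmd = p["cmdline"]
        m = EXCLUSION_RX.search(cmd)
        if m:
            excluded = m.group(3) or m.group(4)
            parent = by_pid.get(p["ppid"])
            findings.append({
                "rule": "defender_exclusion", "pid": p["pid"], "excluded": excluded,
                "user_writable": is_user_writable(excluded),
                # A process excluding the exact path of its parent is excluding the dropper itself.
                "self_exclusion": bool(parent) and excluded.lower() == parent["image"].lower(),
            })
        if SCHTASKS_CREATE_RX.search(cmd):
            tn = re.search(r"/TN\s+\"([^\"]+)\"", cmd, re.I)
            xml = re.search(r"/XML\s+\"([^\"]+)\"", cmd, re.I)
            findings.append({
                "rule": "schtasks_create", "pid": p["pid"],
                "task": tn.group(1) if tn else None,
                "xml": xml.group(1) if xml else None,
                "xml_from_user_dir": bool(xml) and is_user_writable(xml.group(1)),
            })
        if wow64_redirected(p):
            findings.append({"rule": "wow64_redirect", "pid": p["pid"], "image": p["image"]})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f)
```

The two exclusion findings differ in one useful way: the first excludes the parent's own image (self_exclusion), the second a path under AppData\Roaming that does not exist yet at that point, which is the loader protecting the copy it is about to drop. Either is worth an alert on its own; together with a schtasks /Create that reads its task definition from a .tmp file in the user's Temp directory they form the persistence step that the Remcos config itself (install_flag false) does not perform.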
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpDDB3.tmp
  Filesize: 1KB
  MD5: b12843f75ff19d128f5e075cc6206a4f
  SHA1: f14ddbd34478e65d8012b2e3c69bc47c7e65a636
  SHA256: 83481a3662bb3e5bc731d9f289eacf5d78a7e7f893d1e02e3ddde8cf38c5fb47
  SHA512: 3eb9b95928577ecbff7b34f8a1e73deecd21490af6df8a3dd4e3e0e9940d41bd81a11ec881df105c02b1a498de3fb4d5addf8fbb659e59d5a3c9e5ba644bc797
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 57787efe8d9108c8b1c9388202ff6754
  SHA1: 96346007d4fdbe375aab48b96ee4e682ffef3207
  SHA256: 10275b10a249365182c702882fb8fb38bca78a409cbf1cfd1d33255c85454e83
  SHA512: 8d777a045a99ce77d2044f8f7da3c0410971053e04800c4871f0ea51ed3e576ed106ac66d04cf13ced790385b3213434395d36ac8ea63706d80a75a03f7f9adf
- memory/320-59-0x0000000000000000-mapping.dmp
- memory/320-87-0x000000006F930000-0x000000006FEDB000-memory.dmp (Filesize: 5.7MB)
- memory/320-84-0x000000006F930000-0x000000006FEDB000-memory.dmp (Filesize: 5.7MB)
- memory/540-62-0x0000000000000000-mapping.dmp
- memory/1056-54-0x0000000000940000-0x0000000000A98000-memory.dmp (Filesize: 1.3MB)
- memory/1056-55-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize: 8KB)
- memory/1056-56-0x0000000000470000-0x0000000000484000-memory.dmp (Filesize: 80KB)
- memory/1056-57-0x0000000000660000-0x000000000066C000-memory.dmp (Filesize: 48KB)
- memory/1056-58-0x0000000008090000-0x000000000819E000-memory.dmp (Filesize: 1.1MB)
- memory/1056-66-0x0000000008AC0000-0x0000000008B7C000-memory.dmp (Filesize: 752KB)
- memory/1148-72-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-79-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-68-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-74-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-73-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-75-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-77-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-70-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-80-0x00000000004327A4-mapping.dmp
- memory/1148-83-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-67-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-89-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1148-86-0x0000000000400000-0x000000000047F000-memory.dmp (Filesize: 508KB)
- memory/1444-61-0x0000000000000000-mapping.dmp
- memory/1444-88-0x000000006F930000-0x000000006FEDB000-memory.dmp (Filesize: 5.7MB)
- memory/1444-85-0x000000006F930000-0x000000006FEDB000-memory.dmp (Filesize: 5.7MB)