Analysis
max time kernel: 148s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: Order Inquiry.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: Order Inquiry.exe
  Resource: win10v2004-20220812-en
General
Target: Order Inquiry.exe
Size: 1.1MB
MD5: bd87ed67a08d2e9e4cec6526666b563e
SHA1: 6ec0878c6a65ec969617287f19fde458bf0c5461
SHA256: 7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1
SHA512: 236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22
SSDEEP: 24576:OGmYbj/2yjk37WwHsOzj4j85M1hUQDAxzJX44qxpWo:OGmY2OghsOzj4jGM1aK4FXo
Malware Config
Extracted family: remcos
  RemoteHost: harjahwool.ddnsfree.com:8372
  audio_folder: MicRecords
  audio_path: ApplicationPath
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  keylog_crypt: true
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  mouse_option: false
  mutex: Rmc-EGNT8M
  screenshot_crypt: true
  screenshot_flag: true
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes (process | description | ioc):
    reg.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dygjhkm.exe,"
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2328 | dygjhkm.exe
    880 | dygjhkmffffhh.exe
    4300 | dygjhkmffffhh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (process | description | ioc):
    dygjhkm.exe | Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
    dygjhkmffffhh.exe | Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 2328 set thread context of 3824 | 2328 | dygjhkm.exe | AddInProcess32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 3 IoCs)
  Processes (pid | process):
    920 | PING.EXE
    2652 | PING.EXE
    3488 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes (pid | process), repeated entries collapsed with their counts:
    1416 | Order Inquiry.exe (25 entries)
    2328 | dygjhkm.exe (3 entries)
    880 | dygjhkmffffhh.exe (1 entry)
    4300 | dygjhkmffffhh.exe (3 entries)
    2328 | dygjhkm.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 1416 | Order Inquiry.exe
    Token: SeDebugPrivilege | 2328 | dygjhkm.exe
    Token: 33 | 3516 | AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege | 3516 | AUDIODG.EXE
    Token: SeDebugPrivilege | 880 | dygjhkmffffhh.exe
    Token: SeDebugPrivilege | 4300 | dygjhkmffffhh.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    3824 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (source pid | source process | target pid | target process), repeated entries collapsed with their counts:
    1416 | Order Inquiry.exe | 2308 | cmd.exe (3 entries)
    2308 | cmd.exe | 3488 | PING.EXE (3 entries)
    1416 | Order Inquiry.exe | 1164 | cmd.exe (3 entries)
    1164 | cmd.exe | 920 | PING.EXE (3 entries)
    2308 | cmd.exe | 4744 | reg.exe (3 entries)
    1164 | cmd.exe | 2652 | PING.EXE (3 entries)
    1164 | cmd.exe | 2328 | dygjhkm.exe (3 entries)
    2328 | dygjhkm.exe | 3824 | AddInProcess32.exe (12 entries)
    2328 | dygjhkm.exe | 880 | dygjhkmffffhh.exe (3 entries)
    880 | dygjhkmffffhh.exe | 4300 | dygjhkmffffhh.exe (3 entries)
Processes (indented by process tree depth; the number in brackets is the depth shown in the report)
[1] C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dygjhkm.exe,"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 6
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dygjhkm.exe,"
        - Modifies WinLogon for persistence
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd" /c ping 127.0.0.1 -n 18 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe" "C:\Users\Admin\AppData\Roaming\dygjhkm.exe" && ping 127.0.0.1 -n 18 > nul && "C:\Users\Admin\AppData\Roaming\dygjhkm.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 18
        - Runs ping.exe
    [3] C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 18
        - Runs ping.exe
    [3] C:\Users\Admin\AppData\Roaming\dygjhkm.exe
        Command line: "C:\Users\Admin\AppData\Roaming\dygjhkm.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
          - Suspicious use of SetWindowsHookEx
      [4] C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe"
          - Executes dropped EXE
          - Checks computer location settings
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x408 0x304
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dygjhkmffffhh.exe.log
  Filesize: 1KB
  MD5: 7dca233df92b3884663fa5a40db8d49c
  SHA1: 208b8f27b708c4e06ac37f974471cc7b29c29b60
  SHA256: 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
  SHA512: d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07
- C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
  Filesize: 76KB
  MD5: 0e362e7005823d0bec3719b902ed6d62
  SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
  SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
  SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3
- C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
  Filesize: 55B
  MD5: 8060b3c73a211494afb6e647d8f3c341
  SHA1: f39f681d82226c633c7e45b8e6107a636c36bafa
  SHA256: e21698159b10c0963faf1fee0752b1c8a5d8e80e373f8c03dcd4f0e943910237
  SHA512: cb007c29e0844189e9823c43f626f2f1a3a5de06ea9f74a6fd3998813417eba8553dbb3210f61f916715cf25b09d7d49e3f05b8e2c56e8199b41c502d35ec376
- C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
  Filesize: 56B
  MD5: a41f5d301efdeba487fc71e557636575
  SHA1: e27042abeb6d2d588eaa5d687e5e640cd24c40bf
  SHA256: da900694a7afdf00c46ec924eaffe4eefd0c82d973674e3669205771748f937c
  SHA512: 8c0f4f766e1d8fb0841756e0f3616aaa89a8e63c08e7b8668a05411b3f066d8ec1d0f8e0e3b7111c12897ac9df9411c495c84a87edaf5931f4fc9de324efdebf
- C:\Users\Admin\AppData\Roaming\dygjhkm.exe
  Filesize: 1.1MB
  MD5: bd87ed67a08d2e9e4cec6526666b563e
  SHA1: 6ec0878c6a65ec969617287f19fde458bf0c5461
  SHA256: 7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1
  SHA512: 236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22
Memory dumps (file, filesize where reported):
- memory/880-155-0x00000000009B0000-0x00000000009CA000-memory.dmp (104KB)
- memory/880-152-0x0000000000000000-mapping.dmp
- memory/920-140-0x0000000000000000-mapping.dmp
- memory/1164-139-0x0000000000000000-mapping.dmp
- memory/1416-134-0x0000000005440000-0x00000000054DC000-memory.dmp (624KB)
- memory/1416-135-0x00000000066F0000-0x0000000006C94000-memory.dmp (5.6MB)
- memory/1416-133-0x00000000053A0000-0x0000000005432000-memory.dmp (584KB)
- memory/1416-136-0x0000000006420000-0x000000000642A000-memory.dmp (40KB)
- memory/1416-132-0x0000000000730000-0x000000000085A000-memory.dmp (1.2MB)
- memory/2308-137-0x0000000000000000-mapping.dmp
- memory/2328-146-0x0000000000AD0000-0x0000000000BFA000-memory.dmp (1.2MB)
- memory/2328-143-0x0000000000000000-mapping.dmp
- memory/2652-142-0x0000000000000000-mapping.dmp
- memory/3488-138-0x0000000000000000-mapping.dmp
- memory/3824-149-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3824-162-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3824-151-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3824-150-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3824-148-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
- memory/3824-147-0x0000000000000000-mapping.dmp
- memory/4300-157-0x0000000000000000-mapping.dmp
- memory/4744-141-0x0000000000000000-mapping.dmp