Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-10-2022 16:28
Static task: static1
Behavioral task: behavioral1
  Sample: Scanned PO N402201321.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Scanned PO N402201321.exe
  Resource: win10v2004-20220812-en
General
Target: Scanned PO N402201321.exe
Size: 1.1MB
MD5: be5a3dcd8ac544cc9a5eac17daf5d813
SHA1: aa1317d65deca8bd330018e85000069288ce6afc
SHA256: 70deba92a46f6f3913b10be9eeacfe0c0b89177d4ca6041012bc446ca9bd0acf
SHA512: 77f0f34476d41108d2bb8d1009c08eb61d906cd13aad9bc3f397ad9d6d96a5f8bcd55181c90b231c707b71a175d531a952649bed9f302d658fb0338754ac5909
SSDEEP: 24576:QSbKwOzzwHsOzj4j85M1hUQDAxzJX44ws8:QSnJsOzj4jGM1aK4FXys
Malware Config
Extracted family: remcos
RemoteHost: harjahwool.ddnsfree.com:8372
audio_folder: MicRecords
audio_path: ApplicationPath
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-EGNT8M
screenshot_crypt: true
screenshot_flag: true
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\ganmuio.exe," | reg.exe

Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  2548 | ganmuio.exe
  3204 | greUgKja.exe
  4092 | greUgKja.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | ganmuio.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | greUgKja.exe

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 2548 set thread context of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Runs ping.exe (1 TTPs, 3 IoCs)
  Processes:
  pid | process
  4036 | PING.EXE
  3532 | PING.EXE
  1040 | PING.EXE

Suspicious behavior: EnumeratesProcesses (34 IoCs)
  Processes:
  pid | process
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  4140 | Scanned PO N402201321.exe
  2548 | ganmuio.exe
  2548 | ganmuio.exe
  2548 | ganmuio.exe
  3204 | greUgKja.exe
  4092 | greUgKja.exe
  4092 | greUgKja.exe
  4092 | greUgKja.exe
  2548 | ganmuio.exe
  2548 | ganmuio.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4140 | Scanned PO N402201321.exe
  Token: SeDebugPrivilege | 2548 | ganmuio.exe
  Token: 33 | 4424 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4424 | AUDIODG.EXE
  Token: SeDebugPrivilege | 3204 | greUgKja.exe
  Token: SeDebugPrivilege | 4092 | greUgKja.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  3944 | AddInProcess32.exe

Suspicious use of WriteProcessMemory (39 IoCs)
  Processes:
  description | pid | process | target process
  PID 4140 wrote to memory of 3432 | 4140 | Scanned PO N402201321.exe | cmd.exe
  PID 4140 wrote to memory of 3432 | 4140 | Scanned PO N402201321.exe | cmd.exe
  PID 4140 wrote to memory of 3432 | 4140 | Scanned PO N402201321.exe | cmd.exe
  PID 3432 wrote to memory of 3532 | 3432 | cmd.exe | PING.EXE
  PID 3432 wrote to memory of 3532 | 3432 | cmd.exe | PING.EXE
  PID 3432 wrote to memory of 3532 | 3432 | cmd.exe | PING.EXE
  PID 4140 wrote to memory of 4332 | 4140 | Scanned PO N402201321.exe | cmd.exe
  PID 4140 wrote to memory of 4332 | 4140 | Scanned PO N402201321.exe | cmd.exe
  PID 4140 wrote to memory of 4332 | 4140 | Scanned PO N402201321.exe | cmd.exe
  PID 4332 wrote to memory of 1040 | 4332 | cmd.exe | PING.EXE
  PID 4332 wrote to memory of 1040 | 4332 | cmd.exe | PING.EXE
  PID 4332 wrote to memory of 1040 | 4332 | cmd.exe | PING.EXE
  PID 3432 wrote to memory of 2080 | 3432 | cmd.exe | reg.exe
  PID 3432 wrote to memory of 2080 | 3432 | cmd.exe | reg.exe
  PID 3432 wrote to memory of 2080 | 3432 | cmd.exe | reg.exe
  PID 4332 wrote to memory of 4036 | 4332 | cmd.exe | PING.EXE
  PID 4332 wrote to memory of 4036 | 4332 | cmd.exe | PING.EXE
  PID 4332 wrote to memory of 4036 | 4332 | cmd.exe | PING.EXE
  PID 4332 wrote to memory of 2548 | 4332 | cmd.exe | ganmuio.exe
  PID 4332 wrote to memory of 2548 | 4332 | cmd.exe | ganmuio.exe
  PID 4332 wrote to memory of 2548 | 4332 | cmd.exe | ganmuio.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3944 | 2548 | ganmuio.exe | AddInProcess32.exe
  PID 2548 wrote to memory of 3204 | 2548 | ganmuio.exe | greUgKja.exe
  PID 2548 wrote to memory of 3204 | 2548 | ganmuio.exe | greUgKja.exe
  PID 2548 wrote to memory of 3204 | 2548 | ganmuio.exe | greUgKja.exe
  PID 3204 wrote to memory of 4092 | 3204 | greUgKja.exe | greUgKja.exe
  PID 3204 wrote to memory of 4092 | 3204 | greUgKja.exe | greUgKja.exe
  PID 3204 wrote to memory of 4092 | 3204 | greUgKja.exe | greUgKja.exe
Processes (indented by process-tree depth)

[depth 1] C:\Users\Admin\AppData\Local\Temp\Scanned PO N402201321.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scanned PO N402201321.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c ping 127.0.0.1 -n 6 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\ganmuio.exe,"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 6
      - Runs ping.exe

    [depth 3] C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\ganmuio.exe,"
      - Modifies WinLogon for persistence

  [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Scanned PO N402201321.exe" "C:\Users\Admin\AppData\Roaming\ganmuio.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\AppData\Roaming\ganmuio.exe"
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 13
      - Runs ping.exe

    [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 13
      - Runs ping.exe

    [depth 3] C:\Users\Admin\AppData\Roaming\ganmuio.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ganmuio.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        - Suspicious use of SetWindowsHookEx

      [depth 4] C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\greUgKja.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Users\Admin\AppData\Local\Temp\greUgKja.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\greUgKja.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

[depth 1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x394 0x370
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\greUgKja.exe.log
  Filesize: 1KB
  MD5: 7dca233df92b3884663fa5a40db8d49c
  SHA1: 208b8f27b708c4e06ac37f974471cc7b29c29b60
  SHA256: 90c83311e35da0b5f8aa65aa2109745feb68ee9540e863f4ed909872e9c6a84c
  SHA512: d134b96fd33c79c85407608f76afc5a9f937bff453b1c90727a3ed992006c7d4c8329be6a2b5ba6b11da1a32f7cd60e9bc380be388b586d6cd5c2e6b1f57bd07

C:\Users\Admin\AppData\Local\Temp\greUgKja.exe (identical entry listed 3 times in the report)
  Filesize: 76KB
  MD5: 0e362e7005823d0bec3719b902ed6d62
  SHA1: 590d860b909804349e0cdc2f1662b37bd62f7463
  SHA256: 2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
  SHA512: 518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

C:\Users\Admin\AppData\Local\Temp\greUgKja.txt (no filesize recorded)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\greUgKja.txt (identical entry listed 2 times in the report)
  Filesize: 56B
  MD5: 15da1382b6023bc625946c2c58ce8e7a
  SHA1: ba9120e8d170d6ac75345686adf4341ee888eaf2
  SHA256: 2dbe8e4d62e2be1d145ddccece831e44749d4957792f1cff94d6a02863e51451
  SHA512: 1985da52ed5c487a1be29f853a8f34887cb7e0e8d502f85eccd03523fac364fd8b2f8b682c45124b2488ce74d69879496b2ec1e74927597bd311b264c05fc797

C:\Users\Admin\AppData\Roaming\ganmuio.exe (identical entry listed 2 times in the report)
  Filesize: 1.1MB
  MD5: be5a3dcd8ac544cc9a5eac17daf5d813
  SHA1: aa1317d65deca8bd330018e85000069288ce6afc
  SHA256: 70deba92a46f6f3913b10be9eeacfe0c0b89177d4ca6041012bc446ca9bd0acf
  SHA512: 77f0f34476d41108d2bb8d1009c08eb61d906cd13aad9bc3f397ad9d6d96a5f8bcd55181c90b231c707b71a175d531a952649bed9f302d658fb0338754ac5909

Memory dumps
memory/1040-140-0x0000000000000000-mapping.dmp
memory/2080-141-0x0000000000000000-mapping.dmp
memory/2548-146-0x00000000001B0000-0x00000000002C8000-memory.dmp  Filesize: 1.1MB
memory/2548-143-0x0000000000000000-mapping.dmp
memory/3204-155-0x0000000000AF0000-0x0000000000B0A000-memory.dmp  Filesize: 104KB
memory/3204-152-0x0000000000000000-mapping.dmp
memory/3432-137-0x0000000000000000-mapping.dmp
memory/3532-138-0x0000000000000000-mapping.dmp
memory/3944-148-0x0000000000400000-0x000000000047F000-memory.dmp  Filesize: 508KB
memory/3944-150-0x0000000000400000-0x000000000047F000-memory.dmp  Filesize: 508KB
memory/3944-151-0x0000000000400000-0x000000000047F000-memory.dmp  Filesize: 508KB
memory/3944-162-0x0000000000400000-0x000000000047F000-memory.dmp  Filesize: 508KB
memory/3944-149-0x0000000000400000-0x000000000047F000-memory.dmp  Filesize: 508KB
memory/3944-147-0x0000000000000000-mapping.dmp
memory/4036-142-0x0000000000000000-mapping.dmp
memory/4092-157-0x0000000000000000-mapping.dmp
memory/4140-132-0x0000000000700000-0x0000000000818000-memory.dmp  Filesize: 1.1MB
memory/4140-136-0x0000000005B50000-0x0000000005B5A000-memory.dmp  Filesize: 40KB
memory/4140-135-0x0000000005B80000-0x0000000005C12000-memory.dmp  Filesize: 584KB
memory/4140-134-0x0000000005F50000-0x00000000064F4000-memory.dmp  Filesize: 5.6MB
memory/4140-133-0x0000000004CC0000-0x0000000004D5C000-memory.dmp  Filesize: 624KB
memory/4332-139-0x0000000000000000-mapping.dmp