Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2022, 13:22

General

  • Target

    PO-0452.pdf.js

  • Size

    870KB

  • MD5

    db09426b1c31bed509498c873602bd32

  • SHA1

    1c2bd19c61ac10048f090cf49fda3d42a15e7c7a

  • SHA256

    99d5f2394b1ba576d9e82ac5951d1108fe41e631ca5fd2de15837c733296b71c

  • SHA512

    14ad9e37f9d77294b7b7d8090b333c57efb1649757437e887395baf5b55aad30f519bf2c4cd43851a877814f7e09dc50ec7d14c502289f6d919557d02fd5b0e5

  • SSDEEP

    12288:2qirjOjQuXILATw3bvf1mKVYyYkP9ZrdOLFN+3OGo2Y5rpEqiEiVHTb5OmsFVxNI:AG4LYMzcWYlu5ULh3iVzb5OmsnjI

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.222.57.147:1989

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-N10BFI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-0452.pdf.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pQvdcedYEV.js"
      2⤵
      • Blocklisted process makes network request
      • Drops startup file
      PID:1272
    • C:\Users\Admin\AppData\Local\Temp\remcos_a.exe
      "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
      2⤵
      • Executes dropped EXE
      PID:2044

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

    Filesize

    469KB

    MD5

    14ea8e66c295e1883924c5a685123069

    SHA1

    b1dc4b5dd08c3c055066b10c119bd390747994f2

    SHA256

    dc402d0bbdb1edac28207a6a9b6cbae698bb0b6cf6efe41bda4362c3a10d6915

    SHA512

    c2baca8d5b9438bf061fb9581b6275870a4f6193b8632112e129362e478963ca610692615defad1e55586fd955ce293ab3ecf7408ea7566c7213387ab5b46009

  • C:\Users\Admin\AppData\Roaming\pQvdcedYEV.js

    Filesize

    10KB

    MD5

    8c08d9c28569d6d222a76c39ef6dbd2c

    SHA1

    96c8240b6650b29cacb7abfcefc6defa913ad5c2

    SHA256

    eb490702fcfcaa7ca28fe5037f7177c052c9617cf863333e3b9bade5a7e6596e

    SHA512

    67e5ab76a58bc953c513204e4767afb68eb73ced347c08d77b37c55c9ba3b7c3ad529e50ba59825459e161ea7fdfd6242326deea0fcd31f30fc2e30f498f22db

  • memory/1688-54-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

    Filesize

    8KB

  • memory/2044-59-0x0000000075601000-0x0000000075603000-memory.dmp

    Filesize

    8KB