Analysis
- max time kernel: 148s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 12/10/2022, 13:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO-0452.pdf.js
- Resource: win7-20220812-en
General
- Target: PO-0452.pdf.js
- Size: 870KB
- MD5: db09426b1c31bed509498c873602bd32
- SHA1: 1c2bd19c61ac10048f090cf49fda3d42a15e7c7a
- SHA256: 99d5f2394b1ba576d9e82ac5951d1108fe41e631ca5fd2de15837c733296b71c
- SHA512: 14ad9e37f9d77294b7b7d8090b333c57efb1649757437e887395baf5b55aad30f519bf2c4cd43851a877814f7e09dc50ec7d14c502289f6d919557d02fd5b0e5
- SSDEEP: 12288:2qirjOjQuXILATw3bvf1mKVYyYkP9ZrdOLFN+3OGo2Y5rpEqiEiVHTb5OmsFVxNI:AG4LYMzcWYlu5ULh3iVzb5OmsnjI
Malware Config
Extracted family: remcos
- RemoteHost: 185.222.57.147:1989
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-N10BFI
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Blocklisted process makes network request (5 IoCs)
  flow  pid   Process
  5     1272  wscript.exe
  8     1272  wscript.exe
  10    1272  wscript.exe
  12    1272  wscript.exe
  14    1272  wscript.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2044  remcos_a.exe
- Drops startup file (2 IoCs)
  description                  ioc                                                                                       Process
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQvdcedYEV.js wscript.exe
  File created                 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQvdcedYEV.js wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                         pid   Process      procid_target
  PID 1688 wrote to memory of 1272    1688  wscript.exe  27
  PID 1688 wrote to memory of 1272    1688  wscript.exe  27
  PID 1688 wrote to memory of 1272    1688  wscript.exe  27
  PID 1688 wrote to memory of 2044    1688  wscript.exe  28
  PID 1688 wrote to memory of 2044    1688  wscript.exe  28
  PID 1688 wrote to memory of 2044    1688  wscript.exe  28
  PID 1688 wrote to memory of 2044    1688  wscript.exe  28
Processes
- C:\Windows\system32\wscript.exe (level 1)
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-0452.pdf.js
  PID: 1688
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (level 2)
    command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pQvdcedYEV.js"
    PID: 1272
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\remcos_a.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
    PID: 2044
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 469KB
  MD5: 14ea8e66c295e1883924c5a685123069
  SHA1: b1dc4b5dd08c3c055066b10c119bd390747994f2
  SHA256: dc402d0bbdb1edac28207a6a9b6cbae698bb0b6cf6efe41bda4362c3a10d6915
  SHA512: c2baca8d5b9438bf061fb9581b6275870a4f6193b8632112e129362e478963ca610692615defad1e55586fd955ce293ab3ecf7408ea7566c7213387ab5b46009
- Filesize: 10KB
  MD5: 8c08d9c28569d6d222a76c39ef6dbd2c
  SHA1: 96c8240b6650b29cacb7abfcefc6defa913ad5c2
  SHA256: eb490702fcfcaa7ca28fe5037f7177c052c9617cf863333e3b9bade5a7e6596e
  SHA512: 67e5ab76a58bc953c513204e4767afb68eb73ced347c08d77b37c55c9ba3b7c3ad529e50ba59825459e161ea7fdfd6242326deea0fcd31f30fc2e30f498f22db