Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/10/2022, 13:22

Static task: static1
Behavioral task: behavioral1
- Sample: PO-0452.pdf.js
- Resource: win7-20220812-en
General
- Target: PO-0452.pdf.js
- Size: 870KB
- MD5: db09426b1c31bed509498c873602bd32
- SHA1: 1c2bd19c61ac10048f090cf49fda3d42a15e7c7a
- SHA256: 99d5f2394b1ba576d9e82ac5951d1108fe41e631ca5fd2de15837c733296b71c
- SHA512: 14ad9e37f9d77294b7b7d8090b333c57efb1649757437e887395baf5b55aad30f519bf2c4cd43851a877814f7e09dc50ec7d14c502289f6d919557d02fd5b0e5
- SSDEEP: 12288:2qirjOjQuXILATw3bvf1mKVYyYkP9ZrdOLFN+3OGo2Y5rpEqiEiVHTb5OmsFVxNI:AG4LYMzcWYlu5ULh3iVzb5OmsnjI
Malware Config
Extracted family: remcos
- RemoteHost: 185.222.57.147:1989
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-N10BFI
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Blocklisted process makes network request (6 IoCs)
  flow | pid | Process
  8 | 3972 | wscript.exe
  29 | 3972 | wscript.exe
  31 | 3972 | wscript.exe
  35 | 3972 | wscript.exe
  37 | 3972 | wscript.exe
  40 | 3972 | wscript.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  1252 | remcos_a.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQvdcedYEV.js | wscript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pQvdcedYEV.js | wscript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 964 wrote to memory of 3972 | 964 | wscript.exe | 81
  PID 964 wrote to memory of 3972 | 964 | wscript.exe | 81
  PID 964 wrote to memory of 1252 | 964 | wscript.exe | 82
  PID 964 wrote to memory of 1252 | 964 | wscript.exe | 82
  PID 964 wrote to memory of 1252 | 964 | wscript.exe | 82
Processes
- C:\Windows\system32\wscript.exe (PID 964)
  Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO-0452.pdf.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\wscript.exe (PID 3972)
    Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pQvdcedYEV.js"
    - Blocklisted process makes network request
    - Drops startup file
  - C:\Users\Admin\AppData\Local\Temp\remcos_a.exe (PID 1252)
    Command line: "C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 469KB
  MD5: 14ea8e66c295e1883924c5a685123069
  SHA1: b1dc4b5dd08c3c055066b10c119bd390747994f2
  SHA256: dc402d0bbdb1edac28207a6a9b6cbae698bb0b6cf6efe41bda4362c3a10d6915
  SHA512: c2baca8d5b9438bf061fb9581b6275870a4f6193b8632112e129362e478963ca610692615defad1e55586fd955ce293ab3ecf7408ea7566c7213387ab5b46009
- Filesize: 10KB
  MD5: 8c08d9c28569d6d222a76c39ef6dbd2c
  SHA1: 96c8240b6650b29cacb7abfcefc6defa913ad5c2
  SHA256: eb490702fcfcaa7ca28fe5037f7177c052c9617cf863333e3b9bade5a7e6596e
  SHA512: 67e5ab76a58bc953c513204e4767afb68eb73ced347c08d77b37c55c9ba3b7c3ad529e50ba59825459e161ea7fdfd6242326deea0fcd31f30fc2e30f498f22db