Analysis
-
max time kernel: 149s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/11/2022, 11:38
-
Static task: static1
Behavioral task: behavioral1
  Sample: oder.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: oder.exe
  Resource: win10v2004-20220812-en
General
-
Target: oder.exe
Size: 1.4MB
MD5: d09dec170b549ce4a803423a73f1ca12
SHA1: a3288dafe2d5b2758846cbb685684583411494a2
SHA256: 3c7c946ab9bd9f728928c817d648b9808eb7783b4ca73710050093f0c46d5f61
SHA512: 30cc589739db5b083910b97c81aadb1f5a7983671e81364515648b1a8c7228168ed76adc9b403a6193b187fa30994479f8b9a431caa8f5b9d40d2427a54fe0ad
SSDEEP: 24576:7AOcZX4c9rYLMbYjqTfJ7UOO1mIgRBltn9zKnyjdrZYLphOaC/EZQ/J+43DsIYnV:djMEjqTBHQWXbFeyjJ6LPO3nh+y+V
Malware Config
-
Extracted: remcos
svnHost (C2 host:port): 83.229.39.38:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-H96B2Z
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
-
Reading the config: install_flag is false, so Remcos' own installer routine (copy to a Remcos\remcos.exe path, Run value named Remcos) is not used by this build; the persistence observed in this run is written by the dropped loader, not by Remcos itself (see Signatures). Keylogging and screenshot capture are switched off in the config, so the mutex Rmc-H96B2Z and the C2 socket 83.229.39.38:2404 are the most useful indicators from this section.
Signatures
-
Executes dropped EXE (2 IoCs)
  PID 1288  beqgxodpl.exe
  PID 1544  RegSvcs.exe
-
Loads dropped DLL (2 IoCs)
  PID 1352  WScript.exe
  PID 1288  beqgxodpl.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created      \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run    by beqgxodpl.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4_49\\BEQGXO~1.EXE C:\\Users\\Admin\\AppData\\Local\\Temp\\4_49\\xhpfes.jus"    by beqgxodpl.exe
  Note: this is a machine-wide HKLM Run value (writing it needs administrative rights, which the sandbox's Admin user had); the Wow6432Node path is the 32-bit writer's view of HKLM\SOFTWARE on the x64 host. The value name WindowsUpdate imitates a Windows component, the command refers to the dropped loader by its 8.3 short name (BEQGXO~1.EXE is beqgxodpl.exe) and passes xhpfes.jus as its argument, the same command line seen in the Processes tree. Persistence is therefore provided by the loader, not by Remcos' install routine (install_flag is false in the extracted config).
-
Suspicious use of SetThreadContext (1 IoC)
  PID 1288 (beqgxodpl.exe) set thread context of PID 1544 (RegSvcs.exe)
  Note: together with the nine WriteProcessMemory calls from 1288 into 1544 below, this is the process-hollowing pattern: the loader starts a copy of RegSvcs.exe dropped into Temp, writes the payload into it and redirects its thread. RegSvcs.exe is the process that subsequently shows the Remcos behaviour (SetWindowsHookEx).
-
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Note: the second sentence is the sandbox's generic description of this signature. The sample is identified as Remcos, a RAT whose file-manager module lists drives, and nothing else in this report points to ransomware.
-
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1544  RegSvcs.exe (the hollowed host process, not the loader)
-
Suspicious use of WriteProcessMemory (17 IoCs)
  PID 1976 (oder.exe)       wrote to memory of PID 1352 (WScript.exe)     x4
  PID 1352 (WScript.exe)    wrote to memory of PID 1288 (beqgxodpl.exe)   x4
  PID 1288 (beqgxodpl.exe)  wrote to memory of PID 1544 (RegSvcs.exe)     x9
  Note: the sandbox reports every WriteProcessMemory call, including the handful a parent typically makes when it creates a child; the four writes per child for the first two pairs fit that pattern, while the nine writes from beqgxodpl.exe into RegSvcs.exe, paired with SetThreadContext, are the injection.
Processes
-
C:\Users\Admin\AppData\Local\Temp\oder.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\oder.exe"
    PID: 1976
    - Suspicious use of WriteProcessMemory
    |
    +-- C:\Windows\SysWOW64\WScript.exe
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\4_49\qkngrv.vbe"
        PID: 1352
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\4_49\beqgxodpl.exe" xhpfes.jus
            PID: 1288
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            |
            +-- C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
                PID: 1544
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
-
Chain summary: oder.exe unpacks its components into Temp\4_49 and runs an encoded VBScript (qkngrv.vbe) with WScript.exe; the script starts the dropped loader beqgxodpl.exe with xhpfes.jus as its argument; the loader writes the Run value, starts a copy of RegSvcs.exe dropped into Temp (not the one under Microsoft.NET\Framework) and injects into it, and that process is where the Remcos hook is installed. The command line names System32\WScript.exe but the image runs from SysWOW64: the parent is 32-bit on an x64 host, so file-system redirection resolves the path, and the same WOW64 redirection is why the Run key appears under Wow6432Node.
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 1023KB (this entry appears three times in the original download list)
MD5: f918014ea55e52d1fa0afd76f3a06e74
SHA1: 3b8f11f27e469d02ec54f2ccf452add22413be36
SHA256: f1150309a596ab1c84e27b637edc5bdae2bae5ea0d0cac75736be0432de6821f
SHA512: b1b136f4a748ad6032f7f1fe8468317df1ab78f06a46589929ba8cf10239bc281deb5081a3241de76d26f20d9bffaf3df3859a47ed48bde3156b458db4bdb96f
-
Filesize: 939KB
MD5: 91cd0a1fffab60215a45d8eee93dc28b
SHA1: 26e0fa3702d9d11d5077c0fe82b6ef2c177198dc
SHA256: be6a5a94f351db158d5a67f596b85a0baa112efc42fabf3a60e85c0169df73b0
SHA512: 84dacf17999aa9efc73562681e9a2571ec9eeb8091e2615e469c705826ffe7ec40400680acc225cdd35548a874bb0bbdc7e41d7a69a6d31154e246ae026c85cd
-
Filesize: 48KB
MD5: 6806cad8f76ac1e64729efabe69a6cc3
SHA1: 79e5e3d2f558dc609f36dac2fe0c70a403e80a9b
SHA256: 3be3e03a563b786d7ee47aa806c7ecc641bae2bbcc446e7d0b6980edf1e6e308
SHA512: a40937eef628dcec8a13c96859efaa4bf51977f0a9e03eeaa9a93d1e6b74cf5a77a2d23be69651fd18c47ad665df6e68d57cd177bd55a631afd39605e5ce37f8
-
Filesize: 96.7MB
MD5: c358f58747a462523f062670fa9caa7e
SHA1: 063d8a38f699a7ea3f3ded2b740f308d8d5e0731
SHA256: e68ead499ad15805ebae14eb3a567cc8571f2ae8a06fd78ab465b9ffebeed444
SHA512: 98776ee8be1a0fd5d21dc99e047ed0d2c65e08b98a6c00ffd0b40c43db93b70674519312fbf75d3c0f9ec34f6c2d6ec1bd695f5aab49449f486fe89b46c3a9f2
-
Filesize: 44KB (this entry appears twice in the original download list)
MD5: 0e06054beb13192588e745ee63a84173
SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
Filesize: 32KB
MD5: c9ab163d2f7bc130856326b41406df9f
SHA1: 7b581bc36fbe920087affb4ceed4878277de5b9f
SHA256: b1d50e6e39d34d9ba1c2bee72eebf36750f727ba618bf2caacf5400817fbc306
SHA512: fe3a7308fff00c8f6918945968eb902f0685d7977a0de76d070ba4ef5e48592e135ca7a4d68043941b583884c1da75d185af54f08f7f6d216813e93335b509c2