Analysis
Max time kernel: 222s
Max time network: 241s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-12-2022 09:03
Static task: static1
Behavioral task: behavioral1
  Sample: Payment receipt.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: Payment receipt.exe
  Resource: win10v2004-20221111-en
General
Target: Payment receipt.exe
Size: 488KB
MD5: 42f46f5712661c1cde04667a69263196
SHA1: 0441839c8aaf53c06ec48e698da276b499ba21b5
SHA256: f1ee84bf85dec48e4b94e5967de93bbed0d1b96ef43d68c2aa0b8ab7675d2c70
SHA512: 2955f10a90c57dfc96f4006ce265843e75375be911548f4ea1e0546fa244c1090c746302507a765244b10b8fab4a4d23f57a061d9cc999355256fa9b3ec53821
SSDEEP: 12288:VAJQhjuFi1ckK160/7qNPG4GT1jj8MW3XJ7I+GZb6qt+uP8:WJT41ckKE0/4G4u1jj8MWnJ7jG16w+/
Malware Config
Extracted: remcos
UC
ucremcz1.ddns.net:1823
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: BIN.exe
copy_folder: BIN
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Rmc-X402GF
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: bin
take_screenshot_option: false
take_screenshot_time: 5
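The configuration above can be turned into concrete hunt artifacts, but several of its flags are off, so not every path it names is expected to exist on an infected host. The following Python is an added example written for this page, not part of the sandbox report or of Remcos: it takes the extracted values as shown, parses the C2 host:port, joins the %AppData% placeholders into expected paths, and tags each artifact with whether the configuration actually enables it. The mapping of startup_value to an HKCU Run value name is an assumption about Remcos's installer, not something this report shows; the `expand_appdata` helper and the dynamic-DNS suffix list are likewise this example's own.

```python
import ntpath
import re

# Remcos configuration values as extracted in the report (copied verbatim);
# the "c2" entry is the host:port line printed under the family name.
REMCOS_CONFIG = {
    "c2": ["ucremcz1.ddns.net:1823"],
    "audio_folder": "MicRecords",
    "audio_record_time": "5",
    "connect_delay": "0",
    "connect_interval": "1",
    "copy_file": "BIN.exe",
    "copy_folder": "BIN",
    "delete_file": "false",
    "hide_file": "false",
    "hide_keylog_file": "false",
    "install_flag": "false",
    "install_path": "%AppData%",
    "keylog_crypt": "true",
    "keylog_file": "logs.dat",
    "keylog_flag": "false",
    "keylog_folder": "remcos",
    "keylog_path": "%AppData%",
    "mouse_option": "false",
    "mutex": "Rmc-X402GF",
    "screenshot_crypt": "false",
    "screenshot_flag": "false",
    "screenshot_folder": "Screenshots",
    "screenshot_path": "%AppData%",
    "screenshot_time": "10",
    "startup_value": "bin",
    "take_screenshot_option": "false",
    "take_screenshot_time": "5",
}

# Dynamic-DNS suffixes (this example's own list, not from the report).
DDNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org")


def as_bool(value):
    return str(value).strip().lower() in ("true", "1", "yes")


def parse_c2(entry):
    """Split a host:port entry; rpartition keeps any colon inside the host."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"unexpected C2 entry: {entry!r}")
    return host, int(port)


def expand_appdata(path, appdata):
    """Replace the %AppData% placeholder case-insensitively with a real directory."""
    return re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.IGNORECASE)


def hunt_artifacts(cfg):
    """Return (kind, value, expected) triples.

    `expected` is False when the configuration flag that would create the
    artifact is off, so its absence on a host says nothing about infection."""
    install_on = as_bool(cfg["install_flag"])
    keylog_on = as_bool(cfg["keylog_flag"])
    screenshots_on = as_bool(cfg["screenshot_flag"]) or as_bool(cfg["take_screenshot_option"])
    artifacts = []
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        artifacts.append(("network", f"{host}:{port}", True))
        if host.lower().endswith(DDNS_SUFFIXES):
            # Dynamic DNS: the IP behind the name is volatile, so hunt on the name.
            artifacts.append(("note", f"{host} is a dynamic-DNS name", True))
    artifacts.append(("mutex", cfg["mutex"], True))
    artifacts.append(("file", ntpath.join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]), install_on))
    # Assumption (not shown in the report): Remcos writes startup_value as the
    # Run value name only when its own installer (install_flag) is enabled.
    artifacts.append(("registry", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + cfg["startup_value"], install_on))
    artifacts.append(("file", ntpath.join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]), keylog_on))
    artifacts.append(("directory", ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]), screenshots_on))
    return artifacts


if __name__ == "__main__":
    appdata = "C:\\Users\\Admin\\AppData\\Roaming"  # example value for expansion
    for kind, value, expected in hunt_artifacts(REMCOS_CONFIG):
        shown = expand_appdata(value, appdata) if kind in ("file", "directory") else value
        print(f"{kind:9} {'expected' if expected else 'flag off'}  {shown}")
```

For this sample the only artifacts the configuration guarantees are the C2 name, its port and the mutex; `%AppData%\BIN\BIN.exe`, the keylog file and the screenshot folder are all gated by flags that are off, so a host hunt should treat their absence as uninformative.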
Signatures
Executes dropped EXE (2 IoCs)
  Processes: PID 3008 otjhuvh.exe; PID 3800 otjhuvh.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Process otjhuvh.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnbwuh = "C:\\Users\\Admin\\AppData\\Roaming\\nrvgcfyksvarq\\cidrcgh.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\otjhuvh.exe\" C:\\Users\\Admin\\AppData\\Lo" (value data truncated in the report)
  Note: the Run value re-launches otjhuvh.exe through a second executable (cidrcgh.exe under %AppData%\Roaming\nrvgcfyksvarq). It matches neither copy_folder/copy_file (BIN\BIN.exe) nor startup_value (bin) in the extracted Remcos configuration, whose install_flag is false, so the persistence observed here belongs to the dropper/loader layer rather than to Remcos's own installer.
Suspicious use of SetThreadContext (1 IoC)
  PID 3008 (otjhuvh.exe) set thread context of PID 3800 (otjhuvh.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; nothing else in this report supports that reading (the extracted configuration is a Remcos RAT's, and no encryption or ransom-note activity is recorded), and drive enumeration is ordinary host reconnaissance for a RAT.
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 3008 otjhuvh.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3800 otjhuvh.exe (SetWindowsHookEx is the API used to install keyboard and mouse hooks)
Suspicious use of WriteProcessMemory (7 IoCs)
  PID 5012 (Payment receipt.exe) wrote to memory of PID 3008 (otjhuvh.exe), 3 times
  PID 3008 (otjhuvh.exe) wrote to memory of PID 3800 (otjhuvh.exe), 4 times
  Note: memory writes plus SetThreadContext and MapViewOfSection from PID 3008 into a child running its own image is the pattern typically produced by process hollowing; the final payload runs in PID 3800.
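The process signatures above (WriteProcessMemory, SetThreadContext and MapViewOfSection from PID 3008 into a child running the same image) and the Run-key signature are the kind of flattened event lines an analyst ends up correlating by hand. The Python below is an added example, not part of the report or the sandbox: it parses lines in the shape this report prints (a format the example assumes from the text; the event lines are reconstructed from the IoCs above and the Run-key line is copied as printed), groups memory writes and thread-context changes per source/target pair to label a self-image hollowing candidate, and unescapes the Run value data to pull out the launcher path and the nested quoted executable. The user-writable-directory heuristic and the technique labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the signature IoCs from the report, one line per event,
# in the flattened "PID <src> <action> <dst> <src> <src image> <dst image>" shape.
PROCESS_EVENTS = [
    "PID 5012 wrote to memory of 3008 5012 Payment receipt.exe otjhuvh.exe",
    "PID 5012 wrote to memory of 3008 5012 Payment receipt.exe otjhuvh.exe",
    "PID 5012 wrote to memory of 3008 5012 Payment receipt.exe otjhuvh.exe",
    "PID 3008 set thread context of 3800 3008 otjhuvh.exe otjhuvh.exe",
    "PID 3008 wrote to memory of 3800 3008 otjhuvh.exe otjhuvh.exe",
    "PID 3008 wrote to memory of 3800 3008 otjhuvh.exe otjhuvh.exe",
    "PID 3008 wrote to memory of 3800 3008 otjhuvh.exe otjhuvh.exe",
    "PID 3008 wrote to memory of 3800 3008 otjhuvh.exe otjhuvh.exe",
]
# The Run-key IoC as the report prints it (C-style escaped value data).
RUN_KEY_LINE = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fnbwuh = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\nrvgcfyksvarq\\cidrcgh.exe '
    r'\"C:\\Users\\Admin\\AppData\\Local\\Temp\\otjhuvh.exe\" '
    r'C:\\Users\\Admin\\AppData\\Lo" otjhuvh.exe'
)

PROCESS_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>.+?\.exe) (?P<dst_image>.+\.exe)$"
)
RUN_KEY_RE = re.compile(
    r"^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\USER\\S-1-5-21-[\d-]+"
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)\\(?P<name>\S+) = "
    r'"(?P<data>.*)" (?P<process>\S+)$',
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.IGNORECASE)


def parse_process_events(lines):
    """Parse event lines; lines not in the expected shape are skipped."""
    events = []
    for line in lines:
        m = PROCESS_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"], e["dst"] = int(e["src"]), int(e["dst"])
            events.append(e)
    return events


def find_injection_chains(events):
    """Group writes and thread-context changes per (source, target) pair.

    A target that receives memory writes *and* a SetThreadContext from a
    process running the same image is labelled a hollowing candidate: the
    parent spawned its own image, overwrote it, then redirected its thread."""
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    for e in events:
        p = pairs[(e["src"], e["dst"])]
        p["src_image"], p["dst_image"] = e["src_image"], e["dst_image"]
        if e["action"] == "wrote to memory of":
            p["writes"] += 1
        else:
            p["set_thread_context"] = True
    findings = []
    for (src, dst), p in pairs.items():
        same_image = p["src_image"].lower() == p["dst_image"].lower()
        if p["set_thread_context"] and p["writes"] and same_image:
            technique = "self-image hollowing candidate"
        elif p["set_thread_context"] and p["writes"]:
            technique = "thread hijack into a foreign process"
        else:
            technique = "memory write only (staging, no control transfer seen)"
        findings.append({"src": src, "dst": dst, "same_image": same_image,
                         "technique": technique, **p})
    return findings


def analyse_run_key(line):
    """Extract launcher and nested executables from a Run-key Set value event."""
    m = RUN_KEY_RE.match(line.strip())
    if not m:
        return None
    data = m["data"].replace(r'\"', '"').replace("\\\\", "\\")  # undo escaping
    first = re.match(r'"?([^"]+?\.exe)', data, re.IGNORECASE)
    launcher = first.group(1) if first else data.split(" ", 1)[0]
    nested = re.findall(r'"([^"]+\.exe)"', data, re.IGNORECASE)
    in_user_dir = bool(USER_WRITABLE_RE.search(launcher))
    return {
        "name": m["name"], "process": m["process"], "launcher": launcher,
        "nested_executables": nested, "launcher_in_user_dir": in_user_dir,
        # Heuristic (this example's own): a Run value whose launcher lives in a
        # user-writable directory and wraps a second .exe is rarely legitimate.
        "suspicious": in_user_dir and (bool(nested) or "\\temp\\" in launcher.lower()),
    }


if __name__ == "__main__":
    for f in find_injection_chains(parse_process_events(PROCESS_EVENTS)):
        print(f"{f['src']} -> {f['dst']} ({f['src_image']} -> {f['dst_image']}): {f['technique']}")
    print(analyse_run_key(RUN_KEY_LINE))
```

Run against the report's events this yields two pairs: 5012 -> 3008 with three writes and no thread-context change (the dropper staging its child), and 3008 -> 3800 with four writes plus SetThreadContext between two processes of the same image, which is the hollowing candidate. The Run value parses to launcher `cidrcgh.exe` under `AppData\Roaming` wrapping `otjhuvh.exe` in `Local\Temp`, so it is flagged.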
Processes
1. C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe (PID 5012)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Payment receipt.exe"
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe (PID 3008), child of 1
     Command line: "C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe" C:\Users\Admin\AppData\Local\Temp\gjlhbsls.sn
     (the 7KB gjlhbsls.sn dropped alongside it is passed as the only argument)
     - Executes dropped EXE
     - Adds Run key to start application
     - Suspicious use of SetThreadContext
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe (PID 3800), child of 2
       Command line: "C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe"
       - Executes dropped EXE
       - Suspicious use of SetWindowsHookEx
PIDs are taken from the Signatures section, which names each process by PID and image.
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\fvfhpew.yw (469KB)
  MD5: 934e9cde12313d3640ceff4b3480e252
  SHA1: 7e269766eac4e846ccad8385c8e36409f265b5e8
  SHA256: 13dfff990385074af57e6eb20223d4cd7ff56f76cd00675854430a0929969d04
  SHA512: 6c73cca8fc2a95b6dffe2891888f107147e6185841c3a3145a616a8c3852bbc2c4530ac24975a6c8575c207539e5470e9a6335eefa9411b1ebc3b203f23c372d
C:\Users\Admin\AppData\Local\Temp\gjlhbsls.sn (7KB)
  MD5: 61a547ba66db3c5414000ec24cb6a1a9
  SHA1: 5a1780bcf6b4dea4a241fcf176da4263506cc0c5
  SHA256: ead51cf059354582c49f319c681bc621c854a1dad31ad69de3d84ac20941d5b6
  SHA512: 6fd8a1c2b3bcee56b1c8f438969864bc8ca36b5472e11de8cad2cfffd075f49ee17e0fe91b449d6bb9b6bfff9b75dcf8ace1f5ef8be6bcd54db2c369c3b422ce
C:\Users\Admin\AppData\Local\Temp\otjhuvh.exe (104KB)
  MD5: b762ac88d9d934e1711e631db2880135
  SHA1: dfcd02307fa39c7c09779de4d3b520f90b7ffabf
  SHA256: 89f84d974662db251ac18275abf51fae9a958da0930c612210047250477f62b1
  SHA512: a1701e1d7067283bfa77d07d79fe22d51ec0f71419248c6ef3e52efb190aff0daaa6edda6feeeb4ff97dac8654f6f0f2955da3d08b619b8b2e672a98fc767135
memory/3008-132-0x0000000000000000-mapping.dmp
memory/3800-137-0x0000000000000000-mapping.dmp
memory/3800-139-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
memory/3800-140-0x0000000000400000-0x000000000047F000-memory.dmp (508KB)
Note: 0x400000 is the default image base of a 32-bit executable. The two 508KB dumps cover the image region of PID 3800, the process whose thread context PID 3008 replaced, and are the natural place to look for the unpacked payload behind the Remcos configuration above.