Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2022 09:04
Static task
static1
Behavioral task
behavioral1
Sample
MT NEW STAR V2231.PDF.js
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
MT NEW STAR V2231.PDF.js
Resource
win10v2004-20220901-en
General
-
Target
MT NEW STAR V2231.PDF.js
-
Size
856KB
-
MD5
b57f46aae59e5b141af36a0e5598cb7b
-
SHA1
d7c37a169fd2399d44b6330d8c459f5edd0151dd
-
SHA256
15c52aa78fef0b66472f35c92e2778fcc726762e4f648ea8b027074f4d13fe46
-
SHA512
040321fa3f3db208587af428bcc2643e36b941eaaea788c86c1e380168b35790c735cc09bbe29305feb1612bd9673e239007a728a7aa388427a7fa34235eb6f1
-
SSDEEP
12288:5F+J0rvOJnnLrRoIalxPZu2o0iZTbSX7/QCFxweyve:+JGrhu5qVGve
Malware Config
Extracted
remcos
RemoteHost
84.21.172.33:5763
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
uac.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-AG7QM3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Processes:
reg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral2/memory/824-155-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral2/memory/2364-157-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral2/memory/2364-158-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 4 IoCs
Processes:
resource yara_rule behavioral2/memory/824-155-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral2/memory/2104-156-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral2/memory/2364-157-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral2/memory/2364-158-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft -
Blocklisted process makes network request 6 IoCs
Processes:
wscript.exeflow pid process 5 2064 wscript.exe 36 2064 wscript.exe 46 2064 wscript.exe 49 2064 wscript.exe 52 2064 wscript.exe 53 2064 wscript.exe -
Executes dropped EXE 5 IoCs
Processes:
remcos_a.exeuac.exeuac.exeuac.exeuac.exepid process 3872 remcos_a.exe 3544 uac.exe 2364 uac.exe 824 uac.exe 2104 uac.exe -
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exeremcos_a.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation wscript.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation remcos_a.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
Processes:
wscript.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkBSYEKIrV.js wscript.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DkBSYEKIrV.js wscript.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
uac.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts uac.exe -
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
uac.exeremcos_a.exedescription ioc process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ uac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\uac.exe\"" uac.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ remcos_a.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\uac.exe\"" remcos_a.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ remcos_a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\uac.exe\"" remcos_a.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\ uac.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\ProgramData\\Remcos\\uac.exe\"" uac.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
uac.exedescription pid process target process PID 3544 set thread context of 1848 3544 uac.exe svchost.exe PID 3544 set thread context of 2364 3544 uac.exe uac.exe PID 3544 set thread context of 824 3544 uac.exe uac.exe PID 3544 set thread context of 2104 3544 uac.exe uac.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes:
remcos_a.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings remcos_a.exe -
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
uac.exeuac.exepid process 2364 uac.exe 2364 uac.exe 2104 uac.exe 2104 uac.exe 2364 uac.exe 2364 uac.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
uac.exepid process 3544 uac.exe 3544 uac.exe 3544 uac.exe 3544 uac.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
uac.exedescription pid process Token: SeDebugPrivilege 2104 uac.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
wscript.exeremcos_a.execmd.exeWScript.execmd.exeuac.execmd.exedescription pid process target process PID 4180 wrote to memory of 2064 4180 wscript.exe wscript.exe PID 4180 wrote to memory of 2064 4180 wscript.exe wscript.exe PID 4180 wrote to memory of 3872 4180 wscript.exe remcos_a.exe PID 4180 wrote to memory of 3872 4180 wscript.exe remcos_a.exe PID 4180 wrote to memory of 3872 4180 wscript.exe remcos_a.exe PID 3872 wrote to memory of 4172 3872 remcos_a.exe cmd.exe PID 3872 wrote to memory of 4172 3872 remcos_a.exe cmd.exe PID 3872 wrote to memory of 4172 3872 remcos_a.exe cmd.exe PID 4172 wrote to memory of 5116 4172 cmd.exe reg.exe PID 4172 wrote to memory of 5116 4172 cmd.exe reg.exe PID 4172 wrote to memory of 5116 4172 cmd.exe reg.exe PID 3872 wrote to memory of 240 3872 remcos_a.exe WScript.exe PID 3872 wrote to memory of 240 3872 remcos_a.exe WScript.exe PID 3872 wrote to memory of 240 3872 remcos_a.exe WScript.exe PID 240 wrote to memory of 3532 240 WScript.exe cmd.exe PID 240 wrote to memory of 3532 240 WScript.exe cmd.exe PID 240 wrote to memory of 3532 240 WScript.exe cmd.exe PID 3532 wrote to memory of 3544 3532 cmd.exe uac.exe PID 3532 wrote to memory of 3544 3532 cmd.exe uac.exe PID 3532 wrote to memory of 3544 3532 cmd.exe uac.exe PID 3544 wrote to memory of 1400 3544 uac.exe cmd.exe PID 3544 wrote to memory of 1400 3544 uac.exe cmd.exe PID 3544 wrote to memory of 1400 3544 uac.exe cmd.exe PID 3544 wrote to memory of 1848 3544 uac.exe svchost.exe PID 3544 wrote to memory of 1848 3544 uac.exe svchost.exe PID 3544 wrote to memory of 1848 3544 uac.exe svchost.exe PID 3544 wrote to memory of 1848 3544 uac.exe svchost.exe PID 1400 wrote to memory of 1084 1400 cmd.exe reg.exe PID 1400 wrote to memory of 1084 1400 cmd.exe reg.exe PID 1400 wrote to memory of 1084 1400 cmd.exe reg.exe PID 3544 wrote to memory of 2364 3544 uac.exe uac.exe PID 3544 wrote to memory of 2364 3544 uac.exe uac.exe PID 3544 wrote to memory of 2364 3544 uac.exe uac.exe PID 3544 wrote to memory of 824 3544 uac.exe uac.exe PID 3544 wrote to memory of 824 3544 uac.exe uac.exe PID 3544 wrote to memory of 824 3544 uac.exe uac.exe PID 3544 wrote to memory of 2104 3544 uac.exe uac.exe PID 3544 wrote to memory of 2104 3544 uac.exe uac.exe PID 3544 wrote to memory of 2104 3544 uac.exe uac.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\MT NEW STAR V2231.PDF.js"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkBSYEKIrV.js"2⤵
- Blocklisted process makes network request
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\remcos_a.exe"C:\Users\Admin\AppData\Roaming\remcos_a.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rgpivvnedcdjzqomsrejlf.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Remcos\uac.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Remcos\uac.exeC:\ProgramData\Remcos\uac.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\svchost.exesvchost.exe6⤵
-
C:\ProgramData\Remcos\uac.exeC:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\ewsnssolfiovjpj"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\Remcos\uac.exeC:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\pqxgslyntqgzuvxobq"6⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\ProgramData\Remcos\uac.exeC:\ProgramData\Remcos\uac.exe /stext "C:\Users\Admin\AppData\Local\Temp\zlkytdjhhyymwbtssatlq"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Remcos\uac.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
C:\ProgramData\Remcos\uac.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
C:\ProgramData\Remcos\uac.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
C:\ProgramData\Remcos\uac.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
C:\ProgramData\Remcos\uac.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
C:\Users\Admin\AppData\Local\Temp\ewsnssolfiovjpjFilesize
4KB
MD5952a930b9fe70f809a67cb4e765c9448
SHA17e6c235246cc1be14d8a01ee7688a2a2471d44c9
SHA256bd8156713974af3003c418302d3647fa84f62836fe83613c05e8bc40cb06a867
SHA51210d12f2412fd2cb9ecf47cccd0261b17d9a3323957602c06795c4b2244306837d0a979ec6e552dc023ee81719ebcb9455bdb6f9d44f07788664994d1498452fb
-
C:\Users\Admin\AppData\Local\Temp\rgpivvnedcdjzqomsrejlf.vbsFilesize
380B
MD57b8772bb10bd0b5381f26c961f6d2768
SHA1ad8bdcb8251394e87f5599abdb0bc2334f65eb12
SHA2560bb9b2e1d903edf86f15874531f3ceea186e953ab8f8489ecd601fd7eac5b457
SHA512bff73e04eb175c741a733c48a3bb38821d26d470e9b25ee0c18b1b7d0ccf850d57a9cee94843016c78e17f6859ca86dd6b4ea59296ed7b0022d7cf915a743a75
-
C:\Users\Admin\AppData\Roaming\DkBSYEKIrV.jsFilesize
7KB
MD5de6279ecda86cb1c9dea290f11778fed
SHA1510eeb73129bf63873ed19fd07955e2e8cb3e83d
SHA256a99dbe1f52517b26087512d54d1f849c0216f14ab9f3c618c437546118dd1373
SHA512f3434f9b38f0d2b9a52aa160698aec75d03f3bd92263a06636098561e0b5f310191bca760338a0640a280893488f781cb2df80f52b9a6f3a631dd2c4fcecff73
-
C:\Users\Admin\AppData\Roaming\remcos_a.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
C:\Users\Admin\AppData\Roaming\remcos_a.exeFilesize
470KB
MD5d7eda792cc905481af5f73aa23dcfbcb
SHA124bacf412ca6befbaf27703019ab3aafa0e52596
SHA256da59632417e4b72af2be17400c9f5cbbc8207542de1781ab5f69657d2c85f108
SHA5120891b69a550e5a8daf48be8c2eb2e47eac092e564d696d8fb83103ee2c4efa358c9069ac22635d971f4e23fa3f3dab33ff261fd14bfe9ed9ad83f4c2588f56da
-
memory/240-139-0x0000000000000000-mapping.dmp
-
memory/824-151-0x0000000000000000-mapping.dmp
-
memory/824-155-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1084-147-0x0000000000000000-mapping.dmp
-
memory/1400-145-0x0000000000000000-mapping.dmp
-
memory/1848-148-0x0000000000E00000-0x0000000000E7F000-memory.dmpFilesize
508KB
-
memory/1848-146-0x0000000000000000-mapping.dmp
-
memory/2064-132-0x0000000000000000-mapping.dmp
-
memory/2104-153-0x0000000000000000-mapping.dmp
-
memory/2104-156-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/2364-158-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2364-149-0x0000000000000000-mapping.dmp
-
memory/2364-157-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3532-141-0x0000000000000000-mapping.dmp
-
memory/3544-142-0x0000000000000000-mapping.dmp
-
memory/3872-134-0x0000000000000000-mapping.dmp
-
memory/4172-137-0x0000000000000000-mapping.dmp
-
memory/5116-138-0x0000000000000000-mapping.dmp