Analysis
-
max time kernel
603s
-
max time network
608s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
-
submitted
06-12-2022 13:33
Static task
static1
Behavioral task
behavioral1
Sample
CONTRACT.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
CONTRACT.exe
Resource
win10v2004-20220812-en
General
-
Target
CONTRACT.exe
-
Size
444KB
-
MD5
8bff446184b5ab123684c62895414df0
-
SHA1
c08002db93295dc774137fb8b64e25982bb813b0
-
SHA256
38e450e0f888c722ba57ed39900759397ede821614371832456b7fa29143aaba
-
SHA512
232757030b2f0a4498cda94bd5b4215193396fb5e705df36391c54b713104eec629ff54f10778e2f7e3958b01194e4bbe2f5b63200469d01b92448eeb2599809
-
SSDEEP
12288:VAC+Qu5ylAM8kCR7GIwhg9ZRHmWE485yHv/8YM1jk:WCTlAMiR6IfXm3WMZo
Malware Config
Extracted
remcos
RemoteHost
drremcoz1.ddns.net:1307
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-FADJRF
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
1644 pxsvrjfkc.exe
2004 pxsvrjfkc.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid process
832 CONTRACT.exe
1644 pxsvrjfkc.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 1644 set thread context of 2004 1644 pxsvrjfkc.exe pxsvrjfkc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
1644 pxsvrjfkc.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
2004 pxsvrjfkc.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description pid process target process
PID 832 wrote to memory of 1644 832 CONTRACT.exe pxsvrjfkc.exe
PID 832 wrote to memory of 1644 832 CONTRACT.exe pxsvrjfkc.exe
PID 832 wrote to memory of 1644 832 CONTRACT.exe pxsvrjfkc.exe
PID 832 wrote to memory of 1644 832 CONTRACT.exe pxsvrjfkc.exe
PID 1644 wrote to memory of 2004 1644 pxsvrjfkc.exe pxsvrjfkc.exe
PID 1644 wrote to memory of 2004 1644 pxsvrjfkc.exe pxsvrjfkc.exe
PID 1644 wrote to memory of 2004 1644 pxsvrjfkc.exe pxsvrjfkc.exe
PID 1644 wrote to memory of 2004 1644 pxsvrjfkc.exe pxsvrjfkc.exe
PID 1644 wrote to memory of 2004 1644 pxsvrjfkc.exe pxsvrjfkc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\CONTRACT.exe
"C:\Users\Admin\AppData\Local\Temp\CONTRACT.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
  "C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe" C:\Users\Admin\AppData\Local\Temp\thoga.wi
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
    "C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\oegcns.foz
Filesize
469KB
MD5
de8044726c585f4741e6db78c08cdfc8
SHA1
b773dea447ef2c7a70ab5eb02cdbf34f03927ea1
SHA256
1c97a6c00f9635d38681572fd4c9fc68a9e71b6170b05b50fed64eea9346c89b
SHA512
72d26e195a7f615d33712a0ebcdae32f797120bbe27fecefebcec6726c6797836af50dce44ff7cb4d580df2e124db4cc8ebe273453fc5bea8af62f6372a22b8e
-
C:\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
Filesize
12KB
MD5
3e04e586c99713a446fb9fc183867eb2
SHA1
1366d02cfce19379ff6c878f13fe47e1dde8d246
SHA256
591de4e14c50bb35c5017f59f51d7a418fa89e030f414d903f35413b1fac1f5b
SHA512
6e4b84aa46eadc910b91496b4a7b8fe64777c892a1cf748d450a7536dbd1a25e13a6448550849f71d7c0596e9bf9d0315c833ce444efd780c490491e41a897c7
-
C:\Users\Admin\AppData\Local\Temp\thoga.wi
Filesize
5KB
MD5
3bdc83cec9bb5bb252e9f5305a4fea45
SHA1
f72c926a6862a7eee8a263384354f9f7889948f7
SHA256
b75b9780bad70797af4538f2ccc2b5f63c6b0f46d3a3758b53e9931738c20a71
SHA512
f54532bcfb5666749f9bd37b1b675b13d404d9d298283f2e416d9b14ff371a5ffdbaecc18f94349f5c5ab3137a3b5e51f64b0618b53704cfae89f152dc7c6c4d
-
\Users\Admin\AppData\Local\Temp\pxsvrjfkc.exe
Filesize
12KB
MD5
3e04e586c99713a446fb9fc183867eb2
SHA1
1366d02cfce19379ff6c878f13fe47e1dde8d246
SHA256
591de4e14c50bb35c5017f59f51d7a418fa89e030f414d903f35413b1fac1f5b
SHA512
6e4b84aa46eadc910b91496b4a7b8fe64777c892a1cf748d450a7536dbd1a25e13a6448550849f71d7c0596e9bf9d0315c833ce444efd780c490491e41a897c7
-
memory/832-54-0x0000000075921000-0x0000000075923000-memory.dmp
Filesize
8KB
-
memory/1644-56-0x0000000000000000-mapping.dmp
-
memory/2004-62-0x00000000004327A4-mapping.dmp
-
memory/2004-65-0x0000000000400000-0x000000000047F000-memory.dmp
Filesize
508KB
-
memory/2004-66-0x0000000000400000-0x000000000047F000-memory.dmp
Filesize
508KB