Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2022 20:01
Behavioral task: behavioral1
- Sample: ProcessKO.exe
- Resource: win10-20220901-en
Behavioral task: behavioral2
- Sample: ProcessKO.exe
- Resource: win7-20220812-en
General
- Target: ProcessKO.exe
- Size: 124KB
- MD5: ca8cb6abd81db6107fe35cfbb7cbd8e6
- SHA1: 4a645ae8ab0da7092503e9cee6ce66032897a0af
- SHA256: 1dec2e1465205a4a69f71ce916c2f970072b8e6b1b075748bed557f3449940b4
- SHA512: 1046274e86986ae1f48ac47a63cb65bbc1761266169a9ed6b38461589293110779dc1f9587eef51c833e361a959c2a37a8edbf11980df471e29964a8259a41cd
- SSDEEP: 3072:tYZXD5IEkbYx2jHtmk0NdAL9cRu8rox/A7pZ5QmxeY+zQMNQIbJ:tYZXFEY47tP0UpKmA7pZ5QmxL+zQMNQI
Malware Config
Extracted
- Family: remcos
- Version: 2.2.0 Pro
- Botnet: Planes2
- C2: remfff.duckdns.org:48604
Configuration:
- audio_folder: audio
- audio_path: %AppData%
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 5
- copy_file: csrss.exe
- copy_folder: csrss.exe
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- keylog_path: %AppData%
- mouse_option: false
- mutex: RemcosXs-H20591
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: csrss.exe
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 904 csrss.exe
- Loads dropped DLL (2 IoCs)
  Processes: PID 1452 cmd.exe (2 IoCs)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | ProcessKO.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\\csrss.exe\"" | ProcessKO.exe
    Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | csrss.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe\\csrss.exe\"" | csrss.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 904 csrss.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid | process | target process):
    PID 1600 wrote to memory of 1092 | 1600 | ProcessKO.exe | WScript.exe (reported 4 times)
    PID 1092 wrote to memory of 1452 | 1092 | WScript.exe | cmd.exe (reported 4 times)
    PID 1452 wrote to memory of 904 | 1452 | cmd.exe | csrss.exe (reported 4 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ProcessKO.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ProcessKO.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
            Command line: C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 422B
  MD5: f3ed21a8dbf48ccf6487d68cd12b8e89
  SHA1: 37b725cdc3bb8b91cb6242529721a2c3f1f03af2
  SHA256: a2c8cc5a927929bb186c39f2deefa5ca869ab705ada7b13c2687a54c99df0416
  SHA512: da85bc3517b3d085a29ae9c1a200ca7ae6c46f6bff4d5dc199bf493e6eda9cd223acf3945a4e24ae24f5a7fbc134f0345d725a6af1061b6c3f526ffec599851f
- C:\Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
  Filesize: 124KB
  MD5: ca8cb6abd81db6107fe35cfbb7cbd8e6
  SHA1: 4a645ae8ab0da7092503e9cee6ce66032897a0af
  SHA256: 1dec2e1465205a4a69f71ce916c2f970072b8e6b1b075748bed557f3449940b4
  SHA512: 1046274e86986ae1f48ac47a63cb65bbc1761266169a9ed6b38461589293110779dc1f9587eef51c833e361a959c2a37a8edbf11980df471e29964a8259a41cd
- \Users\Admin\AppData\Roaming\csrss.exe\csrss.exe
  Filesize: 124KB
  MD5: ca8cb6abd81db6107fe35cfbb7cbd8e6
  SHA1: 4a645ae8ab0da7092503e9cee6ce66032897a0af
  SHA256: 1dec2e1465205a4a69f71ce916c2f970072b8e6b1b075748bed557f3449940b4
  SHA512: 1046274e86986ae1f48ac47a63cb65bbc1761266169a9ed6b38461589293110779dc1f9587eef51c833e361a959c2a37a8edbf11980df471e29964a8259a41cd
- memory/904-62-0x0000000000000000-mapping.dmp
- memory/1092-55-0x0000000000000000-mapping.dmp
- memory/1452-58-0x0000000000000000-mapping.dmp
- memory/1600-54-0x00000000761F1000-0x00000000761F3000-memory.dmp
  Filesize: 8KB