Analysis
max time kernel: 152s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-02-2023 09:31
Static task: static1
Behavioral task: behavioral1
  Sample: TNT Original Invoice PDF.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: TNT Original Invoice PDF.exe
  Resource: win10v2004-20220812-en
General
Target: TNT Original Invoice PDF.exe
Size: 1.0MB
MD5: f64fc1f7c9d03819bd76645aab99be48
SHA1: 11513e335fefcc3a302aba54ea5f5911f3290b9d
SHA256: 8b6a0f607c8aa32a95838d10b496bdbd68b86a457ef49f8043badb21f5b12b2a
SHA512: 5e9ffee587fbb61256b3f531a50c9ec40598a6459f6e2e30d022c84940a7786208a38430cf7a529588ee9be2f23a930d7b87afa6718744a25b26f81c476dc625
SSDEEP: 24576:wYXIQ57jS4qoLVNVS9nqi06jz8ajDTEnU6D5RJ:x/5+oxS9nC6rLR6
Malware Config
Extracted: remcos
RemoteHost: 51.75.209.245:2406
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-52YOYG
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
  process: TNT Original Invoice PDF.exe

Suspicious use of SetThreadContext (1 IoC)
  description: PID 1944 set thread context of 3520
  pid: 1944
  process: TNT Original Invoice PDF.exe
  target process: TNT Original Invoice PDF.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 1944  TNT Original Invoice PDF.exe  (10 hits)
  pid 344   powershell.exe  (2 hits)
  pid 3200  powershell.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 1944  TNT Original Invoice PDF.exe
  Token: SeDebugPrivilege  pid 344   powershell.exe
  Token: SeDebugPrivilege  pid 3200  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3520  TNT Original Invoice PDF.exe

Suspicious use of WriteProcessMemory (24 IoCs)
  PID 1944 (TNT Original Invoice PDF.exe) wrote to memory of 344 (powershell.exe)  (3 hits)
  PID 1944 (TNT Original Invoice PDF.exe) wrote to memory of 3200 (powershell.exe)  (3 hits)
  PID 1944 (TNT Original Invoice PDF.exe) wrote to memory of 5000 (schtasks.exe)  (3 hits)
  PID 1944 (TNT Original Invoice PDF.exe) wrote to memory of 1400 (TNT Original Invoice PDF.exe)  (3 hits)
  PID 1944 (TNT Original Invoice PDF.exe) wrote to memory of 3520 (TNT Original Invoice PDF.exe)  (12 hits)
Processes
C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\kZskrgQLQwU.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kZskrgQLQwU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D0.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"

  C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\TNT Original Invoice PDF.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp1D0.tmp
  Filesize: 1KB
  MD5: 03b41ac6491dfe776333bbd5bd6b99e8
  SHA1: 2f4bb429bfc66711c5cd55c5744802e506c59c74
  SHA256: d7e321bc6872bcb38cf01354176ba5f5b4b4516f8725b7cf644adde1bb7cb967
  SHA512: b172375bd7c2eca650f926689fc8a2539dff3edd5e3da8b38af0a09a30b5c135f1a74fa96bf241744dad1a1f9b56b6bb0ede5d45b9963c5bb49d059d98ffebe4