Analysis
- max time kernel: 148s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2023 14:48
Static task: static1
Behavioral task: behavioral1
- Sample: Halkbank_Ekstre_01.03 (1).exe
- Resource: win7-20230220-en
Behavioral task: behavioral2 (the run shown in this report)
- Sample: Halkbank_Ekstre_01.03 (1).exe
- Resource: win10v2004-20230220-en
General
- Target: Halkbank_Ekstre_01.03 (1).exe
- Size: 525KB
- MD5: 96640a4799fe532df64ebde0a914567c
- SHA1: 5b8978b368104eb3ed79bfbb473790b9f18d4a83
- SHA256: 6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f
- SHA512: d827bb98f6965cb4ffe76cb45251273abf07fbaaf98e544970a87e37a58d339dd1b323211b965b07ae26e904a7d8990c375c28981c19535551ab001184a85409
- SSDEEP: 12288:KYTTJvONxFQl3Hlhv8RWSGl9bOKMRTBI4A2Cpvb+TviXl0gpxX:KYTTxObqlVhEPOVOKMRTQVb+TKXl0gp5
Malware Config
Extracted: remcos
- RemoteHost:
  - 127.0.0.1:55898
  - 185.65.134.167:55898
  - 10.15.0.18:55898
  - 180.214.238.18:55898
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-41LT1T
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5

Two of the four RemoteHost entries (127.0.0.1 and 10.15.0.18) are loopback and RFC 1918 addresses that a victim host cannot reach; only 185.65.134.167:55898 and 180.214.238.18:55898 are usable as network IoCs. install_flag is false, and the run bears that out: the Run value observed under Signatures was written by the loader dnzct.exe under a random value name, not under the configured startup_value "Remcos". The keylog_folder/keylog_file pair matches the logs.dat that this run dropped under C:\ProgramData\remcos.
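Triage of the extracted configuration above, as an added example (Python; not part of the sandbox report and not code from Remcos). It transcribes the config values from the report and applies its own rules: the RemoteHost list is split into routable and unreachable entries with the standard-library ipaddress module, and the host artefacts worth hunting are derived from the remaining keys. The ProgramData root used for the keylog path and the reading of install_flag as "install/persist" are assumptions of this example.

```python
"""Triage of the Remcos config above. Added example: the values are transcribed
from the report, the classification rules are this example's own assumptions."""
import ipaddress
import ntpath

# Transcribed from the 'Malware Config' section of the report.
REMCOS_CONFIG = {
    "RemoteHost": ["127.0.0.1:55898", "185.65.134.167:55898",
                   "10.15.0.18:55898", "180.214.238.18:55898"],
    "mutex": "Rmc-41LT1T",
    "copy_file": "remcos.exe",
    "copy_folder": "Remcos",
    "startup_value": "Remcos",
    "install_flag": False,
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}


def parse_remote_host(entry):
    """'host:port' -> (host, port). Anything after a second ':' is ignored
    (assumption: some builds append a further field there)."""
    host, port = entry.split(":")[:2]
    return host, int(port)


def split_c2(entries):
    """Partition RemoteHost entries into (routable, unreachable).

    Loopback, RFC 1918, link-local, multicast, reserved and unspecified
    addresses cannot be reached from a victim network and are useless as
    network IoCs. Hostnames are kept as routable for later resolution."""
    routable, unreachable = [], []
    for entry in entries:
        host, port = parse_remote_host(entry)
        try:
            ip = ipaddress.ip_address(host)
            local = (ip.is_loopback or ip.is_private or ip.is_link_local
                     or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
        except ValueError:  # not an IP literal, so a hostname
            local = False
        (unreachable if local else routable).append((host, port))
    return routable, unreachable


def host_iocs(cfg, programdata="C:\\ProgramData"):
    """Host artefacts implied by the config.

    The keylog path is keylog_folder/keylog_file under ProgramData, which is
    where this report saw logs.dat written (assumed root). copy_folder,
    copy_file and startup_value are reported as latent because install_flag
    is false and no 'Remcos' Run value was observed; the install root is not
    part of the extracted config, so only the relative path is given."""
    return {
        "mutex": cfg["mutex"],
        "keylog_path": ntpath.join(programdata, cfg["keylog_folder"],
                                   cfg["keylog_file"]),
        "latent_install": {
            "active": bool(cfg["install_flag"]),
            "copy_target": ntpath.join(cfg["copy_folder"], cfg["copy_file"]),
            "run_value_name": cfg["startup_value"],
        },
    }


def triage(cfg):
    """Bundle what a responder blocks (network) and hunts for (host)."""
    routable, unreachable = split_c2(cfg["RemoteHost"])
    return {
        "network_iocs": sorted(f"{h}:{p}" for h, p in routable),
        "ignored_hosts": sorted(f"{h}:{p}" for h, p in unreachable),
        "host_iocs": host_iocs(cfg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REMCOS_CONFIG), indent=2))
```

Running the block prints the two routable C2 endpoints, the two ignored entries, the mutex, the expected keylog path and the latent install artefacts; the same functions can be pointed at any other extracted Remcos config dict with the same keys.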
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: dnzct.exe (PID 564), dnzct.exe (PID 3772)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: dnzct.exe (PID 564)
  Set value (str): \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mvrbkgpyt
  Value data: C:\Users\Admin\AppData\Roaming\ibwgclu\pyienjscxhq.exe "C:\Users\Admin\AppData\Local\Temp\dnzct.exe" C:\Users\Admin\AppData\Local\
  The autostart image pyienjscxhq.exe under AppData\Roaming does not appear in the dropped-files list of this report; the value launches it with the loader's Temp path as its arguments.
- Suspicious use of SetThreadContext (1 IoC)
  PID 564 (dnzct.exe) set thread context of PID 3772 (dnzct.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; here the extracted configuration identifies a Remcos RAT, so treat it as drive enumeration rather than as evidence of encryption.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Process: dnzct.exe (PID 564)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: dnzct.exe (PID 3772)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 3204 (Halkbank_Ekstre_01.03 (1).exe) wrote to memory of PID 564 (dnzct.exe), 3 times
  PID 564 (dnzct.exe) wrote to memory of PID 3772 (dnzct.exe), 4 times
  Together with the SetThreadContext call from 564 into 3772 and the MapViewOfSection activity in 564, this is the process-hollowing pattern: the first dnzct.exe starts a second copy of itself, writes into it and then redirects a thread in it with SetThreadContext.
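The WriteProcessMemory, SetThreadContext and Run-key signatures above, rebuilt into findings by an added example (Python; not from the sandbox and not code from the sample). The event strings and the Run value data are transcribed from the report. The parsing rule (the target image is the last whitespace-separated token), the hollowing heuristic (remote writes followed by SetThreadContext on the same target) and the path checks in the Run-key parser are this example's own assumptions.

```python
"""Rebuild the injection chain and the Run-key persistence from the signature
lines above. Added example: the event strings and the Run value are transcribed
from the report; the parsing rules and the hollowing heuristic are assumptions."""
import re
from collections import defaultdict

# Transcribed from the WriteProcessMemory and SetThreadContext signatures.
EVENTS = """\
PID 3204 wrote to memory of 564 3204 Halkbank_Ekstre_01.03 (1).exe dnzct.exe
PID 3204 wrote to memory of 564 3204 Halkbank_Ekstre_01.03 (1).exe dnzct.exe
PID 3204 wrote to memory of 564 3204 Halkbank_Ekstre_01.03 (1).exe dnzct.exe
PID 564 wrote to memory of 3772 564 dnzct.exe dnzct.exe
PID 564 wrote to memory of 3772 564 dnzct.exe dnzct.exe
PID 564 wrote to memory of 3772 564 dnzct.exe dnzct.exe
PID 564 wrote to memory of 3772 564 dnzct.exe dnzct.exe
PID 564 set thread context of 3772 564 dnzct.exe dnzct.exe
"""

# Transcribed from the 'Adds Run key' signature (value data only).
RUN_VALUE = ('C:\\Users\\Admin\\AppData\\Roaming\\ibwgclu\\pyienjscxhq.exe '
             '"C:\\Users\\Admin\\AppData\\Local\\Temp\\dnzct.exe" '
             'C:\\Users\\Admin\\AppData\\Local\\')

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<images>.+)$")


def parse_events(text):
    """Yield (src_pid, op, dst_pid, src_image, dst_image) per line.

    The report prints '<source image> <target image>' with no delimiter, so
    the target image is taken as the last whitespace-separated token
    (assumption; it holds here because only 'Halkbank_Ekstre_01.03 (1).exe'
    contains spaces and it only ever appears as the source)."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src_img, _, dst_img = m["images"].rpartition(" ")
        yield int(m["src"]), m["op"], int(m["dst"]), src_img, dst_img


def find_injection_chains(text):
    """Aggregate remote writes and thread-context changes per (src, dst)
    pair and score the hollowing pattern: one or more remote writes into a
    process followed by SetThreadContext on it. A match where both sides run
    the same image is the spawn-self-and-hollow variant seen in this run."""
    pairs = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    for src, op, dst, src_img, dst_img in parse_events(text):
        rec = pairs[(src, dst)]
        rec["src_image"], rec["dst_image"] = src_img, dst_img
        if op == "wrote to memory of":
            rec["writes"] += 1
        else:
            rec["set_thread_context"] = True
    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        hollow = rec["writes"] > 0 and rec["set_thread_context"]
        findings.append({
            "src_pid": src, "dst_pid": dst,
            "src_image": rec["src_image"], "dst_image": rec["dst_image"],
            "writes": rec["writes"],
            "set_thread_context": rec["set_thread_context"],
            "likely_hollowing": hollow,
            "self_injection": hollow and rec["src_image"] == rec["dst_image"],
        })
    return findings


_TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # quote-aware command-line tokens


def run_key_findings(value):
    """Split the Run value into image and arguments and flag the locations a
    defender cares about: an autostart image under AppData\\Roaming and
    arguments pointing into AppData\\Local\\Temp (string checks, assumption)."""
    tokens = [t.strip('"') for t in _TOKEN_RE.findall(value)]
    lower = [t.lower() for t in tokens]
    return {
        "image": tokens[0],
        "args": tokens[1:],
        "image_in_roaming": "\\appdata\\roaming\\" in lower[0],
        "arg_in_temp": any("\\appdata\\local\\temp\\" in a for a in lower[1:]),
    }


if __name__ == "__main__":
    for finding in find_injection_chains(EVENTS):
        print(finding)
    print(run_key_findings(RUN_VALUE))
```

On the report's events this yields two findings: the parent 3204 writing into 564 three times with no thread-context change (staging, not hollowing), and 564 writing into 3772 four times followed by SetThreadContext with both sides running dnzct.exe, which the heuristic labels as self-injection. The Run value resolves to an image under AppData\Roaming with a Temp path as its first argument.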
Processes
- C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_01.03 (1).exe (PID 3204)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Halkbank_Ekstre_01.03 (1).exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\dnzct.exe (PID 564, child of 3204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dnzct.exe" C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dnzct.exe (PID 3772, child of 564)
      Command line: "C:\Users\Admin\AppData\Local\Temp\dnzct.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\remcos\logs.dat
  Filesize: 144B
  MD5: 89c9964a680da1ab54c8387fa5666e7b
  SHA1: 0a2c282e9aa859673c2f9c6917dfebd79fb90eee
  SHA256: cdcd63bad0e6de59428514b11100c2db52d54af21530acdcfdbfae965678294d
  SHA512: fd4b6c7f487c96be07908fe4f5dd4d9ddee3fadf0f372a958c0d6832faa7b3290c5da2ca930d6779984dea52e3890930097d8266934fb12997ade749f111bc02
- C:\Users\Admin\AppData\Local\Temp\dnzct.exe (listed three times in the report with identical hashes)
  Filesize: 85KB
  MD5: e392c200a94e1e654d6f9bfc018f113f
  SHA1: efe92e8b1da6cd6a3738b7c116405212e1561d19
  SHA256: f62474d4e95f6ff3421f1c22e8a71b4b48b2afbc0fc54cb24481de76d5a42616
  SHA512: bc72f0257f72351a9945a3f5cb54c14b9a2534af8aadfb0137326afa46eafa5d23aa3d844c575bcd26b9c2b9180b9029051f1b3b7b79176b08de8f2ca06d500c
- C:\Users\Admin\AppData\Local\Temp\heltmtguyf.z
  Filesize: 7KB
  MD5: 3dd2a19c4ba9e71e2bfdaf29b42f55de
  SHA1: cfcb1050c7157ca02c80407bc69bdce3fdd76528
  SHA256: ef6f26306ec3070342dfed59428da21eb2a4948ef010a126441d92aec38d1491
  SHA512: 11406303c30f6d8ec0586d9a91cad3f23d860cbe9c0cc9f3edae46916313d107f6d96c74b3c59527c2ca9d98c2364150e4d913e0d7ea2b34a92bc46365f40926
- C:\Users\Admin\AppData\Local\Temp\lgsxtlwhbcy.gge
  Filesize: 496KB
  MD5: ca773195df4f76627b6e1ec87866f60e
  SHA1: f6bf8ec80563827454da20721ec37c00aed6a718
  SHA256: df31595ab522440e50a5f0db1207f795f4e38cd1294c22ccbf9dd6625f540b3f
  SHA512: 79aabb52af1b00ffc4b49beb1a5c88c99ff983b49b4e75cc7879398becf6d1faba466d8f9f4f48f7353b02f4fc1981ef5046939ee0dec8f0570546b1f8dc3205
- memory/564-142-0x00000000009D0000-0x00000000009D2000-memory.dmp
  Filesize: 8KB
- memory/3772-{143,145,147,148,150,151,152,153,154,157,160,162,166,169,170,173,174,175,177,179,182,184,185,186,189,192,195,206,207,209,211}-0x0000000000400000-0x0000000000480000-memory.dmp
  Filesize: 512KB each (31 snapshots of the same 0x00400000-0x00480000 region of PID 3772)
  This is the region that PID 564 wrote into before calling SetThreadContext on PID 3772, so these dumps are where the injected Remcos image, and the configuration extracted above, should be carved from.