Analysis
max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-03-2023 14:21
Behavioral tasks
behavioral1: sample unpaced.exe, resource win7-20230220-en
behavioral2: sample unpaced.exe, resource win10v2004-20230220-en
General
Target: unpaced.exe
Size: 128KB
MD5: c352c288a3dd998102ee306ad1c26e10
SHA1: 901a35d85e7bf23fe3e8956a61ddbc6ffe293efb
SHA256: 51253ebd215a9f0a66fe8a5aa65ae58885570f71437415fef49f8d2cd5232998
SHA512: 4d60fee342676b10da77c64e1869b1022e2d5948d9e58435e489c433bef909e82a363e384f5c85ad2532034bd783e848386f8991e5b1cd95cf0b346dc468228a
SSDEEP: 3072:mFh1qaSs6IF9OK4b80S2Van4Va1cpcQjed5OzqhUha:Ch1qn3IF9Obbj/a1cpcQjeHOzqhUh
Malware Config
Extracted family: remcos
Version: 2.5.0 Pro
RemoteHost: bekleyen.myq-see.com:2424
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: VLC.exe
copy_folder: VLC
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: Remcos-001UHE
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: wikipedia;solitaire;
Signatures

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: unpaced.exe, WScript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | unpaced.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (1 IoC)
Processes: VLC.exe
  pid | process
  3024 | VLC.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: unpaced.exe, VLC.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | unpaced.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\VLC\\VLC.exe\"" | unpaced.exe
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | VLC.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\VLC\\VLC.exe\"" | VLC.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: unpaced.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings | unpaced.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: VLC.exe
  pid | process
  3024 | VLC.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: unpaced.exe, WScript.exe, cmd.exe
  description | pid | process | target process
  PID 4400 wrote to memory of 1616 | 4400 | unpaced.exe | WScript.exe
  PID 4400 wrote to memory of 1616 | 4400 | unpaced.exe | WScript.exe
  PID 4400 wrote to memory of 1616 | 4400 | unpaced.exe | WScript.exe
  PID 1616 wrote to memory of 3876 | 1616 | WScript.exe | cmd.exe
  PID 1616 wrote to memory of 3876 | 1616 | WScript.exe | cmd.exe
  PID 1616 wrote to memory of 3876 | 1616 | WScript.exe | cmd.exe
  PID 3876 wrote to memory of 3024 | 3876 | cmd.exe | VLC.exe
  PID 3876 wrote to memory of 3024 | 3876 | cmd.exe | VLC.exe
  PID 3876 wrote to memory of 3024 | 3876 | cmd.exe | VLC.exe
Processes (process tree: image path, command line, PID)

1. C:\Users\Admin\AppData\Local\Temp\unpaced.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\unpaced.exe"
   PID: 4400
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      PID: 1616
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\VLC\VLC.exe"
         PID: 3876
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
            Command line: C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
            PID: 3024
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 406B
  MD5: 854219cc98e5b2481c851446afe79605
  SHA1: 2423fce3defedf02f7cb8af374f92b78f4bd22f9
  SHA256: db79feef63151ee105d5cb255d847df5f09b987db10b4015410a7db35bf76a7f
  SHA512: 32c16b720c94f800f4513a78be858d92d7fd85aa6cf450408e68cf78b64948f3d3b50e343e2c215234b5404de25be76619b2ac083dfe6b2d0a06bb6c4fedad80

C:\Users\Admin\AppData\Roaming\VLC\VLC.exe
  Filesize: 128KB
  MD5: c352c288a3dd998102ee306ad1c26e10
  SHA1: 901a35d85e7bf23fe3e8956a61ddbc6ffe293efb
  SHA256: 51253ebd215a9f0a66fe8a5aa65ae58885570f71437415fef49f8d2cd5232998
  SHA512: 4d60fee342676b10da77c64e1869b1022e2d5948d9e58435e489c433bef909e82a363e384f5c85ad2532034bd783e848386f8991e5b1cd95cf0b346dc468228a

C:\Users\Admin\AppData\Roaming\remcos\logs.dat
  Filesize: 74B
  MD5: fcee623a5403212f5efddcfb70313edb
  SHA1: 9f718815228fe119573b2d843cba3f98ba660493
  SHA256: 64f8f818a5645603fac6706c9eff2049cb89c2ad96f986ec58881ad202e9cff9
  SHA512: a5ad57d0b3af22edd132f73e9c7830305507c74a0dd04864bc357289443c106c569f5525166d5cedee0c4156eb23e87edea781d264a95a9ae65f691cb760a088