Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 27-03-2023 12:46

Static task: static1

Behavioral task: behavioral1
- Sample: INVOICE.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: INVOICE.exe
- Resource: win10v2004-20230220-en

General
- Target: INVOICE.exe
- Size: 294KB
- MD5: f5da0115ae4a3eb7b325a8756b1013f7
- SHA1: 7832e5c3f52a4227e49b77968b2e316a4f575363
- SHA256: 198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
- SHA512: 7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
- SSDEEP: 6144:GT4DtMmNNsXLWs9baMwEyGnTaaZOMnUivg5FLJTQhli0xk74/S:GT9XLWszTa9Mdvg5FxQXi0xx/S
Malware Config
Extracted: remcos
- RemoteHost: darren2023.sytes.net:2115
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: scs.exe
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_path: %AppData%
- mouse_option: false
- mutex: Rmc-3YNKQ0
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.
- Checks QEMU agent file (2 TTPs, 4 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes: INVOICE.exe, INVOICE.exe, scs.exe, scs.exe
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | INVOICE.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | INVOICE.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | scs.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | scs.exe
- Executes dropped EXE (1 IoCs)
  Processes: scs.exe
  pid | process
  820 | scs.exe
- Loads dropped DLL (4 IoCs)
  Processes: INVOICE.exe, INVOICE.exe, scs.exe, scs.exe
  pid | process
  924 | INVOICE.exe
  608 | INVOICE.exe
  820 | scs.exe
  1832 | scs.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: INVOICE.exe, scs.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | INVOICE.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\"" | INVOICE.exe
  Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | scs.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\"" | scs.exe
  Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | scs.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\"" | scs.exe
  Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | INVOICE.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\"" | INVOICE.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: INVOICE.exe, scs.exe
  pid | process
  608 | INVOICE.exe
  1832 | scs.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes: INVOICE.exe, INVOICE.exe, scs.exe, scs.exe
  pid | process
  924 | INVOICE.exe
  608 | INVOICE.exe
  820 | scs.exe
  1832 | scs.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: INVOICE.exe, scs.exe
  description | pid | process | target process
  PID 924 set thread context of 608 | 924 | INVOICE.exe | INVOICE.exe
  PID 820 set thread context of 1832 | 820 | scs.exe | scs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: INVOICE.exe, scs.exe
  pid | process
  924 | INVOICE.exe
  820 | scs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: scs.exe
  pid | process
  1832 | scs.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: INVOICE.exe, INVOICE.exe, scs.exe
  description | pid | process | target process
  PID 924 wrote to memory of 608 | 924 | INVOICE.exe | INVOICE.exe (5 entries)
  PID 608 wrote to memory of 820 | 608 | INVOICE.exe | scs.exe (4 entries)
  PID 820 wrote to memory of 1832 | 820 | scs.exe | scs.exe (5 entries)
Processes
Process tree (each numbered entry is nested under the one before it; PIDs as listed in the signature tables):
1. C:\Users\Admin\AppData\Local\Temp\INVOICE.exe (PID 924)
   Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\INVOICE.exe (PID 608)
   Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtCreateThreadExHideFromDebugger
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Roaming\scs.exe (PID 820)
   Command line: "C:\Users\Admin\AppData\Roaming\scs.exe"
   - Checks QEMU agent file
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\scs.exe (PID 1832)
   Command line: "C:\Users\Admin\AppData\Roaming\scs.exe"
   - Checks QEMU agent file
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtCreateThreadExHideFromDebugger
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 1fcc10720c843f6603490145bb6369ae
  SHA1: bcdccd807446f061a9a6aed47fcb687668a3ffd7
  SHA256: bf8d204e51e5e78aca46a7de2a16083977bd562e123b78c00972516158b02529
  SHA512: 794e90bd7732729ebb83828e26b3f84be39c5b8ea5849fa3bef6b53973d03fb817a4dd932d6a3d6e1a0a250c7cea47107a9c433b3326023b67fac65ec0e489ae
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5654EC63294C39DE7CC060CB799182CF
  Filesize: 471B
  MD5: 474a5d47cc23e28fea70e3d32fe95427
  SHA1: db4e4a58803bea6ecdaf992a4fc73d90ddd4c375
  SHA256: 831b3e8febf102b90cf79251960c1ea2f436e39dd5d5ca71facde10f67a19dd7
  SHA512: 960dadceb3dc32f947ca8f25912020869b8c123601a6b5f4a07960eb87e25aa6e13686425f0975e7bb6f21ab2a88df030729d12350dfc95e9056eaacebf0dede
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: f569e1d183b84e8078dc456192127536
  SHA1: 30c537463eed902925300dd07a87d820a713753f
  SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
  SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A40DDA23AC660EBD6C048B34D97187FB
  Filesize: 471B
  MD5: aee967595d5b11fc508d102c6c93dd93
  SHA1: 1b51ae5b5f9a4b7e3c51bb4307c9eacd4ea2a85e
  SHA256: 3cbc3af47f5b1e142bb6cb5fed8154476b773f1b9a95623b5bb5ba94957ff309
  SHA512: 56638d9f7e75c56e3ff0ac24ed6a44355787803c60958640cbf9137dfcd886c0efbbdc53f893d89014a4431492f9c84d49080f344e04358f51c4a30108541db9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: ba08a9f1bbac2f83042dd63ce6161542
  SHA1: a15c3542d65f7cccc3ed42b17c404a507f4cf8f3
  SHA256: 8429d0d176d297e38f3c353875bb2c2d8832f7ccddc1812964e6c490dac0a8a0
  SHA512: 509adac06f1cc3ba8be69758f7fa150a9ad97e1d659f1cab4d12041fe7b332785627c29368233556420f79bc8abd300a4da876b1f4d27a08811a632e9db9c5fa
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5654EC63294C39DE7CC060CB799182CF
  Filesize: 406B
  MD5: c56840f419152657a00cf797f06c1553
  SHA1: cf59879d3b68994283ad1a9975cc79cacff3d0dc
  SHA256: 1c435c6fdc8fb8bbb2924b042195329ade13d85bdcf30e1e6c8a45dcedc2d3fc
  SHA512: 5c17a8ef0897cc31e77204e8f999829e5c27872a50c136b3b08994796c3d483f0011fd2105845a9df201949c034ccc55a521697ea6775941d7aebe9a381e2c42
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b328502c608ae2a57125d3cc47c2573e
  SHA1: d38af0bd49dfa3221a115a7cdfb193f42ad56ed2
  SHA256: 2a5a6c88d35c92f57715b1ad11f896aa3761f6419a41b73f42d97e705c5802eb
  SHA512: 0b1ba937f209a837bf9bb7859119b429f5e79433f7b140512f37cb1d738e510cd0301071da59eef1e6e9d64ef01b6de3c76adc7a4c6b7cbd911ab84d200e6e4c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: 5ef77f627d51d5f826c68314520eff8d
  SHA1: 26f6fd87aed2f3e733edb1a3af0141135cd829fd
  SHA256: f427561d0e4c9da59a765545920f2b62877054a09ac8c1d5abee12ab58f83b7c
  SHA512: e1e7302a31ccc985e62e96544dd71aa88a90659ea9c39185a22c3f8933adc3f80aaf1f2803c89cc886c66bd02943952b78ca9a2d4f3b66b4ecaf4ad0dea9b789
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A40DDA23AC660EBD6C048B34D97187FB
  Filesize: 406B
  MD5: 6f2eae46ffdff91252c3bae16ce93b69
  SHA1: 1c9930f6f9eda5aee3e8d89f617398b7fc6b6b47
  SHA256: c207cc88cf0ba7fa1beb0afa93fac83d125a83d1d62e793d61e9327be595dd0b
  SHA512: b916359aeeebdfa3267850a74a0e62ceb3616314208d5fe12fac6629b84af35b9ab866632134826bd496a8d502e402ec75f355a77ff798d32f9b0aa7c2786fad
- C:\Users\Admin\AppData\Local\Temp\CabA8ED.tmp
  Filesize: 61KB
  MD5: fc4666cbca561e864e7fdf883a9e6661
  SHA1: 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
  SHA256: 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
  SHA512: c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
- C:\Users\Admin\AppData\Local\Temp\nsoBAB9.tmp\System.dll
  Filesize: 12KB
  MD5: 564bb0373067e1785cba7e4c24aab4bf
  SHA1: 7c9416a01d821b10b2eef97b80899d24014d6fc1
  SHA256: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
  SHA512: 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Detachably\Valrappen\Folkboat\D248\Photopolymerisation\Polyvirulent\Nondisputatious\taphaners.Suk
  Filesize: 101KB
  MD5: 90c93001b331654e0a76b3144fd6f742
  SHA1: 6478ad6bc23175e2f5ebbbffc1ac36520bc247c7
  SHA256: e775321e2e41bc4a886d1ca80bb25f19751d427ca9615ea9e79c7ac36ea4c7c5
  SHA512: 60193a84d61b33f6d99b88660f9bfd26fba1f4ef033d5df7c3311fc15e552ef40fbf266b359cce94d3a62b68fc4d7d841734161dac42fee53fbc9560d68a400a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Detachably\Valrappen\Folkboat\Unluckiness\subentitle\Unnimbed\Hallowmas.Blo
  Filesize: 244KB
  MD5: ad9e7ae8ca3b7e776a04e3cfe1f2a4d6
  SHA1: a9078da2ddf2c2d30ba231a2fce357965f7b1e01
  SHA256: aa6585275558bf692a3fcb8857dda6d2e33932d0c0b46a838e321e83b5a4983c
  SHA512: 74247fcf01f5b8bd5f73efb481f8e24961704d832ef89e5bdd61e64104f75ead5021429a1f6595070eb02711b4f0bf5d9ec1ce033e70204f34e6c152d27307fd
- C:\Users\Admin\AppData\Roaming\scs.exe
  Filesize: 294KB
  MD5: f5da0115ae4a3eb7b325a8756b1013f7
  SHA1: 7832e5c3f52a4227e49b77968b2e316a4f575363
  SHA256: 198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
  SHA512: 7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
- C:\Users\Admin\AppData\Roaming\scs.exe
  Filesize: 294KB
  MD5: f5da0115ae4a3eb7b325a8756b1013f7
  SHA1: 7832e5c3f52a4227e49b77968b2e316a4f575363
  SHA256: 198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
  SHA512: 7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
- C:\Users\Admin\AppData\Roaming\scs.exe
  Filesize: 294KB
  MD5: f5da0115ae4a3eb7b325a8756b1013f7
  SHA1: 7832e5c3f52a4227e49b77968b2e316a4f575363
  SHA256: 198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
  SHA512: 7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
- \Users\Admin\AppData\Local\Temp\nsoBAB9.tmp\System.dll
  Filesize: 12KB
  MD5: 564bb0373067e1785cba7e4c24aab4bf
  SHA1: 7c9416a01d821b10b2eef97b80899d24014d6fc1
  SHA256: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
  SHA512: 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- \Users\Admin\AppData\Local\Temp\nst96A6.tmp\System.dll
  Filesize: 12KB
  MD5: 564bb0373067e1785cba7e4c24aab4bf
  SHA1: 7c9416a01d821b10b2eef97b80899d24014d6fc1
  SHA256: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
  SHA512: 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
- \Users\Admin\AppData\Roaming\scs.exe
  Filesize: 294KB
  MD5: f5da0115ae4a3eb7b325a8756b1013f7
  SHA1: 7832e5c3f52a4227e49b77968b2e316a4f575363
  SHA256: 198c4b09ed4b8a46cfca9fd672797c0bb6f6d9a84016fd4f699ec65be9b9de3d
  SHA512: 7389875afb1896958043c451bf1b0f354a8052041baa595f6765ca33a35eed693d3df88eaca55ac537039aca7380a2a17dbf4829b39b7ee406012416d8a50f4b
- memory/608-64-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/608-66-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/608-102-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/608-65-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/608-67-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/608-68-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/608-104-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/608-95-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/608-91-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/820-114-0x0000000003080000-0x00000000042AD000-memory.dmp
  Filesize: 18.2MB
- memory/820-113-0x0000000003080000-0x00000000042AD000-memory.dmp
  Filesize: 18.2MB
- memory/924-63-0x0000000003070000-0x000000000429D000-memory.dmp
  Filesize: 18.2MB
- memory/924-62-0x0000000003070000-0x000000000429D000-memory.dmp
  Filesize: 18.2MB
- memory/1832-118-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/1832-117-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/1832-116-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/1832-139-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/1832-137-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/1832-142-0x0000000001470000-0x000000000269D000-memory.dmp
  Filesize: 18.2MB
- memory/1832-143-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB
- memory/1832-144-0x0000000000400000-0x0000000001462000-memory.dmp
  Filesize: 16.4MB