Analysis
-
max time kernel
136s
-
max time network
146s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230221-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
27-03-2023 15:16
Static task
static1
Behavioral task
behavioral1
Sample
Best price inquiry.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Best price inquiry.exe
Resource
win10v2004-20230221-en
General
-
Target
Best price inquiry.exe
-
Size
768KB
-
MD5
b5d80c839eed720a63fbc6cd47a80a9e
-
SHA1
ef4bf7a44f3f7da17798ad1be32055e359ecd90b
-
SHA256
643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
-
SHA512
5355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
SSDEEP
24576:aMwf+m50w/dByz9z+NTUv91fZ5ZM1P3A6YlBE5Gw9:aMwf0w/dsYqjfrW93AXbEN9
Malware Config
Extracted
remcos
RemoteHost
darren2023.sytes.net:2115
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
scs.exe
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
Rmc-3YNKQ0
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: Best price inquiry.exe, Best price inquiry.exe
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (process: Best price inquiry.exe)
- File opened (read-only): C:\Program Files\Qemu-ga\qemu-ga.exe (process: Best price inquiry.exe)
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Best price inquiry.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation (process: Best price inquiry.exe)
-
Executes dropped EXE (1 IoCs)
Processes: scs.exe
- PID 1628: scs.exe
-
Loads dropped DLL (2 IoCs)
Processes: Best price inquiry.exe, scs.exe
- PID 4640: Best price inquiry.exe
- PID 1628: scs.exe
-
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: Best price inquiry.exe
- Key created: \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: Best price inquiry.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\"" (process: Best price inquiry.exe)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ (process: Best price inquiry.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\scs.exe\"" (process: Best price inquiry.exe)
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
-
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes: Best price inquiry.exe
- PID 3476: Best price inquiry.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: Best price inquiry.exe, Best price inquiry.exe
- PID 4640: Best price inquiry.exe
- PID 3476: Best price inquiry.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: Best price inquiry.exe
- PID 4640 set thread context of PID 3476 (process: Best price inquiry.exe, target process: Best price inquiry.exe)
-
Drops file in Program Files directory (2 IoCs)
Processes: Best price inquiry.exe, scs.exe
- File opened for modification: C:\Program Files (x86)\Servantry.ini (process: Best price inquiry.exe)
- File opened for modification: C:\Program Files (x86)\Servantry.ini (process: scs.exe)
-
Drops file in Windows directory (1 IoCs)
Processes: Best price inquiry.exe
- File opened for modification: C:\Windows\Akustikerne\Blinker42.Vel33 (process: Best price inquiry.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: MapViewOfSection (1 IoCs)
Processes: Best price inquiry.exe
- PID 4640: Best price inquiry.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: Best price inquiry.exe, Best price inquiry.exe
- PID 4640 wrote to memory of PID 3476 (process: Best price inquiry.exe, target process: Best price inquiry.exe)
- PID 4640 wrote to memory of PID 3476 (process: Best price inquiry.exe, target process: Best price inquiry.exe)
- PID 4640 wrote to memory of PID 3476 (process: Best price inquiry.exe, target process: Best price inquiry.exe)
- PID 4640 wrote to memory of PID 3476 (process: Best price inquiry.exe, target process: Best price inquiry.exe)
- PID 3476 wrote to memory of PID 1628 (process: Best price inquiry.exe, target process: scs.exe)
- PID 3476 wrote to memory of PID 1628 (process: Best price inquiry.exe, target process: scs.exe)
- PID 3476 wrote to memory of PID 1628 (process: Best price inquiry.exe, target process: scs.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe (process tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe (process tree depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Best price inquiry.exe"
- Checks QEMU agent file
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\scs.exe (process tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\scs.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nsl530E.tmp\System.dll
Filesize
12KB
MD5
564bb0373067e1785cba7e4c24aab4bf
SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
C:\Users\Admin\AppData\Local\Temp\nsnA7FE.tmp\System.dll
Filesize
12KB
MD5
564bb0373067e1785cba7e4c24aab4bf
SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1
SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Danskvandernes\Unselfconsciousness\penial\Unfooted\Fodermestrene\Wainer\Blackland22.Sta
Filesize
98KB
MD5
f1c8c629cb85183aacc7cf48089b5c4b
SHA1
a1902dfc003b9ec0b17115e71a41ec1fb8695c30
SHA256
dcab505b1a5cfc6eb7ad308ba934b15132af881089a1ccd829a33b2be3efb6e6
SHA512
e22a0de27171bfcd1ba1d03413781e01cacbccae7896a8fc59f5ff051334067ed3e097938294cf1fe1954a5866c5b2525e888b4edca8ba72da90d20f34b06025
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Danskvandernes\Unselfconsciousness\penial\Unfooted\Fodermestrene\Wainer\Caesura.Pic
Filesize
237KB
MD5
bf854859a5af013bf3670f26c4f2e11d
SHA1
f781202f218a1a999af14c8636bd488737221ed7
SHA256
89e2b117d576e4bfd257072d00103860c28b1e737a50a02ca2acd92994c9a6e1
SHA512
931e89c6bf79e5ab72c6ba45f8a0503d1c967aa39b4fa5d80aa005e34ba23309e17408af0c343f6fc88d923a0dd5c7e5a0d1da1efea91354efec90385744ccbb
-
C:\Users\Admin\AppData\Roaming\scs.exe
Filesize
768KB
MD5
b5d80c839eed720a63fbc6cd47a80a9e
SHA1
ef4bf7a44f3f7da17798ad1be32055e359ecd90b
SHA256
643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de
SHA512
5355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d
-
memory/3476-163-0x0000000001660000-0x0000000004F11000-memory.dmp
Filesize
56.7MB
-
memory/3476-159-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB
-
memory/3476-146-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB
-
memory/3476-174-0x0000000001660000-0x0000000004F11000-memory.dmp
Filesize
56.7MB
-
memory/3476-182-0x0000000000400000-0x0000000001654000-memory.dmp
Filesize
18.3MB