Analysis
-
max time kernel
134s -
max time network
137s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
28-03-2023 06:31
Static task
static1
Behavioral task
behavioral1
Sample
Revised_Order_Documentfdp.scr
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Revised_Order_Documentfdp.scr
Resource
win10v2004-20230220-en
General
-
Target
Revised_Order_Documentfdp.scr
-
Size
300.3MB
-
MD5
03a5de4492a409b3fd4dcadb87f6e140
-
SHA1
bb280dad0be2f7641bb83ca7429dc1861f90b39a
-
SHA256
07d8b0e5d6e43ea033dd06335b5b19c179f78733648a79006f9ac20b5c22042e
-
SHA512
2d8c5e179581e7633285df8e5ebcbe39bfed288b4416899d8941b5b138ae3d16b94fe612ea0a6cd1d2db303117b2881e678ffb2017a312b787935ea082589a59
-
SSDEEP
24576:ZTbBv5rUmlWpuLPF/q0f6PoedrSO67Lot/uMrD3gi64o:TBqaPdfuokSHOGMrD3364
Malware Config
Extracted
remcos
RemoteHost
185.246.220.63:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-0ILS8U
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
LocalISaKC_QNKT.exeehkbu.exepid process 2024 LocalISaKC_QNKT.exe 1816 ehkbu.exe -
Loads dropped DLL 1 IoCs
Processes:
wscript.exepid process 1252 wscript.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
ehkbu.exeRegSvcs.exedescription pid process target process PID 1816 set thread context of 928 1816 ehkbu.exe RegSvcs.exe PID 928 set thread context of 940 928 RegSvcs.exe iexplore.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4C60E9A0-CD43-11ED-ADAF-EE84389A6D8F} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4C60E9A2-CD43-11ED-ADAF-EE84389A6D8F}.dat = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
RegSvcs.exepid process 928 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 2008 iexplore.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
AcroRd32.exeiexplore.exeIEXPLORE.EXEpid process 1512 AcroRd32.exe 1512 AcroRd32.exe 1512 AcroRd32.exe 2008 iexplore.exe 2008 iexplore.exe 868 IEXPLORE.EXE 868 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 38 IoCs
Processes:
Revised_Order_Documentfdp.scrLocalISaKC_QNKT.exewscript.exeehkbu.exeRegSvcs.exeiexplore.exeiexplore.exedescription pid process target process PID 1324 wrote to memory of 2024 1324 Revised_Order_Documentfdp.scr LocalISaKC_QNKT.exe PID 1324 wrote to memory of 2024 1324 Revised_Order_Documentfdp.scr LocalISaKC_QNKT.exe PID 1324 wrote to memory of 2024 1324 Revised_Order_Documentfdp.scr LocalISaKC_QNKT.exe PID 1324 wrote to memory of 2024 1324 Revised_Order_Documentfdp.scr LocalISaKC_QNKT.exe PID 1324 wrote to memory of 1512 1324 Revised_Order_Documentfdp.scr AcroRd32.exe PID 1324 wrote to memory of 1512 1324 Revised_Order_Documentfdp.scr AcroRd32.exe PID 1324 wrote to memory of 1512 1324 Revised_Order_Documentfdp.scr AcroRd32.exe PID 1324 wrote to memory of 1512 1324 Revised_Order_Documentfdp.scr AcroRd32.exe PID 2024 wrote to memory of 1252 2024 LocalISaKC_QNKT.exe wscript.exe PID 2024 wrote to memory of 1252 2024 LocalISaKC_QNKT.exe wscript.exe PID 2024 wrote to memory of 1252 2024 LocalISaKC_QNKT.exe wscript.exe PID 2024 wrote to memory of 1252 2024 LocalISaKC_QNKT.exe wscript.exe PID 1252 wrote to memory of 1816 1252 wscript.exe ehkbu.exe PID 1252 wrote to memory of 1816 1252 wscript.exe ehkbu.exe PID 1252 wrote to memory of 1816 1252 wscript.exe ehkbu.exe PID 1252 wrote to memory of 1816 1252 wscript.exe ehkbu.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 1816 wrote to memory of 928 1816 ehkbu.exe RegSvcs.exe PID 928 wrote to memory of 940 928 RegSvcs.exe iexplore.exe PID 928 wrote to memory of 940 928 RegSvcs.exe iexplore.exe PID 928 wrote to memory of 940 928 RegSvcs.exe iexplore.exe PID 928 wrote to memory of 940 928 RegSvcs.exe iexplore.exe PID 928 wrote to memory of 940 928 RegSvcs.exe iexplore.exe PID 940 wrote to memory of 2008 940 iexplore.exe iexplore.exe PID 940 wrote to memory of 2008 940 iexplore.exe iexplore.exe PID 940 wrote to memory of 2008 940 iexplore.exe iexplore.exe PID 940 wrote to memory of 2008 940 iexplore.exe iexplore.exe PID 2008 wrote to memory of 868 2008 iexplore.exe IEXPLORE.EXE PID 2008 wrote to memory of 868 2008 iexplore.exe IEXPLORE.EXE PID 2008 wrote to memory of 868 2008 iexplore.exe IEXPLORE.EXE PID 2008 wrote to memory of 868 2008 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\Revised_Order_Documentfdp.scr"C:\Users\Admin\AppData\Local\Temp\Revised_Order_Documentfdp.scr" /S1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exe"C:\Users\Admin\AppData\LocalISaKC_QNKT.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" pxbffb-fpkmd.bmp.vbe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe"C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exe" osoek.dat4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
\??\c:\program files (x86)\internet explorer\iexplore.exe"c:\program files (x86)\internet explorer\iexplore.exe"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.07⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2008 CREDAT:275457 /prefetch:28⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\LocalEakfkhbzPY.pdf"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalEakfkhbzPY.pdfFilesize
167KB
MD52cfecbd58e0eec099942e74f05c38cff
SHA14cf962574cacef01d9f5ec911542c55c2af0c64e
SHA256b218d8a4ee4c29a98a3a5e6218a1836d7dfd36f5565117dc15b7a0c903da8abe
SHA51287ef346dc8fff5de0663e9ade5a98f5436a594e0f57390bbb242b09897690d77d01e6f7cee25af5aaf65f7d406a765520e5b98c60c873e4f4fc3d58c248a5304
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA104664634a6d9e87286e27a30ef8117e198669647
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
SHA51271488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8
-
C:\Users\Admin\AppData\LocalISaKC_QNKT.exeFilesize
300.0MB
MD59dbf6919c0982fdf363d666b9cea97ee
SHA104664634a6d9e87286e27a30ef8117e198669647
SHA25674180ea67b2047e7225720e1735ecb9ab1322797704bd606ac54f4c1c9c4afc2
SHA51271488336954aae0233bb0e822934a69d28aa8d4b1542780a2c22b82e45e45a4798f539fa0510f264753b3548dc439a71f9385b2ab7faeb3488b56fd0427e6ed8
-
C:\Users\Admin\AppData\Local\Temp\cppv\dbamss.rpgFilesize
868KB
MD53018e14b39c9633d246c9d5e2bff88fd
SHA109ca88027622c823f804786f9192f3e0dadad09d
SHA25632e400fd227d0590d1ba5628ffc300d4c67a1e26764ae6ebae3cf74762e8a6d8
SHA512bfbb15efb7d38e6917898402406031c84c20efcf07ccdc28c6ad2bced9165037a0341e0471443a9adffa82dd878decc35d866064cf2914221b53ec3969d8f827
-
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exeFilesize
944KB
MD576ab3e669b01f2a037c34060a4e9ea02
SHA18a04e160052b1fcf803c7d867f8b1c3682ecda62
SHA256c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583
SHA512d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223
-
C:\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exeFilesize
944KB
MD576ab3e669b01f2a037c34060a4e9ea02
SHA18a04e160052b1fcf803c7d867f8b1c3682ecda62
SHA256c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583
SHA512d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223
-
C:\Users\Admin\AppData\Local\Temp\cppv\ggcoopcd.exeFilesize
36KB
MD5ae20d990918c3003eadad115c7c54c9c
SHA1f9e72d61f73fe382143cc4f2a52d3e76c71a4d3b
SHA256ea266dc747fd492bae1682595dbb066fc0cca80db84c8757c5c719a7af5faa4e
SHA5124bfc52bbeba535d5674b2cb6713c9d8eef7e716169ec64e6b6f90ad22a43d7bd3aaa0c5ff4c6a6e9745849d35641b4eb1f13cbacf895b4592d0c4dcde9c64aa4
-
C:\Users\Admin\AppData\Local\Temp\cppv\osoek.datFilesize
93.1MB
MD510bf7c6ad8a79508841359d1e00487de
SHA19b9d4294260b86ac0d9d6307830329aeff4cff6c
SHA25634d15509786fac4f4ca1d7181e10614b1fc5fc3e5c1add6428e64594fec43ebf
SHA51204ad60f5fd4ef57d884f421e46c56d29a30c2633cab37be36778b78bd858434a6746180f0c107f27c999cd4e162a612f853df8ab575d4ffc9e081e84fe01d87e
-
C:\Users\Admin\AppData\Local\temp\cppv\pxbffb-fpkmd.bmp.vbeFilesize
47KB
MD53345543b3aa28f415cfc7665cd95b02a
SHA13f1a2588ea4b36eaee50ec5146df7f42a8b063f9
SHA256260b3c71b33ae80765af93908120ff5948cb65daca9dca2165f6807b20c41853
SHA51253794a66f55395af601bff752e113cd7d5dc02b4d187bb6e9ab54e7e7abd9c9f399d8a7c40f45a5a023ac919218495b78b589ffd47eb5923f402ec68b2d28b26
-
\Users\Admin\AppData\Local\Temp\cppv\ehkbu.exeFilesize
944KB
MD576ab3e669b01f2a037c34060a4e9ea02
SHA18a04e160052b1fcf803c7d867f8b1c3682ecda62
SHA256c060f8a33c68264bb01616527642a4432ac4ddbecaf006c585e8199593f31583
SHA512d728cf3c4e12845f8efd05a8d9e2e2e2f0c13de85806cbd4d96c5f97ce823c115c827ec16dd87a93c7f11e80a12afce076724d8cc873d130be9464438c0b3223
-
memory/928-148-0x0000000000260000-0x000000000098C000-memory.dmpFilesize
7.2MB
-
memory/928-143-0x0000000000260000-0x000000000098C000-memory.dmpFilesize
7.2MB
-
memory/928-145-0x0000000000260000-0x000000000098C000-memory.dmpFilesize
7.2MB
-
memory/928-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/928-147-0x0000000000260000-0x000000000098C000-memory.dmpFilesize
7.2MB
-
memory/928-151-0x0000000000260000-0x000000000098C000-memory.dmpFilesize
7.2MB
-
memory/940-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/940-150-0x0000000000080000-0x000000000008E000-memory.dmpFilesize
56KB
-
memory/940-153-0x0000000000080000-0x000000000008E000-memory.dmpFilesize
56KB
-
memory/940-155-0x0000000000080000-0x000000000008E000-memory.dmpFilesize
56KB
-
memory/1324-55-0x0000000001300000-0x0000000002300000-memory.dmpFilesize
16.0MB
-
memory/1324-54-0x00000000009F0000-0x0000000000A70000-memory.dmpFilesize
512KB