Analysis
- max time kernel: 98s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200217
- submitted: 18-02-2020 17:03
Static task: static1
Behavioral task: behavioral1
- Sample: remcos.bin.exe
- Resource: win7v200217 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: remcos.bin.exe
- Resource: win10v200217 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: remcos.bin.exe
- Size: 360KB
- MD5: c8cd8226c29bbaed1b40691f25793833
- SHA1: e6e802589ce0589bb1a7b17f93661dcffb67598d
- SHA256: d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf
- SHA512: 3de43aae6c5fb9bc8e900ed73f3c26ccc5fbe32ed283cfb6cfc30af4e2d2fb3402723d1298f5a82d4c6cbc50b8da59b602ddb702b45a23ccef2db1f34950e758
- Score: 7/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 4040 wrote to memory of 3712 | 4040 | remcos.bin.exe | powershell.exe
  - PID 4040 wrote to memory of 3712 | 4040 | remcos.bin.exe | powershell.exe
  - PID 4040 wrote to memory of 3712 | 4040 | remcos.bin.exe | powershell.exe
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  - 984 | 3712 | WerFault.exe | powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeRestorePrivilege | 984 | WerFault.exe
  - Token: SeBackupPrivilege | 984 | WerFault.exe
  - Token: SeDebugPrivilege | 984 | WerFault.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid | process):
  - 984 | WerFault.exe (14 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\sysq.ps1"
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1156
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses