d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf | Triage

Analysis

max time kernel
98s
max time network
150s
platform
windows10_x64
resource
win10v200217
submitted
18-02-2020 17:03

Sharing

General

Target

remcos.bin.exe
Size

360KB
MD5

c8cd8226c29bbaed1b40691f25793833
SHA1

e6e802589ce0589bb1a7b17f93661dcffb67598d
SHA256

d783cab5c5ae5cada441b48ab938855e5fb5a0f696f31f86d68479041cc991cf
SHA512

3de43aae6c5fb9bc8e900ed73f3c26ccc5fbe32ed283cfb6cfc30af4e2d2fb3402723d1298f5a82d4c6cbc50b8da59b602ddb702b45a23ccef2db1f34950e758

Score

7^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

remcos.bin.exe

description	pid	process	target process
PID 4040 wrote to memory of 3712	4040	remcos.bin.exe	powershell.exe
PID 4040 wrote to memory of 3712	4040	remcos.bin.exe	powershell.exe
PID 4040 wrote to memory of 3712	4040	remcos.bin.exe	powershell.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

984 3712 WerFault.exe powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 984 WerFault.exe
Token: SeBackupPrivilege 984 WerFault.exe
Token: SeDebugPrivilege 984 WerFault.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe
"C:\Users\Admin\AppData\Local\Temp\remcos.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\sysq.ps1"
2⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 1156
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-0-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/984-1-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/984-3-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download