Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10v200217 -
submitted
09-03-2020 00:30
General
-
Target
DHL 2723382830領収書,pdf.exe
-
Size
654KB
-
MD5
cb4a7469e6eb99572ba41e5aff6c63c5
-
SHA1
b760cdb563386f0afbafea1f793d7ba16cef4167
-
SHA256
55de0a43df1a914bef31d31c8fcdc495a25ebbd90d9ef44a329030da306d9313
-
SHA512
aa9e6135cdcda394aaa760b7836c27c059fa4afcac8e5b0473c34ead56b39753add220bf8a1cf989bd770032c2adab5975da5b854a2073f3eae011f94f231634
Score
10/10
Malware Config
Extracted
Family
remcos
C2
favournwa.ddns.net:7171
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious behavior: EnumeratesProcesses 1578 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Drops startup file 1 IoCs
-
NTFS ADS 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL 2723382830領収書,pdf.exe"C:\Users\Admin\AppData\Local\Temp\DHL 2723382830領収書,pdf.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- NTFS ADS
-
C:\Users\Admin\AppData\Roaming\grace\dfghjhjgf.exe"C:\Users\Admin\AppData\Roaming\grace\dfghjhjgf.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious behavior: MapViewOfSection
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\grace\dfghjhjgf.exe"C:\Users\Admin\AppData\Roaming\grace\dfghjhjgf.exe"3⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\grace\dfghjhjgf.exe"C:\Users\Admin\AppData\Roaming\grace\dfghjhjgf.exe" 2 3368 884063⤵
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
Filesize
128KB
-
Filesize
128KB