Overview

overview

10

Static

static

11a7d2f272...83.exe

windows7_x64

10

11a7d2f272...83.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe

  • Size

    257KB

  • MD5

    6546310491f91536d50a4afec31d29ad

  • SHA1

    fe52fb147856063236b35cfc44109c433c4f80c3

  • SHA256

    11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

  • SHA512

    79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

Score
10/10
remcoscoreentitypersistenceratrezer0

Malware Config

Extracted

Family

remcos

C2

vuelta2020.ddns.net:7373

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe
    "C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEEoAfyRNnKsrH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6C69.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1124
    • C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe
      "{path}"
      2⤵
      • Modifies WinLogon for persistence
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Modifies WinLogon
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1292
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win\win.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:676
          • C:\Users\Admin\AppData\Roaming\win\win.exe
            C:\Users\Admin\AppData\Roaming\win\win.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEEoAfyRNnKsrH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp"
              6⤵
              • Creates scheduled task(s)
              PID:1756
            • C:\Users\Admin\AppData\Roaming\win\win.exe
              "{path}"
              6⤵
              • Modifies WinLogon for persistence
              • Adds policy Run key to start application
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies WinLogon
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:864
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                7⤵
                  PID:1808

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    2
    T1004

    Registry Run Keys / Startup Folder

    2
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      MD5

      b1761d84b463c9e5446da97d24428723

      SHA1

      9e85ffc552655c87e6aaddf242649481d9453f6b

      SHA256

      c09b10e952b509d49f0488b6209f26ff65c1f8b0a2a63697dca663b5d9146155

      SHA512

      85971d8371df0188b4199dd3e0e069ffbfc210c29c249600b19890db1ee161619936a4c9e3693487378f9fac5af11b11dba53dc14015d4a4f90c705ed9375ffc

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp6C69.tmp
      MD5

      3caf311b74261160e1f95a6179cbe82e

      SHA1

      118806d6de5751a77a100455d2ac3024c5b5a8fa

      SHA256

      2b7f692996750feb2f481a6e3a4e2fcfd9122abbda8b92345f0b73781fe8bb90

      SHA512

      1886b862147d5464342c79092a687784a5041819ba46a66dfb67da86e77b3f471e575f811e3b1599e3bd59e56d2c476628ac86287d3da3e6360d676e0d09435f

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp81EC.tmp
      MD5

      3caf311b74261160e1f95a6179cbe82e

      SHA1

      118806d6de5751a77a100455d2ac3024c5b5a8fa

      SHA256

      2b7f692996750feb2f481a6e3a4e2fcfd9122abbda8b92345f0b73781fe8bb90

      SHA512

      1886b862147d5464342c79092a687784a5041819ba46a66dfb67da86e77b3f471e575f811e3b1599e3bd59e56d2c476628ac86287d3da3e6360d676e0d09435f

      Download Submit
    • C:\Users\Admin\AppData\Roaming\win\win.exe
      MD5

      6546310491f91536d50a4afec31d29ad

      SHA1

      fe52fb147856063236b35cfc44109c433c4f80c3

      SHA256

      11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

      SHA512

      79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\win\win.exe
      MD5

      6546310491f91536d50a4afec31d29ad

      SHA1

      fe52fb147856063236b35cfc44109c433c4f80c3

      SHA256

      11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

      SHA512

      79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

      Download Submit
    • C:\Users\Admin\AppData\Roaming\win\win.exe
      MD5

      6546310491f91536d50a4afec31d29ad

      SHA1

      fe52fb147856063236b35cfc44109c433c4f80c3

      SHA256

      11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

      SHA512

      79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

      Download Submit
    • \Users\Admin\AppData\Roaming\win\win.exe
      MD5

      6546310491f91536d50a4afec31d29ad

      SHA1

      fe52fb147856063236b35cfc44109c433c4f80c3

      SHA256

      11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

      SHA512

      79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

      Download Submit
    • memory/676-12-0x0000000000000000-mapping.dmp
      Download
    • memory/864-28-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/864-26-0x0000000000413A84-mapping.dmp
      Download
    • memory/1040-3-0x0000000000560000-0x0000000000562000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1040-1-0x0000000000380000-0x0000000000381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1040-0-0x0000000074900000-0x0000000074FEE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1040-4-0x0000000001E60000-0x0000000001E87000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1124-5-0x0000000000000000-mapping.dmp
      Download
    • memory/1292-10-0x0000000000000000-mapping.dmp
      Download
    • memory/1292-17-0x0000000002770000-0x0000000002774000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1616-15-0x0000000000000000-mapping.dmp
      Download
    • memory/1616-19-0x0000000001280000-0x0000000001281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1616-18-0x00000000735B0000-0x0000000073C9E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1624-7-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1624-8-0x0000000000413A84-mapping.dmp
      Download
    • memory/1624-9-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1756-23-0x0000000000000000-mapping.dmp
      Download
    • memory/1808-29-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/1808-30-0x000000000044193A-mapping.dmp
      Download
    • memory/1808-31-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download
    • memory/1808-32-0x0000000000400000-0x0000000000446000-memory.dmp
      Filesize

      280KB

      Download