Overview

overview

10

Static

static

11a7d2f272...83.exe

windows7_x64

10

11a7d2f272...83.exe

windows10_x64

10

Analysis

  • max time kernel
    12s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe

  • Size

    257KB

  • MD5

    6546310491f91536d50a4afec31d29ad

  • SHA1

    fe52fb147856063236b35cfc44109c433c4f80c3

  • SHA256

    11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

  • SHA512

    79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

Score
10/10
remcoscoreentitypersistenceratrezer0

Malware Config

Extracted

Family

remcos

C2

vuelta2020.ddns.net:7373

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Adds policy Run key to start application 2 TTPs 4 IoCs
    persistence
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Modifies WinLogon 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe
    "C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEEoAfyRNnKsrH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7507.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4392
    • C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe
      "{path}"
      2⤵
        PID:3948
      • C:\Users\Admin\AppData\Local\Temp\11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83.exe
        "{path}"
        2⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Adds Run key to start application
        • Modifies WinLogon
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3924
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:4444
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win\win.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1008
            • C:\Users\Admin\AppData\Roaming\win\win.exe
              C:\Users\Admin\AppData\Roaming\win\win.exe
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1124
              • C:\Windows\SysWOW64\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEEoAfyRNnKsrH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8216.tmp"
                6⤵
                • Creates scheduled task(s)
                PID:1612
              • C:\Users\Admin\AppData\Roaming\win\win.exe
                "{path}"
                6⤵
                • Modifies WinLogon for persistence
                • Adds policy Run key to start application
                • Executes dropped EXE
                • Adds Run key to start application
                • Modifies WinLogon
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                  7⤵
                    PID:2192

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Winlogon Helper DLL

      2
      T1004

      Registry Run Keys / Startup Folder

      2
      T1060

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        MD5

        b1761d84b463c9e5446da97d24428723

        SHA1

        9e85ffc552655c87e6aaddf242649481d9453f6b

        SHA256

        c09b10e952b509d49f0488b6209f26ff65c1f8b0a2a63697dca663b5d9146155

        SHA512

        85971d8371df0188b4199dd3e0e069ffbfc210c29c249600b19890db1ee161619936a4c9e3693487378f9fac5af11b11dba53dc14015d4a4f90c705ed9375ffc

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp7507.tmp
        MD5

        3fa7f43c3b0f9f35f3130e5adcc6da59

        SHA1

        15811a162939c98d27273500719bf1c268988f43

        SHA256

        4466b0506781ae5a605f9637439f6b7cdf287d91f022ae4061b7abdd48cdfc7d

        SHA512

        462d26970ebe90103ea95877385217639d363003490a453167b6d4645c48288c9975f29cd9e781b06689f1fcfa52fd49867d4a9d6b6c2dd375999e792bf7c002

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp8216.tmp
        MD5

        3fa7f43c3b0f9f35f3130e5adcc6da59

        SHA1

        15811a162939c98d27273500719bf1c268988f43

        SHA256

        4466b0506781ae5a605f9637439f6b7cdf287d91f022ae4061b7abdd48cdfc7d

        SHA512

        462d26970ebe90103ea95877385217639d363003490a453167b6d4645c48288c9975f29cd9e781b06689f1fcfa52fd49867d4a9d6b6c2dd375999e792bf7c002

        Download Submit
      • C:\Users\Admin\AppData\Roaming\win\win.exe
        MD5

        6546310491f91536d50a4afec31d29ad

        SHA1

        fe52fb147856063236b35cfc44109c433c4f80c3

        SHA256

        11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

        SHA512

        79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

        Download Submit
      • C:\Users\Admin\AppData\Roaming\win\win.exe
        MD5

        6546310491f91536d50a4afec31d29ad

        SHA1

        fe52fb147856063236b35cfc44109c433c4f80c3

        SHA256

        11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

        SHA512

        79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

        Download Submit
      • C:\Users\Admin\AppData\Roaming\win\win.exe
        MD5

        6546310491f91536d50a4afec31d29ad

        SHA1

        fe52fb147856063236b35cfc44109c433c4f80c3

        SHA256

        11a7d2f2722df45e01851eb75765dbcb21f70ea9c8f89f58b9e8ccacda92cc83

        SHA512

        79c52bf52ffa8d35822e9c9496391d3325c44a723e1036dc5bc9ac40769fdecb0abb000db0ff7bf95bf1b51166449540ede564c4902530a07ae1c0319877cfed

        Download Submit
      • memory/1008-16-0x0000000000000000-mapping.dmp
        Download
      • memory/1124-20-0x00000000739D0000-0x00000000740BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1124-17-0x0000000000000000-mapping.dmp
        Download
      • memory/1612-29-0x0000000000000000-mapping.dmp
        Download
      • memory/2036-34-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/2036-32-0x0000000000413A84-mapping.dmp
        Download
      • memory/2192-35-0x0000000000400000-0x0000000000446000-memory.dmp
        Filesize

        280KB

        Download
      • memory/2192-36-0x000000000044193A-mapping.dmp
        Download
      • memory/3924-13-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/3924-12-0x0000000000413A84-mapping.dmp
        Download
      • memory/3924-11-0x0000000000400000-0x0000000000420000-memory.dmp
        Filesize

        128KB

        Download
      • memory/4392-9-0x0000000000000000-mapping.dmp
        Download
      • memory/4444-14-0x0000000000000000-mapping.dmp
        Download
      • memory/4800-0-0x00000000739D0000-0x00000000740BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4800-8-0x0000000008E20000-0x0000000008E47000-memory.dmp
        Filesize

        156KB

        Download
      • memory/4800-7-0x0000000005660000-0x0000000005662000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4800-6-0x0000000008D10000-0x0000000008D11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-5-0x00000000052D0000-0x00000000052D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-4-0x0000000005210000-0x0000000005211000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-3-0x0000000005710000-0x0000000005711000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-1-0x00000000008D0000-0x00000000008D1000-memory.dmp
        Filesize

        4KB

        Download