Analysis

  • max time kernel: 148s
  • max time network: 151s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 25-11-2020 06:03

General

  • Target: z9ERDG51.exe
  • Size: 92KB
  • MD5: cc6a463987484ace0a9f98e327c85c2b
  • SHA1: 1867031e6a7d7057d7d96cfd4ad99eba14afde1e
  • SHA256: 08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3
  • SHA512: 9e8286d422cb012826eeb390073cbeb58b8685b86befd3b620dfce0b5e489db04ce15f91682cd000ac8508ea54e474935eaad3ef6aeaf7d6f4de159609bc9e19

Malware Config

Extracted

  • Family: remcos
  • C2: 185.185.3.40:2404

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Adds policy Run key to start application 2 TTPs 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\z9ERDG51.exe
    "C:\Users\Admin\AppData\Local\Temp\z9ERDG51.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds policy Run key to start application
    • Adds Run key to start application
    • Modifies WinLogon
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\PING.EXE
        PING 127.0.0.1 -n 2
        3⤵
        • Runs ping.exe
        PID:2688
      • C:\Windows\SysWOW64\System32\system32.exe
        "C:\Windows\SysWOW64\System32\system32.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Adds policy Run key to start application
        • Executes dropped EXE
        • Adds Run key to start application
        • Modifies WinLogon
        PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Winlogon Helper DLL (2) T1004
    • Registry Run Keys / Startup Folder (2) T1060
  • Defense Evasion
    • Modify Registry (4) T1112
    • Virtualization/Sandbox Evasion (1) T1497
  • Discovery
    • Query Registry (1) T1012
    • Virtualization/Sandbox Evasion (1) T1497
    • Remote System Discovery (1) T1018

Downloads

  • C:\Users\Admin\AppData\Local\Temp\install.bat
    MD5: 0388d8b82bed97af63fc35118dedf1b5
    SHA1: 1befd7d16a9d58ff84d0c8782edd3c12c56991d7
    SHA256: 9153d5342603a00ad6030e5d20f3eb54a0470ba3fb6762d365b6a781e76dbd4a
    SHA512: d7648007e2673c5fd4f354abd0dfda70c9d7361ceb0e2ff191d46765c9a895f2cd5435db1357b0ad04085a8fd2ead798df76c183a83f814fe554c16223143d58

  • C:\Windows\SysWOW64\System32\system32.exe
    MD5: cc6a463987484ace0a9f98e327c85c2b
    SHA1: 1867031e6a7d7057d7d96cfd4ad99eba14afde1e
    SHA256: 08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3
    SHA512: 9e8286d422cb012826eeb390073cbeb58b8685b86befd3b620dfce0b5e489db04ce15f91682cd000ac8508ea54e474935eaad3ef6aeaf7d6f4de159609bc9e19

  • memory/2408-0-0x0000000000000000-mapping.dmp
  • memory/2688-2-0x0000000000000000-mapping.dmp
  • memory/4060-3-0x0000000000000000-mapping.dmp
  • memory/4060-4-0x0000000000000000-mapping.dmp