Analysis
max time kernel: 137s
max time network: 140s
platform: windows10_x64
resource: win10v20201028
submitted: 15-12-2020 09:48

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Backdoor.Remcos.20284.exe
Resource: win7v20201028
General
Target: SecuriteInfo.com.Backdoor.Remcos.20284.exe
Size: 866KB
MD5: d543a59ba12985acaf4134c3ff427b86
SHA1: 626f4d2877429d63586bc0ccfdf313911b6817c8
SHA256: 45758c4c53cd20b6f598a9cba7185150543d829eee00aaa8dc565cefd59e9909
SHA512: 80bfd4931b4a0e032fd583544cdf4fe36a0791d988b3ccfdcffe826fb1f93dabadf9de7f0a309da5eca1972839420e0c4bac796b9768d740075980459962689e
Malware Config
Signatures
NetWire RAT payload (3 IoCs)
YARA rule "netwire" matched the following memory dumps, all taken from the child process (PID 1584):
  behavioral2/memory/1584-16-0x0000000000400000-0x000000000042C000-memory.dmp
  behavioral2/memory/1584-17-0x0000000000402BCB-mapping.dmp
  behavioral2/memory/1584-18-0x0000000000400000-0x000000000042C000-memory.dmp
The submitted filename carries a "Remcos" label, but that label comes from the sample's name, not from this analysis: the YARA matches on the unpacked code and the Run value name "NetWire" written below both identify the injected payload as NetWire.
Looks for VirtualBox Guest Additions in registry (2 TTPs)
Looks for VMWare Tools registry key (2 TTPs)
Modifies Installed Components in the registry (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  Key created: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
  Set value (str): \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Backdoor.Remcos.20284.exe"
The persistence value points back at the sample's own path in the user's Temp directory; in this run the file was not copied to a second location, so the Run value "NetWire" under HKCU and the Temp path are the host artifacts to hunt for.
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
Disk\Enum\0 holds the device instance path of the first disk, which on a virtual machine typically names the hypervisor's virtual disk vendor; reading it alongside the two BIOS version strings above is a common VM check.
Suspicious use of SetThreadContext (1 IoCs)
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  PID 1924 set thread context of PID 1584 (target process: SecuriteInfo.com.Backdoor.Remcos.20284.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  PID 1924 (4 events)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  Token: SeDebugPrivilege, PID 1924

Suspicious use of WriteProcessMemory (10 IoCs)
Process: SecuriteInfo.com.Backdoor.Remcos.20284.exe
  PID 1924 wrote to memory of PID 1584 (target process: SecuriteInfo.com.Backdoor.Remcos.20284.exe), 10 events

Taken together, the WriteProcessMemory and SetThreadContext signatures describe process hollowing: PID 1924 starts a second instance of its own image (PID 1584), writes the unpacked payload into it with WriteProcessMemory, then redirects the child's thread with SetThreadContext so execution begins inside the injected code rather than at the original entry point. The NetWire YARA hits and the Run key write are both attributed to PID 1584, the hollowed child, which is why the payload is visible only in the child's memory dumps.
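The signature rows above can be turned into detection logic directly. The following is an added example, not code from the sandbox or from the sample: it transcribes the report's rows as constructed events (PID attribution follows the process tree below, i.e. the registry probes by the parent 1924 and the Run key write by the child 1584), then flags the three behaviours a triage analyst wants from this report, namely repeated hardware-descriptor reads, a value written under CurrentVersion\Run, and a WriteProcessMemory plus SetThreadContext pair against one target. The event model and the `min_distinct` threshold are assumptions of the example; the ATT&CK IDs are the current ones, not the v6 IDs the page's matrix section refers to.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One row from the sandbox's behavioural tables (assumed schema)."""
    pid: int      # acting process
    op: str       # reg_query | reg_open | reg_set | adjust_token | write_process_memory | set_thread_context
    target: str   # registry path ("path=data" for reg_set), privilege name, or target PID


# Constructed input: the rows of the report's signature tables, one event each.
EVENTS = [
    Event(1924, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(1924, "reg_query", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(1924, "reg_open", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    Event(1924, "reg_query", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0"),
    Event(1924, "adjust_token", "SeDebugPrivilege"),
    *([Event(1924, "write_process_memory", "1584")] * 10),   # 10 IoCs in the report
    Event(1924, "set_thread_context", "1584"),
    Event(1584, "reg_set",
          r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000"
          r"\Software\Microsoft\Windows\CurrentVersion\Run\NetWire"
          r"=C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Backdoor.Remcos.20284.exe"),
]

# Registry locations whose contents reveal a hypervisor; matched case-insensitively as substrings.
SANDBOX_PROBE_MARKERS = ("systembiosversion", "videobiosversion", r"services\disk\enum")


def sandbox_probes(events, min_distinct=2):
    """Per PID, the distinct hardware-descriptor keys it read.

    One such read is common in legitimate software; two or more distinct
    probes by a single process is the pattern the signatures above key on."""
    seen = defaultdict(set)
    for e in events:
        if e.op in ("reg_query", "reg_open") and any(m in e.target.lower() for m in SANDBOX_PROBE_MARKERS):
            seen[e.pid].add(e.target)
    return {pid: sorted(keys) for pid, keys in seen.items() if len(keys) >= min_distinct}


def run_key_persistence(events):
    """(pid, value name, command) for every value written under ...\\CurrentVersion\\Run."""
    found = []
    for e in events:
        if e.op != "reg_set":
            continue
        path, _, data = e.target.partition("=")
        key, _, value_name = path.rpartition("\\")
        if key.lower().endswith(r"\currentversion\run"):
            found.append((e.pid, value_name, data))
    return found


def enabled_privileges(events):
    """pid -> set of privileges the process enabled on its own token."""
    privs = defaultdict(set)
    for e in events:
        if e.op == "adjust_token":
            privs[e.pid].add(e.target)
    return privs


def process_hollowing(events):
    """(source pid, target pid) -> WriteProcessMemory count, for every pair
    where the source also overwrote the target's thread context."""
    writes = Counter((e.pid, int(e.target)) for e in events if e.op == "write_process_memory")
    hijacked = {(e.pid, int(e.target)) for e in events if e.op == "set_thread_context"}
    return {pair: writes[pair] for pair in hijacked if writes[pair]}


def triage(events):
    """Human-readable findings; the list is empty for a clean run."""
    findings = []
    for pid, keys in sandbox_probes(events).items():
        findings.append(f"T1497.001 sandbox/VM probing by PID {pid}: {len(keys)} hardware keys read")
    for pid, name, cmd in run_key_persistence(events):
        findings.append(f"T1547.001 Run key persistence by PID {pid}: {name} -> {cmd}")
    privs = enabled_privileges(events)
    for (src, dst), n in process_hollowing(events).items():
        extra = f" (with {', '.join(sorted(privs[src]))})" if privs.get(src) else ""
        findings.append(f"T1055.012 process hollowing: PID {src} wrote {n}x into PID {dst} "
                        f"and reset its thread context{extra}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The same three checks translate to Sysmon (event IDs 13 for the Run value, 10 for the cross-process access) or an EDR's telemetry; the point of keeping the write count is that a hollowing tool writes headers and sections in several calls, so one write into a child plus a context change is already enough to raise the finding.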
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Backdoor.Remcos.20284.exe (PID 1924 in the signatures above)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Backdoor.Remcos.20284.exe"
    - Checks BIOS information in registry
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] child of [1]: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Backdoor.Remcos.20284.exe (PID 1584, the hollowed instance)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Backdoor.Remcos.20284.exe"
      - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file name, region size):
  memory/1584-16-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
  memory/1584-17-0x0000000000402BCB-mapping.dmp                     (mapping, no region size)
  memory/1584-18-0x0000000000400000-0x000000000042C000-memory.dmp   176KB
  memory/1924-2-0x0000000073900000-0x0000000073FEE000-memory.dmp    6.9MB
  memory/1924-3-0x0000000000A60000-0x0000000000A61000-memory.dmp    4KB
  memory/1924-5-0x0000000007BE0000-0x0000000007BE1000-memory.dmp    4KB
  memory/1924-6-0x0000000008180000-0x0000000008181000-memory.dmp    4KB
  memory/1924-7-0x0000000007C80000-0x0000000007C81000-memory.dmp    4KB
  memory/1924-8-0x0000000007BB0000-0x0000000007BB1000-memory.dmp    4KB
  memory/1924-9-0x0000000007E40000-0x0000000007E41000-memory.dmp    4KB
  memory/1924-10-0x0000000029120000-0x0000000049108000-memory.dmp   511.9MB
  memory/1924-11-0x0000000049460000-0x00000000494A9000-memory.dmp   292KB
  memory/1924-12-0x0000000008170000-0x0000000008178000-memory.dmp   32KB
  memory/1924-14-0x00000000495D0000-0x00000000495FC000-memory.dmp   176KB
  memory/1924-15-0x00000000496B0000-0x00000000496B1000-memory.dmp   4KB
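The dump names encode everything needed to tie the memory listing back to the hollowing signatures: PID, sequence number, start address and, for region dumps, end address. The child's two 176KB regions both start at 0x400000, the default image base of a 32-bit PE, and the child's mapping dump at 0x402BCB falls inside that region, consistent with the thread context having been pointed into the injected image. The parent has exactly one region of the same 176KB size (1924-14), which is the natural candidate for the staging copy that was written into the child. The following is an added example, not tooling from the sandbox: it parses the names listed above (constructed here as the input list), recomputes the sizes the report shows, and correlates child and parent regions. Reading the mapping dump as the hijacked thread's start address, and equal size as evidence of a staging copy, are assumptions of this example; confirm the latter by hashing or diffing the two dumps.

```python
import re

# Dump file names exactly as listed in the Downloads section above
# (constructed input for this example).
DUMPS = [
    "memory/1584-16-0x0000000000400000-0x000000000042C000-memory.dmp",
    "memory/1584-17-0x0000000000402BCB-mapping.dmp",
    "memory/1584-18-0x0000000000400000-0x000000000042C000-memory.dmp",
    "memory/1924-2-0x0000000073900000-0x0000000073FEE000-memory.dmp",
    "memory/1924-3-0x0000000000A60000-0x0000000000A61000-memory.dmp",
    "memory/1924-5-0x0000000007BE0000-0x0000000007BE1000-memory.dmp",
    "memory/1924-6-0x0000000008180000-0x0000000008181000-memory.dmp",
    "memory/1924-7-0x0000000007C80000-0x0000000007C81000-memory.dmp",
    "memory/1924-8-0x0000000007BB0000-0x0000000007BB1000-memory.dmp",
    "memory/1924-9-0x0000000007E40000-0x0000000007E41000-memory.dmp",
    "memory/1924-10-0x0000000029120000-0x0000000049108000-memory.dmp",
    "memory/1924-11-0x0000000049460000-0x00000000494A9000-memory.dmp",
    "memory/1924-12-0x0000000008170000-0x0000000008178000-memory.dmp",
    "memory/1924-14-0x00000000495D0000-0x00000000495FC000-memory.dmp",
    "memory/1924-15-0x00000000496B0000-0x00000000496B1000-memory.dmp",
]

# <pid>-<seq>-0x<start>[-0x<end>]-(memory|mapping).dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump(name):
    """Split one dump name into its fields; size is 0 for mapping dumps."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
        "start": start, "end": end,
        "size": (end - start) if end is not None else 0,
    }


def human_size(n):
    """Render a byte count the way the report does (176KB, 6.9MB, 511.9MB)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    kb = n / 1024
    return f"{kb:g}KB" if kb == int(kb) else f"{kb:.1f}KB"


def entry_region(dumps, pid):
    """The first region of `pid` that contains one of its mapping addresses,
    and that address as an RVA from the region base. (None, None) if there is
    no mapping dump or it lies outside every dumped region."""
    mine = [d for d in dumps if d["pid"] == pid]
    mapped = [d["start"] for d in mine if d["kind"] == "mapping"]
    for d in mine:
        if d["kind"] != "memory":
            continue
        for addr in mapped:
            if d["start"] <= addr < d["end"]:
                return d, addr - d["start"]
    return None, None


def staging_candidates(dumps, parent_pid, size):
    """Sequence numbers of parent regions whose size equals the injected image's."""
    return sorted(d["seq"] for d in dumps
                  if d["pid"] == parent_pid and d["kind"] == "memory" and d["size"] == size)


def correlate(names, parent_pid, child_pid):
    """Tie the child's injected image to the parent's matching region."""
    dumps = [parse_dump(n) for n in names]
    region, rva = entry_region(dumps, child_pid)
    if region is None:
        return None
    return {
        "child_image_base": region["start"],
        "child_image_size": region["size"],
        "entry_rva": rva,
        "parent_staging_seqs": staging_candidates(dumps, parent_pid, region["size"]),
    }


if __name__ == "__main__":
    for d in (parse_dump(n) for n in DUMPS):
        print(f"{d['pid']}-{d['seq']:<3} {d['kind']:<8} 0x{d['start']:08X}  {human_size(d['size'])}")
    print(correlate(DUMPS, parent_pid=1924, child_pid=1584))
```

Run against the list above, `correlate` reports an image base of 0x400000, a size of 0x2C000 (176KB), an entry RVA of 0x2BCB and the single parent candidate 1924-14; the 6.9MB region at 0x73900000 and the 511.9MB region at 0x29120000 are reproduced with the report's own rounding, which is a quick sanity check that the name parsing is right before any dump is opened.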