Overview

overview

10

Static

static

image00293...F7.exe

windows7_x64

10

image00293...F7.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30-12-2020 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    image002933894HF8474H038RHF7.exe

  • Size

    2.6MB

  • MD5

    a20b5a07ccf2b7dc101161b49f140626

  • SHA1

    53493c31d96556211b32e2ce078d5d63f6f5329a

  • SHA256

    c07fd0e28659f9346a6330682e6c598df98402f2b853b6e00fef908ce432ee42

  • SHA512

    45d49d0b5ea7c326e4e564db0cf347b2e058ab33e93a318019ec8daf2e515dea8ad636b87ca298fcb3d5ebad1e87f1eb51513a88c34c119534bea63478dd2e40

Score
10/10
remcosevasionpersistencerattrojan

Malware Config

Extracted

Family

remcos

C2

www.alldatalogs.xyz:2404

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\image002933894HF8474H038RHF7.exe
    "C:\Users\Admin\AppData\Local\Temp\image002933894HF8474H038RHF7.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image002933894HF8474H038RHF7.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:388
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image002933894HF8474H038RHF7.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image002933894HF8474H038RHF7.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\image002933894HF8474H038RHF7.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3724
    • C:\Users\Admin\AppData\Local\Temp\image002933894HF8474H038RHF7.exe
      "C:\Users\Admin\AppData\Local\Temp\image002933894HF8474H038RHF7.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:196

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    bdf0bd2566f357fabdeb393df965f416

    SHA1

    217509a16579a42e17998ed37baa8ea442978e93

    SHA256

    97295ecd156f6c66497fad5d7d3ce5bb54ac64a4bf79bf23761e632283a4ab6a

    SHA512

    a34e953d824c964b972a198d80d8c96abfa6f75d949d6a94032327ada8acf501383a4abb572d058fb2f21178136f6ba7a8bfcf0d00d10cbf0523519365963705

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    48fec4d39cff7403de68e73074118e53

    SHA1

    54e1065609d8b46f4bd36ae26d18d866d1f2788f

    SHA256

    0d4b463cfd2336387e71194dcd55bc901bfb7525a1914b22e628c4617a72922a

    SHA512

    0ae5a6931b9c3400393893e22cfeba377a0b1148fcc80b240f54abfccb49f9e2d00b06b89ba879039e0cf772b5ea497a1fee54398a025ed5e6b7d0ed941cedf3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    e038de7b6384bfb27d9b8d1840371f65

    SHA1

    2676649835ddb9247ab3c2db4eeb519f861d3d70

    SHA256

    e6748e9cd7a00f764d7a0bdaf141896efadc81b76557f3df3642167ff286401b

    SHA512

    333793b6233637ee1fe78cbe1082972a830d18c6b8abd3784e730a5610c9fc2ac8dd3904b7af5f5501414f26c0e2c6e3cb81c5e6f05c8a92e3e63eef51a7702d

    Download Submit

  • memory/196-52-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/196-54-0x0000000000400000-0x0000000000451000-memory.dmp

    Filesize

    324KB

    Download

  • memory/196-53-0x0000000000413FA4-mapping.dmp

    Download

  • memory/388-11-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/388-8-0x0000000000000000-mapping.dmp

    Download

  • memory/388-13-0x0000000004400000-0x0000000004401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-14-0x00000000070B0000-0x00000000070B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/388-99-0x0000000009190000-0x0000000009191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-3-0x0000000000980000-0x0000000000981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-5-0x0000000005420000-0x0000000005421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-6-0x0000000004EA0000-0x0000000004EFE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1176-7-0x0000000006C50000-0x0000000006C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-2-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2600-81-0x00000000091F0000-0x00000000091F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-24-0x00000000073D0000-0x00000000073D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-40-0x0000000007B60000-0x0000000007B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-43-0x00000000081A0000-0x00000000081A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-48-0x0000000008440000-0x0000000008441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-29-0x0000000007C70000-0x0000000007C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-9-0x0000000000000000-mapping.dmp

    Download

  • memory/2600-28-0x0000000007C00000-0x0000000007C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-58-0x0000000009210000-0x0000000009243000-memory.dmp

    Filesize

    204KB

    Download

  • memory/2600-27-0x0000000007B90000-0x0000000007B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-85-0x0000000009380000-0x0000000009381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-15-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3700-10-0x0000000000000000-mapping.dmp

    Download

  • memory/3700-106-0x0000000009AB0000-0x0000000009AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3700-17-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3700-95-0x0000000009B10000-0x0000000009B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3724-20-0x0000000073A70000-0x000000007415E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3724-12-0x0000000000000000-mapping.dmp

    Download