Overview

overview

10

Static

static

drivers_check.exe

windows7_x64

1

drivers_check.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-01-2021 18:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    drivers_check.exe

  • Size

    1.4MB

  • MD5

    46580314ad41ee9c33eea70fd336f9d1

  • SHA1

    0f27e8e24c40de4df8d6f50634c7aba117679f7a

  • SHA256

    46f9b3a73b2ef17c7ace714e6b69b02e444096fb395d85e3b3220ed13d060a48

  • SHA512

    f160f04a9104eff461122393c62a9a3f963eea47e50b7464787db6212db2ec06ba295e122ac085653b95d224dd23504de98a05733b2d5b97e44fc36d4b5a3c27

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

5.61.56.10:9003

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Blocklisted process makes network request 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 174 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\drivers_check.exe
    "C:\Users\Admin\AppData\Local\Temp\drivers_check.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:3572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe"
        3⤵
          PID:3176
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe"
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          PID:4160

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3572-2-0x0000000000000000-mapping.dmp
      Download
    • memory/4160-3-0x0000000000000000-mapping.dmp
      Download
    • memory/4160-4-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download