Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-01-2021 16:35
Static task: static1
Behavioral task: behavioral1
Sample: New PO.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds
General
- Target: New PO.exe
- Size: 665KB
- MD5: 5ad9944b195708e20ed9008a6aca905d
- SHA1: 56a770ba16062100d0cb2574fe24a042718c9fbc
- SHA256: 4fe8c8398a6cf30cfd7cbed590de821abdb40aa177781c43c19bdfec75308355
- SHA512: a4e92e98029adb6d46a6d225d90284ec2b11c8b3763557a80c3fe8fd629cb0ccfb3f7c0570430127c6c3a3d3146c9ea73321f1ccbf6a664d3af5690c1fd6ae7d
Malware Config
Extracted
- Family: remcos
- C2: 194.5.98.32:959
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description            pid  process     target process PID  target process
  set thread context of  108  New PO.exe  1520                vbc.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid   process
  1520  vbc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description         pid  process     target process PID  target process
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
  wrote to memory of  108  New PO.exe  1520                vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\New PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New PO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 108
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of SetWindowsHookEx
    PID: 1520