Analysis
max time kernel: 148s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 06-01-2021 16:35
Static task: static1
Behavioral task: behavioral1
Sample: New PO.exe
Resource: win7v20201028
0 signatures
0 seconds
General
Target: New PO.exe
Size: 665KB
MD5: 5ad9944b195708e20ed9008a6aca905d
SHA1: 56a770ba16062100d0cb2574fe24a042718c9fbc
SHA256: 4fe8c8398a6cf30cfd7cbed590de821abdb40aa177781c43c19bdfec75308355
SHA512: a4e92e98029adb6d46a6d225d90284ec2b11c8b3763557a80c3fe8fd629cb0ccfb3f7c0570430127c6c3a3d3146c9ea73321f1ccbf6a664d3af5690c1fd6ae7d
Malware Config
Extracted
Family: remcos
C2: 194.5.98.32:959
Signatures
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          | pid  | process    | target process
    PID 4708 set thread context of 4256  | 4708 | New PO.exe | vbc.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid  | process
    4708 | New PO.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 4708 | New PO.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid  | process
    4256 | vbc.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
    description                        | pid  | process    | target process
    PID 4708 wrote to memory of 4256   | 4708 | New PO.exe | vbc.exe
    (this row is recorded 10 times, one per WriteProcessMemory call)
Processes
- C:\Users\Admin\AppData\Local\Temp\New PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New PO.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child process)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of SetWindowsHookEx