Analysis

  • max time kernel
    147s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:33

General

  • Target

    PO-Scan-Documents00012910993993.exe

  • Size

    177KB

  • MD5

    a2c17f6556ae89a8a1683f889bffc7e9

  • SHA1

    cf2aa59cc8e074dfd3d72b052beef746aba1fe6a

  • SHA256

    4c61692f5b36f6b2b136958c7c315113899a1bdb1cfe7415f37c0acfdaab01a7

  • SHA512

    9f18670e24387969db2fee5cbc9698cfdac86997d1b5ac63e39cf973e0170473440ed3cd0a130ab00b339bf89802b14da425f52bb5c62c651eea0c486a993b37

Score
10/10

Malware Config

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Executes dropped EXE (3 IoCs)
  • Deletes itself (1 IoC)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Modifies registry class (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (18 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-Scan-Documents00012910993993.exe"
      2⤵
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3292
          • C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
            C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:752
            • C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
              "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:860
              • C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe
                "C:\Users\Admin\AppData\Roaming\owerri\owerrinta.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetWindowsHookEx
                PID:1180

Network

MITRE ATT&CK Enterprise v6
