e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25

Analysis

Target

Remmy11.exe
Size

564KB
MD5

518454edd1875ea6cc1db084005dbf2a
SHA1

fd2ef3bf1f09479545134437b864b3397e81874b
SHA256

e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25
SHA512

b2411133b3db237f637dd2219ba6e50f7eb0494efadffa5516739db8d68f585f7f5874b27b82d58f05408c33c5760702a46da9515abda17187ab8d9f9b66e6a6

Score

1^/10

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1220 schtasks.exe

pid	process
1220	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Remmy11.execmd.exe

description	pid	process	target process
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Remmy11.exe
"C:\Users\Admin\AppData\Local\Temp\Remmy11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN remmy1 /XML "C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN remmy1 /XML "C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml"
3⤵
- Creates scheduled task(s)
PID:1220

C:\Users\Admin\AppData\Local\Temp\Remmy11.exe
"C:\Users\Admin\AppData\Local\Temp\Remmy11.exe"
2⤵
PID:2024

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml

MD5
d34f511c893420501babf400d5343b21

SHA1
765dd539688e0c224183ce1dda56a4dc7bd6b101

SHA256
6acfd07cc5abd97ba09b13af39745c0169b394a700dd56b8523d86e370e0ea76

SHA512
7eeb9dfffd3367234fbf63fd1e0fdde3496a254f2a6eff66b51be97eec64d396b92c4a1a59f605afaa58a981e9da21c2bf4c42fd3b07438c68ffdca0e8959b79

Download Submit
memory/1112-2-0x0000000000000000-mapping.dmp

Download
memory/1220-4-0x0000000000000000-mapping.dmp

Download
memory/2024-3-0x0000000000000000-mapping.dmp

Download