e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25

Analysis

max time kernel
4s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remmy11.exe
Size

564KB
MD5

518454edd1875ea6cc1db084005dbf2a
SHA1

fd2ef3bf1f09479545134437b864b3397e81874b
SHA256

e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25
SHA512

b2411133b3db237f637dd2219ba6e50f7eb0494efadffa5516739db8d68f585f7f5874b27b82d58f05408c33c5760702a46da9515abda17187ab8d9f9b66e6a6

Score

1^/10

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1220 schtasks.exe

pid	process
1220	schtasks.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Remmy11.execmd.exe

description	pid	process	target process
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 1112	1580	Remmy11.exe	cmd.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1580 wrote to memory of 2024	1580	Remmy11.exe	Remmy11.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe
PID 1112 wrote to memory of 1220	1112	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\Remmy11.exe
"C:\Users\Admin\AppData\Local\Temp\Remmy11.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN remmy1 /XML "C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN remmy1 /XML "C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml"
3⤵
- Creates scheduled task(s)
PID:1220

C:\Users\Admin\AppData\Local\Temp\Remmy11.exe
"C:\Users\Admin\AppData\Local\Temp\Remmy11.exe"
2⤵
PID:2024

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml
MD5
d34f511c893420501babf400d5343b21

SHA1
765dd539688e0c224183ce1dda56a4dc7bd6b101

SHA256
6acfd07cc5abd97ba09b13af39745c0169b394a700dd56b8523d86e370e0ea76

SHA512
7eeb9dfffd3367234fbf63fd1e0fdde3496a254f2a6eff66b51be97eec64d396b92c4a1a59f605afaa58a981e9da21c2bf4c42fd3b07438c68ffdca0e8959b79

Download Submit
memory/1112-2-0x0000000000000000-mapping.dmp

Download
memory/1220-4-0x0000000000000000-mapping.dmp

Download
memory/2024-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads