Overview

overview

3

Static

static

Remmy11.exe

windows7_x64

1

Remmy11.exe

windows10_x64

3

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remmy11.exe

  • Size

    564KB

  • MD5

    518454edd1875ea6cc1db084005dbf2a

  • SHA1

    fd2ef3bf1f09479545134437b864b3397e81874b

  • SHA256

    e13521b893056a15f7437d4a84e8dbde785c47466d1f4f75fe8690c16deeac25

  • SHA512

    b2411133b3db237f637dd2219ba6e50f7eb0494efadffa5516739db8d68f585f7f5874b27b82d58f05408c33c5760702a46da9515abda17187ab8d9f9b66e6a6

Score
3/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Remmy11.exe
    "C:\Users\Admin\AppData\Local\Temp\Remmy11.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN remmy1 /XML "C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN remmy1 /XML "C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml"
        3⤵
        • Creates scheduled task(s)
        PID:3016
    • C:\Users\Admin\AppData\Local\Temp\Remmy11.exe
      "C:\Users\Admin\AppData\Local\Temp\Remmy11.exe"
      2⤵
        PID:3432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 936
          3⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1324

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2c6443d20e2643f59226c7655a0b9b69.xml
      MD5

      05e177b8f1c2d23bfb3d263ba20a5531

      SHA1

      32204bb8bf776ce1e847406376aa01b22215cc1d

      SHA256

      59ef8dd1e8966684e9dce8b35b612d458197af77c46d39c3b40cc4a8645e8e15

      SHA512

      bdeb9de1be3ba8b93e63afebe4cf11780d40bc080dd5ec376a6b4a78197e9d0de6a8eab40b986c4e9f4b38ca3ce4474b14d96662be81f4d1e479e4be516a8f6f

      Download Submit

    • memory/1324-8-0x0000000004450000-0x0000000004451000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1324-9-0x0000000004450000-0x0000000004451000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3016-4-0x0000000000000000-mapping.dmp

      Download

    • memory/3144-2-0x0000000000000000-mapping.dmp

      Download

    • memory/3432-3-0x0000000000000000-mapping.dmp

      Download

    • memory/3432-6-0x0000000073E30000-0x000000007451E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/3432-7-0x0000000002DA0000-0x0000000002DC0000-memory.dmp

      Filesize

      128KB

      Download