Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 07:38

General

  • Target

    SC30003983763.exe

  • Size

    492KB

  • MD5

    ed0657c7ee885752cc36859ac8c4f7f9

  • SHA1

    9fd613617dd96e689472575dae56c5497dbf3348

  • SHA256

    aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12

  • SHA512

    69eae75cd1463ca50fc434843ba3558c014b57394de813f1993b418af349c9769ba23d29dfa7877f615495f525ba242beb8ea0f2faaf0cf4afc35db5dc550827

Score
10/10

Malware Config

Extracted

Family

remcos

C2

79.134.225.72:32765

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe
    "C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN rembyname /XML "C:\Users\Admin\AppData\Local\Temp\be66102cee3d44508fbecb04dfa1cfea.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1868
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN rembyname /XML "C:\Users\Admin\AppData\Local\Temp\be66102cee3d44508fbecb04dfa1cfea.xml"
        3⤵
        • Creates scheduled task(s)
        PID:1372
    • C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe
      "C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2032
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1608
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 208
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:524

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\be66102cee3d44508fbecb04dfa1cfea.xml

    MD5

    c278ea8974ed242625419446334bea7f

    SHA1

    e1f1cd7bb6438fcc81128e28974aa2e41b3f22fb

    SHA256

    21a31b40164fa929a226505c30cc2602315a4a576963a2007175f23cd0109abb

    SHA512

    4f85e833d2efba6a5bb09d64351cc59183f251539eb23c0ae561e480f86d3ea801739594b4a06842359f1e7fd467b685b519da1f6e82f894a1d1ab99014ca013

  • memory/524-11-0x0000000000000000-mapping.dmp

  • memory/524-12-0x00000000023C0000-0x00000000023D1000-memory.dmp

    Filesize

    68KB

  • memory/1372-5-0x0000000000000000-mapping.dmp

  • memory/1608-8-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/1608-9-0x0000000000407970-mapping.dmp

  • memory/1608-10-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

  • memory/1868-2-0x0000000000000000-mapping.dmp

  • memory/2032-4-0x0000000000413FA4-mapping.dmp

  • memory/2032-3-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/2032-7-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB