Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:38

General

  • Target
    SC30003983763.exe
  • Size
    492KB
  • MD5
    ed0657c7ee885752cc36859ac8c4f7f9
  • SHA1
    9fd613617dd96e689472575dae56c5497dbf3348
  • SHA256
    aea8b826c919840c0757bde7e31b915fda0439bd28b10418479aa17c53f91e12
  • SHA512
    69eae75cd1463ca50fc434843ba3558c014b57394de813f1993b418af349c9769ba23d29dfa7877f615495f525ba242beb8ea0f2faaf0cf4afc35db5dc550827

Score
10/10

Malware Config

Extracted

  • Family
    remcos
  • C2
    79.134.225.72:32765

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext (1 IoC)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe
    "C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN rembyname /XML "C:\Users\Admin\AppData\Local\Temp\be66102cee3d44508fbecb04dfa1cfea.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN rembyname /XML "C:\Users\Admin\AppData\Local\Temp\be66102cee3d44508fbecb04dfa1cfea.xml"
        3⤵
        • Creates scheduled task(s)
        PID:3212
    • C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe
      "C:\Users\Admin\AppData\Local\Temp\SC30003983763.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3824
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe
        3⤵
        PID:208

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\be66102cee3d44508fbecb04dfa1cfea.xml
    MD5
    ca5298a98c2b74380f1319953211713b
    SHA1
    99990aa98f57c7c6ece90ae741ae1dc53486d6e5
    SHA256
    fa4c13ec864f24a5aacd6d462e9d6ed3838920eb6cc9eda2a212b5b27d8ee946
    SHA512
    377a2b0d8476b4b1a20f8f656d969232f2308338ff4f440ca3faad00029d74cbfbca56df427b539de3c3aa7e29ac9caffbdb9ad01404a881f107342fa4be5e19
  • memory/1528-2-0x0000000000000000-mapping.dmp
  • memory/3212-7-0x0000000000000000-mapping.dmp
  • memory/3824-3-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB
  • memory/3824-4-0x0000000000413FA4-mapping.dmp
  • memory/3824-6-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize
    132KB