Overview

overview

10

Static

static

000009000000900.exe

windows7_x64

10

000009000000900.exe

windows10_x64

10

Analysis

  • max time kernel
    71s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    000009000000900.exe

  • Size

    443KB

  • MD5

    881a02cd53c6403a7e543185b29a42f5

  • SHA1

    c6cb7c4594be2c4578b359e4b1edfe98c131d856

  • SHA256

    9a923858b6e0434e961118c2e0b6fc62bfddf64e1fc69b1b8acaa323d27c1d5e

  • SHA512

    3180af12faa6ac2d137fee19eeaf8856bb48fb4bd4a95ead82aee77f82f2797236314864c18bee894ea28726ff6a6167109afe3a8aa627af523d6ce67accfbf9

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

45.137.22.52:8780

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\000009000000900.exe
    "C:\Users\Admin\AppData\Local\Temp\000009000000900.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\d8f301e18dc84944a07a39734140b265.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3456
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\d8f301e18dc84944a07a39734140b265.xml"
        3⤵
        • Creates scheduled task(s)
        PID:3304
    • C:\Users\Admin\AppData\Local\Temp\000009000000900.exe
      "C:\Users\Admin\AppData\Local\Temp\000009000000900.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1524

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\d8f301e18dc84944a07a39734140b265.xml
    MD5

    a36564afc14b3eb0849c01a3afdb9944

    SHA1

    4dcee9fae3fde4e46b08529bc0ba067150686f07

    SHA256

    9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996

    SHA512

    782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89

    Download Submit
  • memory/1524-3-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/1524-4-0x000000000040FD88-mapping.dmp
    Download
  • memory/1524-6-0x0000000000400000-0x0000000000417000-memory.dmp
    Filesize

    92KB

    Download
  • memory/3304-7-0x0000000000000000-mapping.dmp
    Download
  • memory/3456-2-0x0000000000000000-mapping.dmp
    Download