Overview

overview

10

Static

static

ALMENIDE G...T .exe

windows7_x64

10

ALMENIDE G...T .exe

windows10_x64

10

Analysis

  • max time kernel
    98s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe

  • Size

    878KB

  • MD5

    e2c6b846839de667cbb3b05bc0dceb31

  • SHA1

    cbd0bb3f8987d2fdaace1ac6a2b2ceff8a49ce31

  • SHA256

    be65a77b922867eaeb9e0cb417eb3b1497ff25c583bc32dd2025e51a320f2610

  • SHA512

    46a108acaebdf2fda465f9b9dfd44fa3aafdc6f85c27893d3706aa540e42455e770c1364fc3ef8a4cabd67fa3cccd8b9758fd8f45c89aab74eb6b44cbcaa03b2

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

212.83.46.26:4044

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe
    "C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nQxFbYVpQONFX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55BE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:756
    • C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe
      "C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe"
      2⤵
        PID:1064

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp55BE.tmp
      MD5

      23a26426e6d47e2a50a235ec530bf316

      SHA1

      b4267a55bc354c63cce92c48a27baf36e2eeb759

      SHA256

      585a5cc92d87e23e92451e6e0863aea1c58542a98bdb4555d6639064f8b0a323

      SHA512

      d7c3daf8279fe26d59f782c6b64474f421f12d4bc218197cc7667388685140f62a7c72faf387af8427a1cbcbb7e503f8883658df9f022529af1aac7ff15430b9

      Download Submit
    • memory/756-7-0x0000000000000000-mapping.dmp
      Download
    • memory/808-2-0x0000000073F40000-0x000000007462E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/808-3-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/808-5-0x0000000000210000-0x0000000000222000-memory.dmp
      Filesize

      72KB

      Download
    • memory/808-6-0x00000000023A0000-0x00000000023F7000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1064-9-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/1064-10-0x000000000040FD88-mapping.dmp
      Download
    • memory/1064-11-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download