Overview

overview

10

Static

static

ALMENIDE G...T .exe

windows7_x64

10

ALMENIDE G...T .exe

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe

  • Size

    878KB

  • MD5

    e2c6b846839de667cbb3b05bc0dceb31

  • SHA1

    cbd0bb3f8987d2fdaace1ac6a2b2ceff8a49ce31

  • SHA256

    be65a77b922867eaeb9e0cb417eb3b1497ff25c583bc32dd2025e51a320f2610

  • SHA512

    46a108acaebdf2fda465f9b9dfd44fa3aafdc6f85c27893d3706aa540e42455e770c1364fc3ef8a4cabd67fa3cccd8b9758fd8f45c89aab74eb6b44cbcaa03b2

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

212.83.46.26:4044

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe
    "C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nQxFbYVpQONFX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3920
    • C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe
      "C:\Users\Admin\AppData\Local\Temp\ALMENIDE GLOBAL SOURCING - PRODUCTS LIST .exe"
      2⤵
        PID:1132

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3A89.tmp
      MD5

      cd16ba433177050fce93c411992fabfc

      SHA1

      0223918c7e07b09a07c7e3d986867888385725f1

      SHA256

      0f245fc9ae14ee6aedd28d9139dbb651ce6faa680eca4d2488e24e7f05b1582b

      SHA512

      acd04888c4921a79620765df3bdf66a0faacbd0d3a5914078bd7b5e9b0f8edaa89cb91597b2f22967473be1a2a1c88f62708b82b35b401c842c523dd4b9666a7

      Download Submit
    • memory/988-9-0x0000000005730000-0x0000000005731000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-5-0x0000000005440000-0x0000000005441000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-6-0x0000000005A90000-0x0000000005A91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-7-0x0000000005590000-0x0000000005591000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-8-0x00000000054E0000-0x00000000054E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/988-2-0x0000000073310000-0x00000000739FE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/988-10-0x0000000005520000-0x0000000005532000-memory.dmp
      Filesize

      72KB

      Download
    • memory/988-11-0x0000000006330000-0x0000000006387000-memory.dmp
      Filesize

      348KB

      Download
    • memory/988-3-0x0000000000B50000-0x0000000000B51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1132-14-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/1132-15-0x000000000040FD88-mapping.dmp
      Download
    • memory/1132-16-0x0000000000400000-0x0000000000417000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3920-12-0x0000000000000000-mapping.dmp
      Download