Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 05:59

General

  • Target

    DHL Delivery Shipping, PDF.exe

  • Size

    991KB

  • MD5

    43df80ded0aa1f92951742b2dc2b916e

  • SHA1

    0d37d5f1876431cd0345f72770e38302d07b194b

  • SHA256

    3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd

  • SHA512

    16216eaa505ffb11ecd0b61b50387fe242079dcc17158dc783df6c08d9884eeac4612a6586450a7957c2d425e1957905ca023d0733137844615577205e6ed338

Score
10/10

Malware Config

Extracted

Family

remcos

C2

mikegrace2021.ddns.net:1999

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJFAuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8E6.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1668
    • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
      2⤵
      PID:268
    • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:592


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8E6.tmp

    MD5

    3d1e9bc4a00f81d17ba27a8bb9742863

    SHA1

    57fce9b60eb659a28101e63d9389dfb129f44792

    SHA256

    8862106b37ba011e5388a828a0552f9bd25068d1962593d44cc1a00aac5c63bc

    SHA512

    d8ea6e9596ee5e9ce6b9ec6a86e92f656f5ee4ba4ed87e68ae69b2ef9c0dc6ae11965dd737505c7548713f6efaa01e6d4b5dd1cf66f658f31d7b1ccb6055687e

  • memory/592-9-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/592-10-0x0000000000413FA4-mapping.dmp

  • memory/592-11-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

  • memory/1668-7-0x0000000000000000-mapping.dmp

  • memory/1740-2-0x00000000741A0000-0x000000007488E000-memory.dmp

    Filesize

    6.9MB

  • memory/1740-3-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

    Filesize

    4KB

  • memory/1740-5-0x00000000005A0000-0x00000000005B2000-memory.dmp

    Filesize

    72KB

  • memory/1740-6-0x00000000043D0000-0x000000000442E000-memory.dmp

    Filesize

    376KB