Overview

overview

10

Static

static

DHL Delive...DF.exe

windows7_x64

10

DHL Delive...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 05:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Delivery Shipping, PDF.exe

  • Size

    991KB

  • MD5

    43df80ded0aa1f92951742b2dc2b916e

  • SHA1

    0d37d5f1876431cd0345f72770e38302d07b194b

  • SHA256

    3f416eb40a2f3043bb0e16cc684a3cecdae3fee9f340e4adf9ddb700e4bf2cfd

  • SHA512

    16216eaa505ffb11ecd0b61b50387fe242079dcc17158dc783df6c08d9884eeac4612a6586450a7957c2d425e1957905ca023d0733137844615577205e6ed338

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

mikegrace2021.ddns.net:1999

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3940
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iJFAuLr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2D79.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1268
    • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Shipping, PDF.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:3620

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp2D79.tmp
    MD5

    87eca2b66cd43417007d96477b68e169

    SHA1

    94b913308874981ed0d7d4ec38c79767de608a67

    SHA256

    a87be6dc440199e57dc1291f8b3d195431e147b67c76900a8dc62be7dfbe141e

    SHA512

    e67b9c9780ef9f19399a5f603e01f150c6204ca7b9996752efc81a0e9b91e9a9f2b5647942d5a7d6f1564c807806ef82878c4fe9b26bd0a6bc840b6bc5ccc379

    Download Submit

  • memory/1268-12-0x0000000000000000-mapping.dmp

    Download

  • memory/3620-16-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3620-15-0x0000000000413FA4-mapping.dmp

    Download

  • memory/3620-14-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3940-6-0x0000000005750000-0x0000000005751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-9-0x0000000005480000-0x0000000005481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-10-0x00000000052C0000-0x00000000052D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3940-11-0x0000000005F10000-0x0000000005F6E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/3940-8-0x0000000005160000-0x0000000005161000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-7-0x00000000052F0000-0x00000000052F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-2-0x0000000073BA0000-0x000000007428E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3940-5-0x0000000005190000-0x0000000005191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3940-3-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

    Download