Analysis

  • max time kernel
    13s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 07:11

General

  • Target

    0000090000902021.exe

  • Size

    354KB

  • MD5

    4decfb66c5f4b06dfd047292f6e18d7c

  • SHA1

    0d0d42946b325aba13e75514513e363601582815

  • SHA256

    0c873ba18e7449a4e0110dbef0fce6cbe36ce0649a743d84675800bb2caa1938

  • SHA512

    58f8bc7145d997eb3a67890f5c5a94889e564df64aea86f6fd31af9185b9da466d5bc1927feb31743a1fa00c707d1b8e6fc046f3beeb881413076d85f26f1050

Score
10/10

Malware Config

Extracted

Family

remcos

C2

72.11.157.241:4445

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe
    "C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      2⤵
        PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\2e7933cd4c36479e897d47cded967c74.xml"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\2e7933cd4c36479e897d47cded967c74.xml"
          3⤵
          • Creates scheduled task(s)
          PID:1168
      • C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe
        "C:\Users\Admin\AppData\Local\Temp\0000090000902021.exe"
        2⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task, T1053 (1)
  • Persistence: Scheduled Task, T1053 (1)
  • Privilege Escalation: Scheduled Task, T1053 (1)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\2e7933cd4c36479e897d47cded967c74.xml
    MD5

    9313352a59e3b368ab4eb8173567c406

    SHA1

    fc776c28e3ae9bd5e68f25c2a4f6248126731370

    SHA256

    469d4994320f37196faca4de8ada85161a43dd42c9405b283bea5e4ea84c9a8d

    SHA512

    000f6edf387b4ea0f244003fad3f66be5eb1920012838ba3a19c3f2dcde973fce8450c8e556c22cc20f7a3a0980d735fb169ecfafd440993c9fe5b8875fc7462

  • memory/1084-3-0x0000000000000000-mapping.dmp
  • memory/1168-6-0x0000000000000000-mapping.dmp
  • memory/1288-4-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

  • memory/1288-5-0x00000000004172EC-mapping.dmp
  • memory/1288-7-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

  • memory/1288-9-0x0000000000400000-0x0000000000419000-memory.dmp
    Filesize

    100KB

  • memory/2032-2-0x0000000000000000-mapping.dmp