Overview

overview

10

Static

static

SecuriteIn...88.exe

windows7_x64

10

SecuriteIn...88.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-01-2021 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe

  • Size

    1.3MB

  • MD5

    8a16967ee620b6d50578ec90143e9b88

  • SHA1

    8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

  • SHA256

    f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

  • SHA512

    f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

wedsazxcvfghyuiokjhbnvfcdsaweyplmhbvrtud.ydns.eu:1996

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Delays execution with timeout.exe 6 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 86 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1768
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1348
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:1468
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.8a16967ee620b6d5.22788.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\win.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:288
          • C:\Users\Admin\AppData\Roaming\win.exe
            C:\Users\Admin\AppData\Roaming\win.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:340
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2032
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                7⤵
                • Delays execution with timeout.exe
                PID:1660
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1964
              • C:\Windows\SysWOW64\timeout.exe
                timeout 1
                7⤵
                • Delays execution with timeout.exe
                PID:2008
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c timeout 1
              6⤵
                PID:904
                • C:\Windows\SysWOW64\timeout.exe
                  timeout 1
                  7⤵
                  • Delays execution with timeout.exe
                  PID:920
              • C:\Users\Admin\AppData\Roaming\win.exe
                "C:\Users\Admin\AppData\Roaming\win.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetWindowsHookEx
                PID:1404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 600
                6⤵
                • Loads dropped DLL
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1476

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      MD5

      4a74e626596d6e66b4bbc59ee6848f2d

      SHA1

      047849ac8735ecc0943428c7cd5e00b52eee06ed

      SHA256

      98bd6dc219a7a3e04d3d67bbec9f0b4d4640831a3a6be0a0078b050041088b0e

      SHA512

      1cd943482d0f1ce2ffaf6ee4a82895e4d57c52051bb14bbda0548cf072b4c5cbe719d2cdb549b5ae7c0241dd9c68dd9d1674acd26aed684b8145500079cc5403

      Download Submit
    • C:\Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • C:\Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • \Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • \Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • \Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • \Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • \Users\Admin\AppData\Roaming\win.exe
      MD5

      8a16967ee620b6d50578ec90143e9b88

      SHA1

      8b3ab5b20d8fbcb5c5428768c7e3fe8f3a954a8f

      SHA256

      f64dfe37f4518739d7d31f0a81cc8a126d6766ca16039b3f80a50495efd6d765

      SHA512

      f0fe9ee56e17ef17fc0a1fb70f6f37946f93fc4ad0d2eb9bb9ade5429ace6a027e5a4fa5ee6a993de7474f7106e45a6543d9e3adf98a63d002e75c447b1869d1

      Download Submit
    • memory/268-10-0x0000000000000000-mapping.dmp
      Download
    • memory/288-18-0x0000000000000000-mapping.dmp
      Download
    • memory/340-25-0x00000000734A0000-0x0000000073B8E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/340-26-0x0000000000A40000-0x0000000000A41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/340-23-0x0000000000000000-mapping.dmp
      Download
    • memory/904-33-0x0000000000000000-mapping.dmp
      Download
    • memory/920-34-0x0000000000000000-mapping.dmp
      Download
    • memory/932-2-0x0000000074120000-0x000000007480E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/932-3-0x0000000001320000-0x0000000001321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/932-5-0x0000000000270000-0x000000000029F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1208-15-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1208-12-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1208-13-0x0000000000413FA4-mapping.dmp
      Download
    • memory/1348-9-0x0000000000000000-mapping.dmp
      Download
    • memory/1404-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1404-38-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1404-36-0x0000000000413FA4-mapping.dmp
      Download
    • memory/1468-11-0x0000000000000000-mapping.dmp
      Download
    • memory/1476-39-0x0000000000000000-mapping.dmp
      Download
    • memory/1476-40-0x0000000001E30000-0x0000000001E41000-memory.dmp
      Filesize

      68KB

      Download
    • memory/1524-19-0x00000000027A0000-0x00000000027A4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1524-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1660-30-0x0000000000000000-mapping.dmp
      Download
    • memory/1768-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1964-31-0x0000000000000000-mapping.dmp
      Download
    • memory/1980-6-0x0000000000000000-mapping.dmp
      Download
    • memory/2008-32-0x0000000000000000-mapping.dmp
      Download
    • memory/2032-29-0x0000000000000000-mapping.dmp
      Download