Analysis
-
max time kernel
124s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-01-2021 08:01
General
-
Target
MC International Trading - products list.exe
-
Size
1.0MB
-
MD5
1749cf9fe03ca7ee146bf316831f01b2
-
SHA1
c87d534728d266847e4a7665d82c4a9553c60ccc
-
SHA256
f8b5e14a549989e51f567b5a7be04f6187d7bd4067e957e66152ecbf73893a47
-
SHA512
1a6b0be1b92493698ced5e663fa0fa3811ef9ca897d029d1c98c698e680f110f4c548f7bc5f13d5d987b359991dfada6e1f81e2fbc715ec98160d4de6c87b317
Malware Config
Extracted
remcos
185.136.171.240:4044
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe"C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AilChTvm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A5.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe"C:\Users\Admin\AppData\Local\Temp\MC International Trading - products list.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp3A5.tmpMD5
d04e2a76f89108c6a08fe018b56768f5
SHA125707e942d145042f1040bd90a768238ebd8a47a
SHA25673da580d1a84f67a3ecbb9106682f80b64b5c83aef92804a77c99f95d5e70412
SHA512a76c05cbb57c832060845d506e5312012df5a2715517f0628a9a151dccc64c64146f40af1c553637d668a60afb01c7063bb46e073f5cb52e7d51dd97614e183b
-
memory/936-14-0x0000000000000000-mapping.dmp
-
memory/1164-18-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1164-17-0x000000000040FD88-mapping.dmp
-
memory/1164-16-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4808-7-0x0000000005390000-0x0000000005391000-memory.dmpFilesize
4KB
-
memory/4808-9-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/4808-10-0x0000000005CF0000-0x0000000005CF1000-memory.dmpFilesize
4KB
-
memory/4808-11-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/4808-12-0x0000000005560000-0x0000000005573000-memory.dmpFilesize
76KB
-
memory/4808-13-0x0000000000ED0000-0x0000000000F6A000-memory.dmpFilesize
616KB
-
memory/4808-8-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/4808-2-0x00000000739D0000-0x00000000740BE000-memory.dmpFilesize
6.9MB
-
memory/4808-6-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/4808-5-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/4808-3-0x00000000008D0000-0x00000000008D1000-memory.dmpFilesize
4KB