Overview

overview

10

Static

static

SecuriteIn...90.exe

windows7_x64

10

SecuriteIn...90.exe

windows10_x64

10

Analysis

  • max time kernel
    53s
  • max time network
    54s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe

  • Size

    651KB

  • MD5

    d0b73f883fdd6cc9097028375fdc6231

  • SHA1

    786826282e4f20076f50b7648e45ca1df856dd12

  • SHA256

    97c1693cc21829a1b2139d13bc9b21a47555b18d6dc8943c4804890f1ab3b25c

  • SHA512

    6c76cacd033b503d54d260f69ba370117f46c0b2fd72f6e9851e73d17d6966ffd1bceb655b3df029a5661275a14702c0b1d6094aac12480291199f963235c91c

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

push4me.freeddns.org:1814

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 68 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1768
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1384
            • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
              "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1584
              • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1560
                • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1748
                  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:752
                    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                      10⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1796
                      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:396
                        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                          12⤵
                          • Suspicious use of WriteProcessMemory
                          PID:1456
                          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:576
                            • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                              "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                              14⤵
                              • Suspicious use of WriteProcessMemory
                              PID:292
                              • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                                "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:932
                                • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe
                                  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen11.58832.24978.21590.exe"
                                  16⤵
                                  • Adds Run key to start application
                                  • Suspicious use of WriteProcessMemory
                                  PID:1156
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
                                    17⤵
                                      PID:1872
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\eremcos\VLC.exe"
                                        18⤵
                                          PID:1540

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        MD5

        516c683f65edb23d0e850fa3ef3c8684

        SHA1

        2ac568ffec85d04a03ce8cd67d22c0f57ebcf78b

        SHA256

        90fcf9d38e16bf59c8ba902a0a2fb4535cb54515fdb51ecf561cec6911db553d

        SHA512

        fb785e0ba530ef75dab428467da6b2da078a356a953fb7b1729d2474b06a44f854cfd41fa6f3432e13f330c4a12b1665d316c63291fbd46bb165ba1e7b384c93

        Download Submit
      • memory/292-27-0x0000000000000000-mapping.dmp
        Download
      • memory/396-21-0x0000000000000000-mapping.dmp
        Download
      • memory/576-25-0x0000000000000000-mapping.dmp
        Download
      • memory/752-17-0x0000000000000000-mapping.dmp
        Download
      • memory/932-29-0x0000000000000000-mapping.dmp
        Download
      • memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1156-31-0x0000000000000000-mapping.dmp
        Download
      • memory/1156-33-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1156-35-0x0000000000320000-0x0000000000321000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1384-9-0x0000000000000000-mapping.dmp
        Download
      • memory/1456-23-0x0000000000000000-mapping.dmp
        Download
      • memory/1540-38-0x0000000000000000-mapping.dmp
        Download
      • memory/1560-13-0x0000000000000000-mapping.dmp
        Download
      • memory/1584-11-0x0000000000000000-mapping.dmp
        Download
      • memory/1748-15-0x0000000000000000-mapping.dmp
        Download
      • memory/1768-7-0x0000000000000000-mapping.dmp
        Download
      • memory/1796-19-0x0000000000000000-mapping.dmp
        Download
      • memory/1872-34-0x0000000000000000-mapping.dmp
        Download
      • memory/1872-39-0x0000000002880000-0x0000000002884000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1976-5-0x0000000000000000-mapping.dmp
        Download
      • memory/1988-3-0x0000000000000000-mapping.dmp
        Download