Overview

overview

10

Static

static

Dhl Delive...DF.exe

windows7_x64

10

Dhl Delive...DF.exe

windows10_x64

1

Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dhl Delivery Shipping Cargo, PDF.exe

  • Size

    1.1MB

  • MD5

    ba0fba7f60adab31a07ee0b8707164ef

  • SHA1

    9bc0f14230a8439566d69caa5ddd730b946afbc8

  • SHA256

    a9bb3e9f775ca73baaac71ef7e7b4a5d7c467aef99d3b8f34856f16dbb3afe26

  • SHA512

    bb95b5eb16b015759b577d6b15f4fc07eb7171db328db98c56235aaa9e71680d678c1b6149b50f7a1e6ad083e914e2a437cd2cd67fc6f83223021f5361f3afea

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

mikegrace2021.ddns.net:1999

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dhl Delivery Shipping Cargo, PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Dhl Delivery Shipping Cargo, PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tTdcxEyBvTZSSn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7964.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1808
    • C:\Users\Admin\AppData\Local\Temp\Dhl Delivery Shipping Cargo, PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Dhl Delivery Shipping Cargo, PDF.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7964.tmp
    MD5

    2c4a9f5961b4052634e3eb31ee3868cc

    SHA1

    7953430559cb21138f9b12f18ef812af67878fd5

    SHA256

    e5ffcbfa7930f5bdc4551601a51946708354a495eb3feeeae48eb414383503de

    SHA512

    0af12ddaa64900b5e93e8e9fee892d4982925244b4e2287b024bf30d6307058868cb8f6e1265f6f19699efc36a9c634bcf70cc34e97eb882e89b07f15513f02e

    Download Submit
  • memory/480-10-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/480-11-0x0000000000413FA4-mapping.dmp
    Download
  • memory/480-12-0x0000000075A61000-0x0000000075A63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/480-13-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

    Download
  • memory/1056-2-0x0000000073C60000-0x000000007434E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1056-3-0x0000000000C00000-0x0000000000C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1056-5-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1056-6-0x0000000000540000-0x0000000000553000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1056-7-0x0000000004D20000-0x0000000004DC5000-memory.dmp
    Filesize

    660KB

    Download
  • memory/1808-8-0x0000000000000000-mapping.dmp
    Download