Overview

overview

10

Static

static

Qotation.exe

windows7_x64

10

Qotation.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Qotation.exe

  • Size

    330KB

  • MD5

    28b8acaf74bd16212a1d2fb732e88c6d

  • SHA1

    993b52b65b755aa59f4d1f4390e3e0cd6c2ffacf

  • SHA256

    b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776

  • SHA512

    0da3543e18958730fe92ebc318fdcc7f8744a37bbadaea096f3a327b4207efc8a5b67819284aa7bb9fd293122c4daed5acbcb27842a45cfab6b10dfc4a88ed59

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

whatgodcannotdodoestnotexist.duckdns.org:2889

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Qotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Qotation.exe"
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:988
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\955056a4c04c43a3ad2c1d5c7e436ce5.xml"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2252
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\955056a4c04c43a3ad2c1d5c7e436ce5.xml"
        3⤵
        • Creates scheduled task(s)
        PID:3612
    • C:\Users\Admin\AppData\Local\Temp\Qotation.exe
      "C:\Users\Admin\AppData\Local\Temp\Qotation.exe"
      2⤵
        PID:2388
      • C:\Users\Admin\AppData\Local\Temp\Qotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Qotation.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2540
        • C:\Users\Admin\AppData\Local\Temp\Qotation.exe
          "C:\Users\Admin\AppData\Local\Temp\Qotation.exe"
          3⤵
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2648
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:568
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2272
              • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:3840
                • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                  C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
                  7⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious use of SetWindowsHookEx
                  PID:3284

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\955056a4c04c43a3ad2c1d5c7e436ce5.xml
      MD5

      aa2f6636e997aaa0b01fbc78b1dabe52

      SHA1

      fd462100fc91975dcbea8e361cf1eb8a70f6ad54

      SHA256

      d710b6eda22285684579d8b547e5be2f48883c4bf8db39993b00df30f9dc8723

      SHA512

      6540a3bbdbd3ab51679d5b32380e6c288bf6eba2777d067d40bfe65642ccafecd18028b102dfa46ac189d84282da2b6cb202a4f307587c5639f86834788f5104

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      MD5

      b92d64fe5b1d1f59df4b738262aea8df

      SHA1

      c8fb1981759c2d9bb2ec91b705985fba5fc7af63

      SHA256

      fa20e9aab03dc8e9f1910aaf0cf42662379fa16ae3a22642084fb97fa3d4f83a

      SHA512

      2566248b93c0cfb0414f033b8dd18bbd4f88180093eac2861107289bcb4ee160f9593706ff1f7d1f2e4ecea430d67a5a2897551a4f9ebd82b707243e300520e2

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
      MD5

      28b8acaf74bd16212a1d2fb732e88c6d

      SHA1

      993b52b65b755aa59f4d1f4390e3e0cd6c2ffacf

      SHA256

      b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776

      SHA512

      0da3543e18958730fe92ebc318fdcc7f8744a37bbadaea096f3a327b4207efc8a5b67819284aa7bb9fd293122c4daed5acbcb27842a45cfab6b10dfc4a88ed59

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
      MD5

      28b8acaf74bd16212a1d2fb732e88c6d

      SHA1

      993b52b65b755aa59f4d1f4390e3e0cd6c2ffacf

      SHA256

      b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776

      SHA512

      0da3543e18958730fe92ebc318fdcc7f8744a37bbadaea096f3a327b4207efc8a5b67819284aa7bb9fd293122c4daed5acbcb27842a45cfab6b10dfc4a88ed59

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Remcos\remcos.exe
      MD5

      28b8acaf74bd16212a1d2fb732e88c6d

      SHA1

      993b52b65b755aa59f4d1f4390e3e0cd6c2ffacf

      SHA256

      b72df5535e69fb7ea6dd6638059825c267e176baa3213a2f513d76d2455f1776

      SHA512

      0da3543e18958730fe92ebc318fdcc7f8744a37bbadaea096f3a327b4207efc8a5b67819284aa7bb9fd293122c4daed5acbcb27842a45cfab6b10dfc4a88ed59

      Download Submit
    • memory/568-7-0x0000000000000000-mapping.dmp
      Download
    • memory/2252-2-0x0000000000000000-mapping.dmp
      Download
    • memory/2272-10-0x0000000000000000-mapping.dmp
      Download
    • memory/2540-3-0x0000000000000000-mapping.dmp
      Download
    • memory/2648-9-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/2648-4-0x0000000000413FA4-mapping.dmp
      Download
    • memory/3284-16-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/3284-14-0x0000000000413FA4-mapping.dmp
      Download
    • memory/3612-5-0x0000000000000000-mapping.dmp
      Download
    • memory/3840-11-0x0000000000000000-mapping.dmp
      Download