Overview

overview

10

Static

static

10

ORDER#9494.exe

windows7_x64

10

ORDER#9494.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 12:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER#9494.exe

  • Size

    724KB

  • MD5

    64cceafcc81b85f1bedd61dd285ca75a

  • SHA1

    4ab324d8dc4faae991dee59f64f372ad13bc8cfa

  • SHA256

    c7bd80117055942f0f622a346479856e7272fb071dd1d709387dd4c8fd4f2ea5

  • SHA512

    340bc6ac5c61624bb7a00a1ec560d58a3c696a99b45b082588d99673dd02b21a6cb0a73c9e5c40c785aba7c44ff627e0ed7f0f52cfebd886dfacf02305cc78d8

Score
10/10
remcospersistencerat

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER#9494.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER#9494.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Users\Admin\AppData\Local\Temp\ORDER#9494.exe
      C:\Users\Admin\AppData\Local\Temp\ORDER#9494.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2808-4-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2808-5-0x0000000000421000-mapping.dmp
    Download
  • memory/2808-6-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4776-2-0x0000000000660000-0x0000000000661000-memory.dmp
    Filesize

    4KB

    Download