Overview

overview

10

Static

static

Payment In...DF.exe

windows7_x64

10

Payment In...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    21-01-2021 06:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Payment Invoice PDF.exe

  • Size

    531KB

  • MD5

    d0cf67cc18970f999e6fb9fad2f96493

  • SHA1

    d5adc1b8c78a138969f0bb7b50219ad9ad682e5c

  • SHA256

    8084639a37257615b09beac5c8f681aa2115ece62fcb003fc8ddadb0d833fdb7

  • SHA512

    d4316989136e547180e6abd118d74e192ed16a1a314b6949e93e16b3a417c1329174646eca1673813d17ca68100da5c017f3905bc0af9f845f9b62abea54db92

Score
10/10
remcosransomwarerat

Malware Config

Extracted

Family

remcos

C2

mikegrace2021.ddns.net:1999

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tuILphceR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1568
    • C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
      2⤵
        PID:268
      • C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
        2⤵
          PID:112
        • C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe
          "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:1472

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp
        MD5

        ade1488ca98663b02670a3ddeba06b4c

        SHA1

        828fbf196c26e6f589011a3a215dea74dd037840

        SHA256

        504aae2e4dc994b2fcd75f09a663dbdcd287822bda40121986f2e210cecd94de

        SHA512

        5e7ec166dbeb6ae0336b8701fec89efddc24154cbc73d749249d3aa3bf3f57e20d26680884f63decd9f9ef75584b7838c2db8a2d7c140e3f19db85176bfae23d

        Download Submit
      • memory/1064-2-0x00000000740B0000-0x000000007479E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1064-3-0x0000000000860000-0x0000000000861000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1064-5-0x00000000003B0000-0x00000000003D3000-memory.dmp
        Filesize

        140KB

        Download
      • memory/1064-6-0x0000000000510000-0x0000000000511000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1064-7-0x0000000004410000-0x0000000004469000-memory.dmp
        Filesize

        356KB

        Download
      • memory/1472-10-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1472-11-0x0000000000413FA4-mapping.dmp
        Download
      • memory/1472-12-0x0000000076101000-0x0000000076103000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1472-13-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/1568-8-0x0000000000000000-mapping.dmp
        Download