Overview

overview

10

Static

static

SecuriteIn...04.exe

windows7_x64

10

SecuriteIn...04.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-01-2021 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe

  • Size

    1.3MB

  • MD5

    33c35598a22a81d9d62986a910bc4d46

  • SHA1

    9177c4636517c04dad78521286ffe8928b3c8672

  • SHA256

    0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

  • SHA512

    4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

Score
10/10
remcospersistenceransomwarerat

Malware Config

Extracted

Family

remcos

C2

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Delays execution with timeout.exe 6 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 74 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3164
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:3148
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\SysWOW64\timeout.exe
        timeout 1
        3⤵
        • Delays execution with timeout.exe
        PID:4052
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe"
      2⤵
        PID:4488
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe"
        2⤵
          PID:4496
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.3504.exe"
          2⤵
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4480
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4572
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1280
              • C:\Users\Admin\AppData\Roaming\vlc.exe
                C:\Users\Admin\AppData\Roaming\vlc.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of SetThreadContext
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1520
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout 1
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1828
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 1
                    7⤵
                    • Delays execution with timeout.exe
                    PID:2384
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout 1
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2592
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 1
                    7⤵
                    • Delays execution with timeout.exe
                    PID:2864
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c timeout 1
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2696
                  • C:\Windows\SysWOW64\timeout.exe
                    timeout 1
                    7⤵
                    • Delays execution with timeout.exe
                    PID:4736
                • C:\Users\Admin\AppData\Roaming\vlc.exe
                  "C:\Users\Admin\AppData\Roaming\vlc.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:4744
                • C:\Users\Admin\AppData\Roaming\vlc.exe
                  "C:\Users\Admin\AppData\Roaming\vlc.exe"
                  6⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of SetWindowsHookEx
                  PID:4404
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 1560
                  6⤵
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:208
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4772 -s 1560
          2⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4632

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\install.vbs
        MD5

        0fd303b21c1a43c6a9078e6f5280ca85

        SHA1

        0db8f1ae34f4e2e72184e337951fde826c0bd26f

        SHA256

        5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

        SHA512

        be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

        Download Submit
      • C:\Users\Admin\AppData\Roaming\vlc.exe
        MD5

        33c35598a22a81d9d62986a910bc4d46

        SHA1

        9177c4636517c04dad78521286ffe8928b3c8672

        SHA256

        0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

        SHA512

        4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

        Download Submit
      • C:\Users\Admin\AppData\Roaming\vlc.exe
        MD5

        33c35598a22a81d9d62986a910bc4d46

        SHA1

        9177c4636517c04dad78521286ffe8928b3c8672

        SHA256

        0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

        SHA512

        4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

        Download Submit
      • C:\Users\Admin\AppData\Roaming\vlc.exe
        MD5

        33c35598a22a81d9d62986a910bc4d46

        SHA1

        9177c4636517c04dad78521286ffe8928b3c8672

        SHA256

        0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

        SHA512

        4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

        Download Submit
      • C:\Users\Admin\AppData\Roaming\vlc.exe
        MD5

        33c35598a22a81d9d62986a910bc4d46

        SHA1

        9177c4636517c04dad78521286ffe8928b3c8672

        SHA256

        0a5a4665f8d532812a8c8992b8ecc0e58efb56e7730382268ca3ca65a0f74f38

        SHA512

        4dba8eeb9f9d2861c13dd9107a90e98d89412ef815aa19ed502cc292d6afed79ff582bdc5faad1d9b9d74c73e887a5bb83a49c64c69e04cc53270bbb3fae03d0

        Download Submit
      • memory/208-49-0x0000000004540000-0x0000000004541000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1280-25-0x0000000000000000-mapping.dmp
        Download
      • memory/1520-40-0x0000000004EF0000-0x0000000004EF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1520-29-0x0000000073370000-0x0000000073A5E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1520-26-0x0000000000000000-mapping.dmp
        Download
      • memory/1828-37-0x0000000000000000-mapping.dmp
        Download
      • memory/2384-38-0x0000000000000000-mapping.dmp
        Download
      • memory/2592-39-0x0000000000000000-mapping.dmp
        Download
      • memory/2696-42-0x0000000000000000-mapping.dmp
        Download
      • memory/2864-41-0x0000000000000000-mapping.dmp
        Download
      • memory/3148-14-0x0000000000000000-mapping.dmp
        Download
      • memory/3164-13-0x0000000000000000-mapping.dmp
        Download
      • memory/3340-12-0x0000000000000000-mapping.dmp
        Download
      • memory/3432-15-0x0000000000000000-mapping.dmp
        Download
      • memory/4052-16-0x0000000000000000-mapping.dmp
        Download
      • memory/4172-11-0x0000000000000000-mapping.dmp
        Download
      • memory/4404-46-0x0000000000413FA4-mapping.dmp
        Download
      • memory/4404-48-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4480-24-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4480-18-0x0000000000413FA4-mapping.dmp
        Download
      • memory/4480-17-0x0000000000400000-0x0000000000421000-memory.dmp
        Filesize

        132KB

        Download
      • memory/4572-19-0x0000000000000000-mapping.dmp
        Download
      • memory/4632-20-0x0000000004380000-0x0000000004381000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4736-43-0x0000000000000000-mapping.dmp
        Download
      • memory/4772-7-0x0000000004B50000-0x0000000004B51000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4772-2-0x0000000073370000-0x0000000073A5E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4772-8-0x0000000004E00000-0x0000000004E01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4772-6-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4772-9-0x0000000004B10000-0x0000000004B11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4772-5-0x0000000004A10000-0x0000000004A11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4772-10-0x0000000004DB0000-0x0000000004DE0000-memory.dmp
        Filesize

        192KB

        Download
      • memory/4772-3-0x00000000000C0000-0x00000000000C1000-memory.dmp
        Filesize

        4KB

        Download