Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    23-01-2021 11:47

General

  • Target

    Atikmdag Patcher 1.4.8/Atikmdag-Patcher-1.4.8.exe

  • Size

    2.5MB

  • MD5

    7173128b01b36c0911e88fb6cc1c967b

  • SHA1

    db1d76ecf46d95275fa7b0ff7109dd4e6f7dd775

  • SHA256

    e86eb444fe0b44567389ad48953969a60c5bfccadfa1c0e2ec22ada7ad7bd01a

  • SHA512

    b89934ca1ba5ec69149d4267501837079cddc28569f60b84b225f6ea6acea8c1b55af163b05305e147b4dcb5f182f7cac2e127e6ec4acdde6c02a487887968b6

Score
10/10

Malware Config

Extracted

Family

remcos

C2

37.252.11.23:5858

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTP

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 1 IoC
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoC
  • Suspicious use of WriteProcessMemory 167 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Atikmdag Patcher 1.4.8\Atikmdag-Patcher-1.4.8.exe
    "C:\Users\Admin\AppData\Local\Temp\Atikmdag Patcher 1.4.8\Atikmdag-Patcher-1.4.8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Local\Temp\Atikmdag Patcher 1.4.8\Atikmdag-Patcher-1.4.8.exe
      "C:\Users\Admin\AppData\Local\Temp\Atikmdag Patcher 1.4.8\Atikmdag-Patcher-1.4.8.exe" /VERYSILENT
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Program Files (x86)\Atikmdag-Patcher-1.4.8\0123456.exe
        "C:\Program Files (x86)\Atikmdag-Patcher-1.4.8\0123456.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Windows\SysWOW64\notepad.exe
          "C:\Windows\system32\notepad.exe"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1604
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:1708
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:1584
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:1520
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:1680
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe"
            5⤵
            PID:1640
          • C:\Windows\SysWOW64\notepad.exe
            "C:\Windows\system32\notepad.exe"
            5⤵
            • Drops file in Windows directory
            PID:1728
      • C:\Program Files (x86)\Atikmdag-Patcher-1.4.8\Atikmdag-Patcher-1.4.8.exe
        "C:\Program Files (x86)\Atikmdag-Patcher-1.4.8\Atikmdag-Patcher-1.4.8.exe"
        3⤵
        • Executes dropped EXE
        PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

System Information Discovery

1
T1082


Downloads

  • C:\Program Files (x86)\Atikmdag-Patcher-1.4.8\0123456.exe
    MD5

    2b2ef3c10560429fbe52f2564ffd8b8d

    SHA1

    c1008e6cc117e8d1ad2e9102b0104d1185a394ec

    SHA256

    3becbcd34e174e88fba0aea3358c062a7238e544e85fe88394e83932ed519926

    SHA512

    a4895b5597cfd42445f30bdb5fb543c8aca06b98ee14d073c2520c984374ab797d721acf181ddd7b83cac7821d06e089d65884f6949cce603a01a69be5617388

  • C:\Program Files (x86)\Atikmdag-Patcher-1.4.8\Atikmdag-Patcher-1.4.8.exe
    MD5

    5616e95156f37d4445947144eb72d84b

    SHA1

    2ce32920b08f8b6a0959905010b3699fa9111f28

    SHA256

    f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434

    SHA512

    27f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e

  • \Program Files (x86)\Atikmdag-Patcher-1.4.8\0123456.exe
    MD5

    2b2ef3c10560429fbe52f2564ffd8b8d

    SHA1

    c1008e6cc117e8d1ad2e9102b0104d1185a394ec

    SHA256

    3becbcd34e174e88fba0aea3358c062a7238e544e85fe88394e83932ed519926

    SHA512

    a4895b5597cfd42445f30bdb5fb543c8aca06b98ee14d073c2520c984374ab797d721acf181ddd7b83cac7821d06e089d65884f6949cce603a01a69be5617388

  • \Program Files (x86)\Atikmdag-Patcher-1.4.8\Atikmdag-Patcher-1.4.8.exe
    MD5

    5616e95156f37d4445947144eb72d84b

    SHA1

    2ce32920b08f8b6a0959905010b3699fa9111f28

    SHA256

    f3b0e3ba3beb72ad455f478bca6347fbcabbce4ddfa2a6e34f72f11412502434

    SHA512

    27f5a5bbb8dd752b575a74a38ab2aa66c9e714fc9c3e7351005be86c856c6f3cc5bb39835ceb5bd3f7b0f08e4bceb5157970cbf8bd0b927d89b35e042b85552e

  • memory/1456-9-0x0000000000000000-mapping.dmp
  • memory/1536-15-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

  • memory/1536-18-0x0000000000330000-0x000000000033A000-memory.dmp
    Filesize

    40KB

  • memory/1536-12-0x0000000000000000-mapping.dmp
  • memory/1604-20-0x0000000000190000-0x0000000000198000-memory.dmp
    Filesize

    32KB

  • memory/1604-16-0x0000000000000000-mapping.dmp
  • memory/1604-19-0x0000000000090000-0x0000000000092000-memory.dmp
    Filesize

    8KB

  • memory/1652-2-0x0000000075571000-0x0000000075573000-memory.dmp
    Filesize

    8KB

  • memory/1652-3-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/1728-21-0x0000000000000000-mapping.dmp
  • memory/1728-23-0x0000000000080000-0x0000000000088000-memory.dmp
    Filesize

    32KB

  • memory/1728-25-0x0000000000400000-0x0000000000421000-memory.dmp
    Filesize

    132KB

  • memory/1896-4-0x0000000000000000-mapping.dmp
  • memory/1896-6-0x0000000074901000-0x0000000074903000-memory.dmp
    Filesize

    8KB

  • memory/1896-7-0x00000000001D0000-0x00000000001D1000-memory.dmp
    Filesize

    4KB