Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-02-2021 23:12
General
-
Target
Quote.exe
-
Size
233KB
-
MD5
a96067cac28b1f5c3de4e1b6c7d0a402
-
SHA1
51c65c8ece4bfd5c7d1b09105440f3f02d3b14ca
-
SHA256
79e70809a85e291f9da3d391131208ce7645dd512eb6bb71811154b43da23222
-
SHA512
1627058a9a884965bce4ece1ccf03c24a849cd79fe883c923ae2eb56c8e0bbb730cf823e550c080685af1f906a38f2847a65dc8ed236181d97eee9ddcfc3f96e
Score
10/10
Malware Config
Extracted
Family
remcos
C2
103.89.88.238:4299
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Quote.exe"C:\Users\Admin\AppData\Local\Temp\Quote.exe"2⤵
- Suspicious use of SetWindowsHookEx
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132KB
-
Filesize
8KB