Overview

overview

10

Static

static

ShippingDoc.exe

windows7_x64

10

ShippingDoc.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-04-2021 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ShippingDoc.exe

  • Size

    831KB

  • MD5

    ff5098c6521717d54914919b3ccfa844

  • SHA1

    24a79eaf402211e3fa16588b14d8ee10482e13e0

  • SHA256

    2fde996ea514f77000c3c0b10b5587866e644346030c4535e122d93b5cf940da

  • SHA512

    1e31e107fe588507392e5e79263ff5d922429dcc38ab571aef33eadcc2500ea44a03ac5bb35eaaceb6ec0847c82e89f5f1a84ff61df0f108bdb2bd048a487300

Score
10/10
remcospersistencerat

Malware Config

Extracted

Family

remcos

C2

79.134.225.19:2555

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ShippingDoc.exe
    "C:\Users\Admin\AppData\Local\Temp\ShippingDoc.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\DpiScaling.exe
      C:\Windows\System32\DpiScaling.exe
      2⤵
        PID:3288

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3288-119-0x0000000000000000-mapping.dmp
      Download
    • memory/3288-121-0x0000000003350000-0x0000000003351000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3288-120-0x0000000003290000-0x0000000003291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3288-123-0x00000000032F0000-0x00000000032F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3288-125-0x0000000000400000-0x0000000000479000-memory.dmp
      Filesize

      484KB

      Download
    • memory/3288-124-0x0000000010590000-0x000000001060C000-memory.dmp
      Filesize

      496KB

      Download
    • memory/3876-114-0x0000000000640000-0x0000000000641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3876-116-0x0000000002420000-0x000000000243A000-memory.dmp
      Filesize

      104KB

      Download