Overview

overview

10

Static

static

REQUEST FO...10.exe

windows7_x64

10

REQUEST FO...10.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    16-04-2021 02:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REQUEST FOR QUOTATION - PR30016810.exe

  • Size

    1.2MB

  • MD5

    ff100e2d9f8b2f265f22f164d67d83d6

  • SHA1

    ddeec70d99fcaa98db7f417ad5fc2fa724b0c252

  • SHA256

    c85d33153d768a2f98066c8ba07e58890cbac4c185e4ef45739fb03750e1088b

  • SHA512

    0030f38b15e4f455ff970a433e1428eff4511665a417ebc264ae19ea2be5ceda369cbc1d60bb914280d3a8e4b2dffd2c37e93a4362ce39b1bbe5d83418d593fc

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

103.89.88.238:4292

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe
    "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mSizPqyiUZWldD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFDEE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:396
    • C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe
      "C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFDEE.tmp
    MD5

    7e82f867493c8209e13c4b9ce64f48ad

    SHA1

    ad52fe373935fd2dc2c945c037d812a0e9ffeb39

    SHA256

    d7c64b8321e848f86b5c687314113eb6f3a03f1af784507ae90cc8b6dfba836e

    SHA512

    044165ae5c8a648ff2fdf37d99ff995176f984b0f822771685f75a7798a1ab2f50ccc5e32ff6074a11915aab903956d2debbf11038979d9de14303d4b9d6bfa9

    Download Submit
  • memory/396-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1592-68-0x000000000042EEEF-mapping.dmp
    Download
  • memory/1592-67-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1592-69-0x00000000769B1000-0x00000000769B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1592-70-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize

    480KB

    Download
  • memory/1640-59-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1640-61-0x0000000004ED0000-0x0000000004ED1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1640-62-0x0000000000360000-0x0000000000366000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1640-63-0x0000000005190000-0x000000000523E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1640-64-0x0000000002220000-0x0000000002297000-memory.dmp
    Filesize

    476KB

    Download