Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-04-2021 02:24
General
-
Target
REQUEST FOR QUOTATION - PR30016810.exe
-
Size
1.2MB
-
MD5
ff100e2d9f8b2f265f22f164d67d83d6
-
SHA1
ddeec70d99fcaa98db7f417ad5fc2fa724b0c252
-
SHA256
c85d33153d768a2f98066c8ba07e58890cbac4c185e4ef45739fb03750e1088b
-
SHA512
0030f38b15e4f455ff970a433e1428eff4511665a417ebc264ae19ea2be5ceda369cbc1d60bb914280d3a8e4b2dffd2c37e93a4362ce39b1bbe5d83418d593fc
Malware Config
Extracted
remcos
103.89.88.238:4292
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mSizPqyiUZWldD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F7F.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe"C:\Users\Admin\AppData\Local\Temp\REQUEST FOR QUOTATION - PR30016810.exe"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp8F7F.tmpMD5
e39c810b8df1de7ffafc4f1ec5e76452
SHA1292543e7692e025854f71640c7f7c28088f6d45d
SHA2561f24cbb136ffbe6c10739f72008150eb4a28c8c11e747b32bcb56e1746dc303d
SHA512246d82847338b97478da2ee3a04b78d944d29df67a6f0769dc57276e019b8954b8e1a434a4c0bba8f55a10d52e67c563cb7c17691dba534ca8fb3781dd49cda9
-
memory/512-121-0x0000000005340000-0x0000000005346000-memory.dmpFilesize
24KB
-
memory/512-123-0x0000000005E20000-0x0000000005ECE000-memory.dmpFilesize
696KB
-
memory/512-118-0x0000000005140000-0x0000000005141000-memory.dmpFilesize
4KB
-
memory/512-119-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/512-120-0x00000000052A0000-0x00000000052A1000-memory.dmpFilesize
4KB
-
memory/512-114-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/512-122-0x00000000050A0000-0x000000000559E000-memory.dmpFilesize
5.0MB
-
memory/512-117-0x00000000055A0000-0x00000000055A1000-memory.dmpFilesize
4KB
-
memory/512-124-0x0000000008380000-0x00000000083F7000-memory.dmpFilesize
476KB
-
memory/512-116-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/2124-125-0x0000000000000000-mapping.dmp
-
memory/2772-127-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/2772-128-0x000000000042EEEF-mapping.dmp
-
memory/2772-129-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB