Overview

overview

10

Static

static

10a4a29824...3b.exe

windows7_x64

10

10a4a29824...3b.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-04-2021 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10a4a298243992f740dcdc8431daea3b.exe

  • Size

    739KB

  • MD5

    10a4a298243992f740dcdc8431daea3b

  • SHA1

    93fb528724a458ecd86edb8e6dd4413dec098caa

  • SHA256

    84035c7dd4f195653fd4dec1538e98f9181c74b8eebf9d6415d5cee1616c400c

  • SHA512

    2c055048c69be6ee9038566616600936fff3d5c72e97f0c53e3f5c928d63810f70ee966baa9f77c34e4da767336d0581f5e48a1261fd819da5a511a62c949bf0

Score
10/10
remcosevasionrattrojan

Malware Config

Extracted

Family

remcos

C2

arttronova124.duckdns.org:3030

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
    "C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
      "{path}"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Modifies registry key
          PID:1660
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:1616

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Bypass User Account Control

    1
    T1088

    Defense Evasion

    Bypass User Account Control

    1
    T1088

    Disabling Security Tools

    1
    T1089

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/556-66-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/556-67-0x000000000040FD88-mapping.dmp
      Download
    • memory/556-68-0x0000000075B31000-0x0000000075B33000-memory.dmp
      Filesize

      8KB

      Download
    • memory/556-71-0x0000000000400000-0x0000000000418000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1108-69-0x0000000000000000-mapping.dmp
      Download
    • memory/1660-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-60-0x0000000000F20000-0x0000000000F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1668-62-0x0000000007170000-0x0000000007171000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1668-63-0x0000000000380000-0x0000000000385000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1668-64-0x000000000A410000-0x000000000A4A4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/1668-65-0x0000000000AE0000-0x0000000000B28000-memory.dmp
      Filesize

      288KB

      Download