Overview

overview

10

Static

static

10a4a29824...3b.exe

windows7_x64

10

10a4a29824...3b.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    20-04-2021 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10a4a298243992f740dcdc8431daea3b.exe

  • Size

    739KB

  • MD5

    10a4a298243992f740dcdc8431daea3b

  • SHA1

    93fb528724a458ecd86edb8e6dd4413dec098caa

  • SHA256

    84035c7dd4f195653fd4dec1538e98f9181c74b8eebf9d6415d5cee1616c400c

  • SHA512

    2c055048c69be6ee9038566616600936fff3d5c72e97f0c53e3f5c928d63810f70ee966baa9f77c34e4da767336d0581f5e48a1261fd819da5a511a62c949bf0

Score
10/10
remcosevasionrattrojan

Malware Config

Extracted

Family

remcos

C2

arttronova124.duckdns.org:3030

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
    "C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Modifies registry key
          PID:892
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:300
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:520
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:520 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    9de206caaa1bd740bc03ac1feee87dbb

    SHA1

    c6e806ca628d6bf79db5e74399259b8a1ac51d6d

    SHA256

    dac9c59005aa386985ac8ae465c55f0b452637f401d5ce278e28ed07251f5f37

    SHA512

    c5b9e5dee8394544c3df168eec5c2b205a5ee56ea747752e84029e52eb691088e442903bbd0fc507e5c243c642b3df74de706a96328ac31e4202437c9c2ef071

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    MD5

    c34b586d965ec837347511ec91b57f1f

    SHA1

    e2b50bfefa17dd3170cfaf1f37126a65d81656d5

    SHA256

    c1d8c304a6ab14a78042cf5983b5d1e548906803f0cd30da94461790641b2ba9

    SHA512

    033720be080eecb94706bd6968b9dd1cb38600ce88e205617314c03f3feaecee24d19b21de82214fe32b7a37924d73ee501cdf9ee962de243933ec3729ba2c4c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    a5b7336e454bf863429a9e926316d1ca

    SHA1

    3baa502dedd10d6ec4e029cdd054bea91925f400

    SHA256

    1e91a28915af513c65673e51bc484780ed9be08c0bd158ea03d962d496b45405

    SHA512

    603026a314193e6162557f2faafa36bda7a7574caeb01fbf59716fe37775dd29eb091f091eab0ea29da56fcf4e05e025b3c28c8d010ab7fe1d51bd72099d5587

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
    MD5

    a26d077f8e0ab390e079388867c62599

    SHA1

    61dcddb6080f761e15f8e564bcba681432fbfcc0

    SHA256

    303775defb4bf06076137fdc47040fee66b0bf63efd900f325803f2f681688a3

    SHA512

    2f2e71073b5fa76b1065d7b1e33df89d3d860b51b936e171fbcb3871296d64261f042ad43717891b846b2ef3a5ca90e5f7e828f75d82aed50cab9337f1dfc830

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OP1PA6ZJ.txt
    MD5

    9a7b0413a85bcdbddc292592ea7c587b

    SHA1

    37942c1050c3bf3b7c2e2d4894eedb87209992f9

    SHA256

    5b857757095139668c5a2cb371de37224ccb948301af73782fa0166c70716b07

    SHA512

    366303419b4003946163cc4564f4fe200784ded7d06f5b4ec2ef4c4dcb14bfd97bb21a1a71a04b6193fff9ab38415276fbd169a968b2b12093f3a6e0e2d15e5e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YOEPLMF2.txt
    MD5

    f8d99c01bf711dba9af2ba42b902975e

    SHA1

    67df25b1e574edf988c4d2f4de2195f73c7021fe

    SHA256

    0c6d87a4326d4585325394b97aef0427203bd31f0f8f45b8a9294b2107cc6361

    SHA512

    d6c45c37362edd50304190a162ee1e01c2211a0b2f60f981179cfeaf08a79f0fa753b6b4f597902d98c0686426dce4647fa4713e1f8225a0952e2a149a0d687e

    Download Submit
  • memory/300-70-0x0000000000400000-0x00000000004C0000-memory.dmp
    Filesize

    768KB

    Download
  • memory/300-71-0x00000000004BA1CE-mapping.dmp
    Download
  • memory/520-75-0x000007FEFC221000-0x000007FEFC223000-memory.dmp
    Filesize

    8KB

    Download
  • memory/520-74-0x0000000000000000-mapping.dmp
    Download
  • memory/780-65-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/780-72-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/780-67-0x00000000768B1000-0x00000000768B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/780-66-0x000000000040FD88-mapping.dmp
    Download
  • memory/892-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1200-59-0x0000000001340000-0x0000000001341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1200-64-0x0000000000780000-0x00000000007C8000-memory.dmp
    Filesize

    288KB

    Download
  • memory/1200-63-0x0000000007240000-0x00000000072D4000-memory.dmp
    Filesize

    592KB

    Download
  • memory/1200-62-0x00000000003F0000-0x00000000003F5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1200-61-0x0000000007310000-0x0000000007311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1300-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1492-68-0x0000000000000000-mapping.dmp
    Download