Overview

overview

10

Static

static

10a4a29824...3b.exe

windows7_x64

10

10a4a29824...3b.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    129s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-04-2021 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10a4a298243992f740dcdc8431daea3b.exe

  • Size

    739KB

  • MD5

    10a4a298243992f740dcdc8431daea3b

  • SHA1

    93fb528724a458ecd86edb8e6dd4413dec098caa

  • SHA256

    84035c7dd4f195653fd4dec1538e98f9181c74b8eebf9d6415d5cee1616c400c

  • SHA512

    2c055048c69be6ee9038566616600936fff3d5c72e97f0c53e3f5c928d63810f70ee966baa9f77c34e4da767336d0581f5e48a1261fd819da5a511a62c949bf0

Score
10/10
remcosevasionratspywarestealertrojan

Malware Config

Extracted

Family

remcos

C2

arttronova124.duckdns.org:3030

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UAC bypass 3 TTPs
    evasiontrojan
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
    "C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\reg.exe
          C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Modifies registry key
          PID:1336
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:3296
        • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
          C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe /stext "C:\Users\Admin\AppData\Local\Temp\iuqdwqckttzwntoqghgeayaqspq"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3560
        • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
          C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe /stext "C:\Users\Admin\AppData\Local\Temp\lowwxjnmhbrbyzcupraflduztwamfk"
          3⤵
            PID:3692
          • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
            C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe /stext "C:\Users\Admin\AppData\Local\Temp\vqbhxbyfvjjganqyzcnhoqpqccrnynpcgf"
            3⤵
              PID:3880
            • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
              C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe /stext "C:\Users\Admin\AppData\Local\Temp\ugyirzpeklkfaw"
              3⤵
                PID:2204
              • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
                C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe /stext "C:\Users\Admin\AppData\Local\Temp\xjebsjaygtcklcksc"
                3⤵
                  PID:2156
                • C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe
                  C:\Users\Admin\AppData\Local\Temp\10a4a298243992f740dcdc8431daea3b.exe /stext "C:\Users\Admin\AppData\Local\Temp\hdjtsckzubupnigelzbhs"
                  3⤵
                    PID:2464

              Network

              MITRE ATT&CK Matrix ATT&CK v6

              Initial Access

              Execution

              Persistence

              Privilege Escalation

              Bypass User Account Control

              1
              T1088

              Defense Evasion

              Bypass User Account Control

              1
              T1088

              Disabling Security Tools

              1
              T1089

              Modify Registry

              2
              T1112

              Credential Access

              Credentials in Files

              1
              T1081

              Discovery

              Lateral Movement

              Collection

              Data from Local System

              1
              T1005

              Exfiltration

              Command and Control

              Impact

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\iuqdwqckttzwntoqghgeayaqspq
                MD5

                b2a343ffbe155a567d2d4e189dabb9f7

                SHA1

                c207b489395cdd2a9e4883ffef0447ea0390d194

                SHA256

                b03395166926f6d79c2141ce91af03b2cadd28eb87c181573956a25ff6df45ad

                SHA512

                306b357b6bb8ea7c71a50c681f199855d84ea1bf02e312841e5061d0b388d72620a102f3a545735bb9072c8697ae5bbd0a779a7e651886e6b6f8430127f17e50

                Download Submit
              • memory/648-116-0x0000000007F10000-0x0000000007F11000-memory.dmp
                Filesize

                4KB

                Download
              • memory/648-117-0x0000000007AB0000-0x0000000007AB1000-memory.dmp
                Filesize

                4KB

                Download
              • memory/648-118-0x0000000007A10000-0x0000000007F0E000-memory.dmp
                Filesize

                5.0MB

                Download
              • memory/648-119-0x0000000007A80000-0x0000000007A81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/648-120-0x0000000004FE0000-0x0000000004FE5000-memory.dmp
                Filesize

                20KB

                Download
              • memory/648-121-0x000000000B150000-0x000000000B151000-memory.dmp
                Filesize

                4KB

                Download
              • memory/648-122-0x000000000B0B0000-0x000000000B144000-memory.dmp
                Filesize

                592KB

                Download
              • memory/648-123-0x0000000009830000-0x0000000009878000-memory.dmp
                Filesize

                288KB

                Download
              • memory/648-114-0x0000000000B80000-0x0000000000B81000-memory.dmp
                Filesize

                4KB

                Download
              • memory/1332-126-0x0000000000000000-mapping.dmp
                Download
              • memory/1336-127-0x0000000000000000-mapping.dmp
                Download
              • memory/2184-125-0x000000000040FD88-mapping.dmp
                Download
              • memory/2184-128-0x0000000000400000-0x0000000000418000-memory.dmp
                Filesize

                96KB

                Download
              • memory/2184-124-0x0000000000400000-0x0000000000418000-memory.dmp
                Filesize

                96KB

                Download
              • memory/3560-129-0x0000000000400000-0x0000000000457000-memory.dmp
                Filesize

                348KB

                Download
              • memory/3560-130-0x0000000000455274-mapping.dmp
                Download
              • memory/3560-134-0x0000000000400000-0x0000000000457000-memory.dmp
                Filesize

                348KB

                Download
              • memory/3880-131-0x0000000000400000-0x000000000041E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/3880-132-0x000000000041C238-mapping.dmp
                Download
              • memory/3880-133-0x0000000000400000-0x000000000041E000-memory.dmp
                Filesize

                120KB

                Download