Overview

overview

10

Static

static

1

CONTRACT F...df.exe

windows7_x64

10

CONTRACT F...df.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    20-04-2021 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CONTRACT FB20172837,pdf.exe

  • Size

    212KB

  • MD5

    3144fd0af0fcde5fa43d9b4afb5a1fc1

  • SHA1

    347149e4cf1d740a41f2d739f95bb46097f72803

  • SHA256

    03b97c8344d63354e9d3802da05d8124eca355514b3d26dae4d596b925ffe824

  • SHA512

    21182f46eeff57779114127032a8322022eb67218593957dea4b44b255865c504be9c12b1a2b4a38077fb4ab83189f82cf23be04f03b33f89834ed17c4b0f9d9

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

blessmegod.ddns.net:3866

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe"
      2⤵
        PID:3008

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsq3B3C.tmp\ccx0w1.dll
      MD5

      02f57fa409bc0e90f681bb6c1efff03e

      SHA1

      b35fda756ae422c1c52f7e4c89de22f763e74167

      SHA256

      dffd555b29e6719fe45c788e09be1edf73ce1af415e23869ab0915b0159dac09

      SHA512

      e2a45f199aa7e57e264b91388b0a6f04a65ec943b5ea2680c57053c891c6844c47384710b134006f57942e3ea2a17ee70ca860ab81471f7b4bca6950a5df691a

      Download Submit
    • memory/3008-117-0x0000000000413FA4-mapping.dmp
      Download
    • memory/3008-118-0x0000000000400000-0x0000000000421000-memory.dmp
      Filesize

      132KB

      Download
    • memory/3920-115-0x0000000002DD0000-0x0000000002DD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-116-0x0000000002DD1000-0x0000000002DD6000-memory.dmp
      Filesize

      20KB

      Download