Overview

overview

10

Static

static

Ver PDF es...ar.exe

windows7_x64

10

Ver PDF es...ar.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    23-04-2021 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ver PDF estado de cuentas y confirmar Ver PDF estado de cuentas y confirmar.exe

  • Size

    550KB

  • MD5

    6cfd8918e9b9511f8d7fcc93308011eb

  • SHA1

    c9be2597c17d8b4daac89b9f7aa76e330c7e8bf3

  • SHA256

    fb119105227d38bf4e5acbc6a5dc5abfeabbbcfb3b32d635c940510293554e26

  • SHA512

    73efd2d0b3876eaef362d542a6a8aeb76762d4465eda9a86106c63ca6b5bc008e49432d5f465b8c8069d895abf5e6d7fab4591488f3d3e613234f82cbb91f005

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

covid19remoc.duckdns.org:1013

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ver PDF estado de cuentas y confirmar Ver PDF estado de cuentas y confirmar.exe
    "C:\Users\Admin\AppData\Local\Temp\Ver PDF estado de cuentas y confirmar Ver PDF estado de cuentas y confirmar.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\khlFKKQXbK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F6B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:528
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:868

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp9F6B.tmp
    MD5

    7592713c5d198c6abbaec2a405835120

    SHA1

    469fd2b4fda46c10281ffab1650d70a9d4cd7e46

    SHA256

    1ba4c6bd7689a13b7e3d46ecd346e72bb1878a650fe3ab675261c0a018fe0312

    SHA512

    f7159aaf3ed2b93353f79373988a366f35d6114af76f6120bed8b93869dd69b4656358b8b6baf4c4d408f4d7ff8cbbe2dd671ff75c3df4fe0e8fe05ccb53a031

    Download Submit

  • memory/528-66-0x0000000000000000-mapping.dmp

    Download

  • memory/868-68-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/868-69-0x0000000000413A84-mapping.dmp

    Download

  • memory/868-70-0x00000000768B1000-0x00000000768B3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/868-71-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1096-60-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-62-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-63-0x00000000005D0000-0x00000000005D5000-memory.dmp

    Filesize

    20KB

    Download

  • memory/1096-64-0x0000000004800000-0x000000000486A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1096-65-0x0000000000C80000-0x0000000000CA1000-memory.dmp

    Filesize

    132KB

    Download