Overview

overview

10

Static

static

Ver PDF es...ar.exe

windows7_x64

10

Ver PDF es...ar.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-04-2021 20:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ver PDF estado de cuentas y confirmar Ver PDF estado de cuentas y confirmar.exe

  • Size

    550KB

  • MD5

    6cfd8918e9b9511f8d7fcc93308011eb

  • SHA1

    c9be2597c17d8b4daac89b9f7aa76e330c7e8bf3

  • SHA256

    fb119105227d38bf4e5acbc6a5dc5abfeabbbcfb3b32d635c940510293554e26

  • SHA512

    73efd2d0b3876eaef362d542a6a8aeb76762d4465eda9a86106c63ca6b5bc008e49432d5f465b8c8069d895abf5e6d7fab4591488f3d3e613234f82cbb91f005

Score
10/10
remcosrat

Malware Config

Extracted

Family

remcos

C2

covid19remoc.duckdns.org:1013

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ver PDF estado de cuentas y confirmar Ver PDF estado de cuentas y confirmar.exe
    "C:\Users\Admin\AppData\Local\Temp\Ver PDF estado de cuentas y confirmar Ver PDF estado de cuentas y confirmar.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\khlFKKQXbK" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA473.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:356
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:3956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
        • Suspicious use of SetWindowsHookEx
        PID:1360

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA473.tmp
      MD5

      88d1b6911e8be66ccbd6819d0b96b3f7

      SHA1

      34e989c68f0030391ac960e160f58e31ed113223

      SHA256

      de7e86203e77032a23431af895ba58761793fb557001364ca6348b45a078a9dd

      SHA512

      acf2be8d286ef4074d8c4fbd8fbf90ac34461417dddf535b77d566c47d83de9cc9b2306b5beb5f08eb6e42cf8560df68e9e7b6aef327ddc71689de7a74e8e9bf

      Download Submit
    • memory/356-124-0x0000000000000000-mapping.dmp
      Download
    • memory/1360-128-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1360-127-0x0000000000413A84-mapping.dmp
      Download
    • memory/1360-126-0x0000000000400000-0x0000000000420000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1736-118-0x00000000057B0000-0x0000000005842000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1736-121-0x0000000005C70000-0x0000000005C75000-memory.dmp
      Filesize

      20KB

      Download
    • memory/1736-122-0x00000000076B0000-0x000000000771A000-memory.dmp
      Filesize

      424KB

      Download
    • memory/1736-123-0x0000000008FF0000-0x0000000009011000-memory.dmp
      Filesize

      132KB

      Download
    • memory/1736-120-0x0000000009040000-0x0000000009041000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1736-119-0x0000000005820000-0x0000000005821000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1736-114-0x0000000000F50000-0x0000000000F51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1736-117-0x0000000005890000-0x0000000005891000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1736-116-0x0000000005D90000-0x0000000005D91000-memory.dmp
      Filesize

      4KB

      Download