Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
28-04-2021 21:20
General
-
Target
DOCADJDELPROCEFRAUFISC346340003 DOCADJDELPROCEFRAUFISC346340005.exe
-
Size
1003KB
-
MD5
73fe7532d75c146f45f2d09ad844d573
-
SHA1
b982e7b808b140625cc1af5b5d093f03b0b44ce3
-
SHA256
08f234ec292a6a493c9c3e21cf1a08a91899bc929de74ed1a833a42da0891bb9
-
SHA512
b930b35292abba797900234f4e5a0a9b1f340e072a9af646fc2dce876fd5757b2bba6fca218e2fe5c7487757880ccfe71a1d624067903ebe833334811cb0dd34
Malware Config
Extracted
remcos
yuyitosjs.duckdns.org:1717
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DOCADJDELPROCEFRAUFISC346340003 DOCADJDELPROCEFRAUFISC346340005.exe"C:\Users\Admin\AppData\Local\Temp\DOCADJDELPROCEFRAUFISC346340003 DOCADJDELPROCEFRAUFISC346340005.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fDecVP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmp"2⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpACB1.tmpMD5
5ee62c65933558e30ddaddee0f131e9c
SHA1ea59e628e6945ed3e39d3e1c2bfde13041f9deb7
SHA256ae45da0211c75fc5bd0f2ee8d1291f6ccbcf97fbf6f72a45854954529d288bf8
SHA51247f79447e3841a29774c36e1de71c4149de30241663fa9f4f4ab8a8b169f60844f323b20dd6f2737a0ee93e4f45ce438f33d362bb1e13897d94432be78ebe539
-
memory/2500-124-0x0000000000000000-mapping.dmp
-
memory/3456-118-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/3456-114-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/3456-119-0x0000000009030000-0x0000000009031000-memory.dmpFilesize
4KB
-
memory/3456-120-0x0000000004F70000-0x000000000546E000-memory.dmpFilesize
5.0MB
-
memory/3456-121-0x0000000005130000-0x000000000513E000-memory.dmpFilesize
56KB
-
memory/3456-122-0x00000000092B0000-0x000000000937A000-memory.dmpFilesize
808KB
-
memory/3456-123-0x000000000B9E0000-0x000000000BA62000-memory.dmpFilesize
520KB
-
memory/3456-117-0x0000000004F70000-0x0000000004F71000-memory.dmpFilesize
4KB
-
memory/3456-116-0x0000000005470000-0x0000000005471000-memory.dmpFilesize
4KB
-
memory/3924-126-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/3924-127-0x0000000000413E54-mapping.dmp
-
memory/3924-128-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB