Overview

overview

10

Static

static

4

99d258fb84...b7.exe

windows7_x64

10

99d258fb84...b7.exe

windows10_x64

10

Analysis

  • max time kernel
    20s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    08-05-2021 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe

  • Size

    2.9MB

  • MD5

    14e8869c598322275ae390eb2e6f36af

  • SHA1

    e904d47a554aea9ea53d85eeaf1d9bac939e9e09

  • SHA256

    99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7

  • SHA512

    a7017b5be156634afdf218e2b2b50633ba2b27492ddce9fa07bca1ed8237fa981667596a4777864cf475858ab0885f257819bacfe94d321293f6cce6c790d3ff

Score
10/10
remcoslinkpdfpersistenceratupx

Malware Config

Extracted

Family

remcos

C2

daya4659.ddns.net:8282

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 13 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Suspicious use of SetThreadContext 6 IoCs
  • HTTP links in PDF interactive object 12 IoCs

    Detects HTTP links in interactive objects within PDF files.

    pdflink
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
    "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
      "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
        "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:556
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1516
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1388
            • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:1172
              • C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
                "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                PID:1612
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\SysWOW64\svchost.exe
                  8⤵
                    PID:788
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\SysWOW64\svchost.exe
                    8⤵
                      PID:1896
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\SysWOW64\svchost.exe
                      8⤵
                        PID:1700
                    • C:\Windows\SysWOW64\schtasks.exe
                      "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
                      7⤵
                      • Creates scheduled task(s)
                      PID:1968
            • C:\Windows\SysWOW64\schtasks.exe
              "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
              3⤵
              • Creates scheduled task(s)
              PID:472
          • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
            2⤵
            • Suspicious use of SetWindowsHookEx
            PID:1768
          • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
            "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
            2⤵
              PID:1756
            • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
              "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
              2⤵
                PID:1784
              • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
                "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
                2⤵
                  PID:1764
                • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
                  "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
                  2⤵
                    PID:1736
                  • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
                    "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
                    2⤵
                      PID:1708
                    • C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe
                      "C:\Users\Admin\AppData\Local\Temp\99d258fb84b82382de0faa36e57a0bb13eb7c107098ab06c64d88cbf1b8e2db7.exe"
                      2⤵
                        PID:784
                      • C:\Windows\SysWOW64\schtasks.exe
                        "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
                        2⤵
                        • Creates scheduled task(s)
                        PID:300
                    • C:\Windows\system32\taskeng.exe
                      taskeng.exe {2E891039-E8C4-4A17-AF3D-9AEC041EA442} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
                      1⤵
                        PID:1112
                        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                          C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:1688
                          • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                            "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1696
                          • C:\Windows\SysWOW64\schtasks.exe
                            "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
                            3⤵
                            • Creates scheduled task(s)
                            PID:1996
                        • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                          C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                          2⤵
                          • Executes dropped EXE
                          PID:620
                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:944
                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1788
                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1988
                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:2012
                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:808
                          • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                            "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                            3⤵
                            • Executes dropped EXE
                            PID:1620
                          • C:\Windows\SysWOW64\schtasks.exe
                            "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
                            3⤵
                            • Creates scheduled task(s)
                            PID:536
                        • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                          C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                          2⤵
                            PID:2000
                            • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                              "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
                              3⤵
                                PID:1516
                              • C:\Windows\SysWOW64\schtasks.exe
                                "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
                                3⤵
                                • Creates scheduled task(s)
                                PID:1752
                            • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                              C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                              2⤵
                                PID:1092
                                • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                  "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                                  3⤵
                                    PID:1664
                                  • C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
                                    "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
                                    3⤵
                                      PID:1596
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
                                      3⤵
                                      • Creates scheduled task(s)
                                      PID:1616
                                  • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                    C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                    2⤵
                                      PID:852
                                      • C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
                                        "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
                                        3⤵
                                          PID:1468

                                    Network

                                    MITRE ATT&CK Enterprise v6

                                    Replay Monitor

                                    Loading Replay Monitor...

                                    Downloads

                                    • memory/556-73-0x0000000000080000-0x00000000000A0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/556-85-0x0000000000080000-0x00000000000A0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/788-111-0x0000000000400000-0x0000000000526000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/788-107-0x0000000000400000-0x0000000000526000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/1468-190-0x00000000000C0000-0x00000000000E0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/1468-181-0x00000000000C0000-0x00000000000E0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/1596-173-0x0000000000401000-0x0000000000476000-memory.dmp

                                      Filesize

                                      468KB

                                      Download

                                    • memory/1596-165-0x0000000000400000-0x00000000004C0000-memory.dmp

                                      Filesize

                                      768KB

                                      Download

                                    • memory/1596-172-0x0000000000476000-0x00000000004BF000-memory.dmp

                                      Filesize

                                      292KB

                                      Download

                                    • memory/1596-169-0x0000000000400000-0x00000000004C0000-memory.dmp

                                      Filesize

                                      768KB

                                      Download

                                    • memory/1612-104-0x00000000000D0000-0x00000000000F0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/1612-95-0x00000000000D0000-0x00000000000F0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/1696-142-0x0000000000080000-0x00000000000A0000-memory.dmp

                                      Filesize

                                      128KB

                                      Download

                                    • memory/1700-146-0x0000000000400000-0x0000000000526000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/1896-115-0x0000000000400000-0x0000000000526000-memory.dmp

                                      Filesize

                                      1.1MB

                                      Download

                                    • memory/2000-59-0x00000000765F1000-0x00000000765F3000-memory.dmp

                                      Filesize

                                      8KB

                                      Download

                                    • memory/2000-82-0x0000000000750000-0x0000000000751000-memory.dmp

                                      Filesize

                                      4KB

                                      Download