Overview

overview

10

Static

static

10

tmp/6862cf...50.exe

windows7_x64

10

tmp/6862cf...50.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    01-12-2021 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp/6862cf51b5546665e90e27a0a188ea8c468097f86b8b5d68fa0521f4cd3a9550.exe

  • Size

    463KB

  • MD5

    63ead0514c5352dc4a7af34b8205366f

  • SHA1

    b28b346574521b65b67b59838dfc22b70bfd533e

  • SHA256

    6862cf51b5546665e90e27a0a188ea8c468097f86b8b5d68fa0521f4cd3a9550

  • SHA512

    aa23453ea399961760f2469688da8be1f6525b7ef9f8f19b655e6f97925795ce103e307282e60a587eb8886c90fc9c9f303ce266b3313fc11497cbc92b2b7e62

Score
10/10
remcosrat

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp\6862cf51b5546665e90e27a0a188ea8c468097f86b8b5d68fa0521f4cd3a9550.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp\6862cf51b5546665e90e27a0a188ea8c468097f86b8b5d68fa0521f4cd3a9550.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pvhmwittnfgudtxlycgu.vbs"
      2⤵
      • Deletes itself
      PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\pvhmwittnfgudtxlycgu.vbs
    MD5

    d086e89742c815ec9ade756bb8a9bade

    SHA1

    fca5af7cf420db4f029c9c69a6f8902b21c8233b

    SHA256

    956966190f2f73b05818d1c346cb21e860e209c7c71a2786ee51d3f442bb13c4

    SHA512

    a3bad018dcbcd73a5f70f47acdb9c2ccb2281ef0926c8479bfbc2c7e0ee72846b5d085f577642c710ded846d3b3850febcbeb048beb6aa9a3dad277707894cad

    Download Submit
  • memory/2112-118-0x0000000000000000-mapping.dmp
    Download