Malware Analysis Report

2024-11-13 18:50

Sample ID 240713-acz9gsyhlh
Target remcos_a.exe
SHA256 8dbaaf8394250340e282a70a69dad00c21424e68d56cfc46816c1d0c2a2a0bd6
Tags remcos
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8dbaaf8394250340e282a70a69dad00c21424e68d56cfc46816c1d0c2a2a0bd6

Threat Level: Known bad

The file remcos_a.exe was found to be: Known bad.

Malicious Activity Summary

remcos

Remcos family

Program crash

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-13 00:04

Signatures

Remcos family

remcos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-13 00:04

Reported

2024-07-13 00:10

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2700 -ip 2700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-13 00:04

Reported

2024-07-13 00:10

Platform

win11-20240709-en

Max time kernel

211s

Max time network

274s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 944 -ip 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 628

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-13 00:04

Reported

2024-07-13 00:10

Platform

win10-20240404-en

Max time kernel

300s

Max time network

255s

Command Line

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 632
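All three behavioral runs above end the same way: the sample starts, WerFault.exe is launched against it, and nothing else is recorded (no files written, no persistence signature, no forward DNS query). The following Python is an added example, not part of the sandbox report or its tooling: it parses the flattened Processes section into image/command-line pairs, pulls the crashed PID out of each WerFault.exe line from its `-p <pid>` argument (both the `-pss ... -ip` and the `-u ... -s` forms seen above are handled; the remaining flags are deliberately left uninterpreted), and records that the SysWOW64 copy of WerFault.exe was used, which is the handler for 32-bit processes on 64-bit Windows. The input is the behavioral2 process list copied from the report; the function and field names are this example's own.

```python
"""Attribute WerFault.exe invocations in a sandbox process list to the PID
they were launched for. Added example; the process section is copied from
the behavioral2 run of the report, the parser is this example's own."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the behavioral2 "Processes" section, verbatim.
# The report lists each process as an image-path line followed by a
# command-line line, with blank lines in between.
PROCESS_SECTION = r'''
C:\Users\Admin\AppData\Local\Temp\remcos_a.exe

"C:\Users\Admin\AppData\Local\Temp\remcos_a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2700 -ip 2700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 600
'''


@dataclass
class Proc:
    image: str      # path of the executable image
    cmdline: str    # full command line as recorded by the sandbox


def parse_processes(section: str) -> list[Proc]:
    """Pair up image-path and command-line lines in the order they appear."""
    lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of non-empty lines: not image/cmdline pairs")
    return [Proc(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


# "-p <pid>" names the crashed process. The (^|\s) prefix stops the pattern
# matching inside "-pss" or "-ip". In the -pss form, "-ip <pid>" repeats it.
_P_RE = re.compile(r"(?:^|\s)-p\s+(\d+)")
_IP_RE = re.compile(r"(?:^|\s)-ip\s+(\d+)")


def werfault_target(p: Proc) -> Optional[int]:
    """Return the PID a WerFault.exe invocation was started for, else None.

    Flags other than -p/-ip are left uninterpreted on purpose; the only
    consistency check is that the two PID-carrying arguments agree."""
    if p.image.lower().rsplit("\\", 1)[-1] != "werfault.exe":
        return None
    m = _P_RE.search(p.cmdline)
    if not m:
        return None
    pid = int(m.group(1))
    m_ip = _IP_RE.search(p.cmdline)
    if m_ip and int(m_ip.group(1)) != pid:
        raise ValueError(f"-p {pid} disagrees with -ip {m_ip.group(1)}: {p.cmdline!r}")
    return pid


def summarize(section: str) -> dict:
    """Count WerFault launches per crashed PID and note which WerFault was used."""
    procs = parse_processes(section)
    crashed: dict[int, int] = {}
    wow64 = False
    non_werfault = []
    for p in procs:
        pid = werfault_target(p)
        if pid is None:
            non_werfault.append(p.image)
            continue
        crashed[pid] = crashed.get(pid, 0) + 1
        # SysWOW64\WerFault.exe is the 32-bit handler: the crashed process
        # was a 32-bit image running under WOW64.
        if "\\syswow64\\" in p.image.lower():
            wow64 = True
    return {"crashed_pids": crashed, "wow64_werfault": wow64, "non_werfault": non_werfault}


if __name__ == "__main__":
    print(summarize(PROCESS_SECTION))
```

On the behavioral2 data this yields one crashed PID (2700) with two WerFault launches, both from SysWOW64, and the only non-WerFault process is the sample itself. The report does not list the sample's own PID, so the PID cannot be tied back to remcos_a.exe from the page alone; on a live host the same check would be joined against process-creation events to confirm that the crashing process is the one started from %TEMP%.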

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 157.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp

Files

N/A