Overview

overview

10

Static

static

3

e7d3639283...18.exe

windows7-x64

10

e7d3639283...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    17-09-2024 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e7d36392836c350b47e1e485465f2446_JaffaCakes118.exe

  • Size

    648KB

  • MD5

    e7d36392836c350b47e1e485465f2446

  • SHA1

    b4cfaca779557d14cbccf09accefaf4ec8cec30e

  • SHA256

    e037f166b8e3066f5b8fc2f4dea6cf0d052dde5234b46c81e3d5ecf73dc713c2

  • SHA512

    c6f530cbfcf8d145e06c7850b1c51f2dc9efbd893229d12a2fe035be89d3c32979c803f4122f77278aa7d3595f70b99cd3fb867adeaea51fbafbaae7d265a3a1

  • SSDEEP

    6144:DHtgbfyyNili9mp2kS4/JfrtkXl5w5R0koDQY1/rIPpGV8eY2M:TtcK+iEJ6RraXfwBoUY1/r8KB

Score
10/10
remcosdiscoverypersistencerat

Malware Config

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7d36392836c350b47e1e485465f2446_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e7d36392836c350b47e1e485465f2446_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\RemD\RemD.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
          C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
              PID:2900

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\install.vbs
      Filesize

      410B

      MD5

      991cad69a8a5ac8e22281a335b88e2b3

      SHA1

      58568a006ade6e2ca7fa25673b036bcefa303a7d

      SHA256

      95d975c5b36f23f9121390f8f4a1373b1cbb8045765e1c9fa68e114e2f592d60

      SHA512

      298dc73384bf23e913f9a92e83040d84171ef86630652f82f73367fec9e6c61eb8a6055afe03d997870e529e4e88c0f9571b6da8ca934311afdbb67aca3132ba

      Download Submit

    • C:\Users\Admin\AppData\Roaming\RemD\RemD.exe
      Filesize

      648KB

      MD5

      e7d36392836c350b47e1e485465f2446

      SHA1

      b4cfaca779557d14cbccf09accefaf4ec8cec30e

      SHA256

      e037f166b8e3066f5b8fc2f4dea6cf0d052dde5234b46c81e3d5ecf73dc713c2

      SHA512

      c6f530cbfcf8d145e06c7850b1c51f2dc9efbd893229d12a2fe035be89d3c32979c803f4122f77278aa7d3595f70b99cd3fb867adeaea51fbafbaae7d265a3a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Remc\logs.dat
      Filesize

      79B

      MD5

      4c5a202abda4dc922459e6a263e3eb3f

      SHA1

      c9b493ec437e1fbf68b28e7ba972c26b7dd6f90f

      SHA256

      a1c61aea64b28a71f979c19f47cd92065ebdf12249e8d7fc22255cd5f7aafbe1

      SHA512

      e14001b4a956838e96c76c2b94bd1f2384df16aa77dbb2c4d8955d095c541a254b23dd80d34bc4c395459c84e7198c389d4f05c631674fb4e2edcc5bacd7a02a

      Download Submit

    • memory/2576-3-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2576-4-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2576-7-0x0000000072940000-0x0000000072A60000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2576-10-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2576-11-0x0000000072940000-0x0000000072A60000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2576-2-0x0000000077CB0000-0x0000000077D86000-memory.dmp

      Filesize

      856KB

      Download

    • memory/2708-19-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2708-22-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-32-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-37-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-36-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2900-34-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-30-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-28-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-26-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2900-24-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download