Managed XDR

1493456.eml (Remcos) — malware analysis report

File info

Filename
1493456.eml
File type
SMTP mail, ASCII text, with CRLF line terminators
File size
1.6 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
2e23774d281a89dc2b2e015cad4a4f4a1ef732ba
SHA256
44e789ca2290f251e0ea81e877fcd37c90d3e1d1630eb3f9feac79b56d61413e
MD5
9c049d918463427d850dfe3cc64f4de3

Malwares

  • Remcos

Signatures

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1106 susp_callbacks: Suspicious usage of some WinAPI with callbacks

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1548.002 uac_bypass_mocking_dir: UAC bypass with the use of mocking directory
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1055.012 injection_runpe: Injects code into another process
T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1548.002 uac_bypass_mocking_dir: UAC bypass with the use of mocking directory
T1055 injection_thread: Code injection to a remote process using CreateRemoteThread or NtQueueApcThread
T1070.004 deletes_self: Moves to different location or removes the original executable file
T1055.012 injection_runpe: Injects code into another process
T1027.002 unnamed_memory_regions_contains_pe: One or several unnamed memory regions are PE files
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1562 dep_disable: Disables DEP
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1562 registry_hide_tracing: Modifies File/Console tracing settings (often used to hide iocs from the system)
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network
T1497.003 antisandbox_sleep_utilities: Uses Windows utilities for pausing the execution
T1057 process_interest: Enumerates processes
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey
T1016.001 system_network_configuration_discovery: System network configuration discovery detected

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network
T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_openurl: Performs HTTP/HTTPS-requests using InternetOpenUrl

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
ce_info: Remcos Configuration Data found
creates_exe: Creates executable files in the file system
ip_domains: Identifies an IP address using external resources
dbatloader_behaviour: DBatLoader/ModiLoader behaviour
suspicious_process_network: Unusual process network activity detected
no_graphical_activity: No graphic activity
create_rpc_bindings: Creates RPC connection
get_policy_info: Retrieves information about a Policy object
creates_in_programdata: Creates files in the ProgramData directory
checktokenmembership: Checks user token with CheckTokenMembership call
enables_execute_access_on_stack: Enable execution access on stack

Related reports