Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

remittance.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\remittance.exe.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpAD34.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Non-ISO extended-ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Roaming\QgSBwlYTdt.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp264C.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp4136.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmp5403.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpB828.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\tmpC057.tmp

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

data

dropped

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

data

modified

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

data

dropped

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

data

dropped

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat

ASCII text, with no line terminators

dropped

There are 8 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\remittance.exe

"C:\Users\user\Desktop\remittance.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QgSBwlYTdt" /XML "C:\Users\user\AppData\Local\Temp\tmpAD34.tmp

C:\Users\user\Desktop\remittance.exe

{path}

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpB828.tmp

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmpC057.tmp

C:\Users\user\Desktop\remittance.exe

C:\Users\user\Desktop\remittance.exe 0

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe"

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QgSBwlYTdt" /XML "C:\Users\user\AppData\Local\Temp\tmp264C.tmp

C:\Users\user\Desktop\remittance.exe

{path}

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QgSBwlYTdt" /XML "C:\Users\user\AppData\Local\Temp\tmp4136.tmp

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

{path}

C:\Windows\SysWOW64\schtasks.exe

C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QgSBwlYTdt" /XML "C:\Users\user\AppData\Local\Temp\tmp5403.tmp

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

{path}

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

{path}

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

{path}

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
remittance.exe

Files

Processes

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reportremittance.exe

Files

Processes

IOC Report
remittance.exe