Analysis
- max time kernel: 98s
- max time network: 150s
- platform: windows10_x64
- resource: win10v191014
- submitted: 13-02-2020 20:57
Static task: static1
Behavioral task behavioral1: sample Replycant.exe, resource win7v200213 (windows7_x64), 0 signatures, 0 seconds
Behavioral task behavioral2: sample Replycant.exe, resource win10v191014 (windows10_x64), 0 signatures, 0 seconds
General
- Target: Replycant.exe
- Size: 496KB
- MD5: d04c9993c11e884472533b869576fdb5
- SHA1: 103657d9912a422ba94d5da365acc800a46cad5e
- SHA256: dd811507f8068ee522a68aeb52ce6eb14f5b4382e6da2386c305087eebbc853e
- SHA512: 5d8c28d9b1a875db96282ea532fac16ddc07d81ce5c11a849b077f0c73cba6d00cb1ccd109ca6447c337ae6a081b7a47f9cb3edcc631d305c9753beed698e83c
Malware Config
Signatures
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  4976 | Replycant.exe
  4976 | Replycant.exe
  1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
  1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 4976 wrote to memory of 1880 | 4976 | Replycant.exe | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
  PID 4976 wrote to memory of 1880 | 4976 | Replycant.exe | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
  PID 4976 wrote to memory of 1880 | 4976 | Replycant.exe | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
  PID 1880 wrote to memory of 4084 | 1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe | svchost.exe
  PID 1880 wrote to memory of 4084 | 1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe | svchost.exe
  PID 1880 wrote to memory of 4084 | 1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe | svchost.exe
  PID 1880 wrote to memory of 4084 | 1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe | svchost.exe
- Executes dropped EXE (1 IoC)
  pid | process
  1880 | بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
- Trickbot's 32bit loader
  Detects Trickbot's 32bit loader.
Processes
- C:\Users\Admin\AppData\Local\Temp\Replycant.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Replycant.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe (depth 2, child of Replycant.exe)
    Command line: "C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - C:\Windows\system32\svchost.exe (depth 3, child of the dropped executable)
      Command line: C:\Windows\system32\svchost.exe
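The WriteProcessMemory rows and the process tree together describe a two-hop chain: Replycant.exe writes into the executable it dropped under C:\ProgramData, and that executable in turn writes into an svchost.exe it started itself. Note that the svchost.exe command line shown above carries no -k argument; a service-host instance started legitimately is a child of services.exe with a -k service-group argument. The script below is an added example, not part of the sandbox's own tooling: it parses the seven rows copied from the WriteProcessMemory table, walks the write edges from the root PID, and flags any write into a binary that lives in a Windows system directory from a process that does not. The PID-to-path mapping is an assumption made by joining the PIDs in the IoC tables with the paths in the process tree. The rule deliberately does not flag the parent-to-child writes from Replycant.exe into the dropped executable (its target is not a system binary), so a detection that only looks for system-binary targets would miss the first hop.

```python
"""Reconstruct the cross-process write chain from a sandbox report's
WriteProcessMemory IoC rows and flag writes into Windows system binaries.

Added example for this report; it is not part of any sandbox's own tooling.
The rows and paths below are copied from the tables on this page; the
PID-to-path mapping joins the PIDs in the IoC tables with the process tree.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Name of the executable dropped into C:\ProgramData (as reported).
DROPPED = "بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe"

# Constructed input: the seven "Suspicious use of WriteProcessMemory" rows.
WPM_ROWS = [
    f"PID 4976 wrote to memory of 1880 4976 Replycant.exe {DROPPED}",
    f"PID 4976 wrote to memory of 1880 4976 Replycant.exe {DROPPED}",
    f"PID 4976 wrote to memory of 1880 4976 Replycant.exe {DROPPED}",
    f"PID 1880 wrote to memory of 4084 1880 {DROPPED} svchost.exe",
    f"PID 1880 wrote to memory of 4084 1880 {DROPPED} svchost.exe",
    f"PID 1880 wrote to memory of 4084 1880 {DROPPED} svchost.exe",
    f"PID 1880 wrote to memory of 4084 1880 {DROPPED} svchost.exe",
]

# PID -> image path (assumed: PIDs from the IoC tables joined with the tree).
PROCESSES = {
    4976: "C:\\Users\\Admin\\AppData\\Local\\Temp\\Replycant.exe",
    1880: "C:\\ProgramData\\" + DROPPED,
    4084: "C:\\Windows\\system32\\svchost.exe",
}

# Directories whose executables are treated as Windows system binaries.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_wpm_rows(rows):
    """Parse report rows into a Counter keyed by (src_pid, dst_pid, src_image, dst_image)."""
    edges = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def is_system_binary(path):
    """True if the image lives directly in one of the Windows system directories."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def injection_chain(edges, root_pid):
    """Breadth-first walk of the write edges from root_pid; returns PIDs in visit order."""
    children = {}
    for src, dst, _, _ in edges:
        children.setdefault(src, []).append(dst)
    chain, seen, queue = [], set(), [root_pid]
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        queue.extend(children.get(pid, []))
    return chain


def flag_injections(edges, processes):
    """Flag writes into a system binary made by a process outside the system directories."""
    findings = []
    for (src, dst, src_img, dst_img), count in sorted(edges.items()):
        src_path = processes.get(src, src_img)  # fall back to the bare image name
        dst_path = processes.get(dst, dst_img)
        if is_system_binary(dst_path) and not is_system_binary(src_path):
            findings.append({
                "source_pid": src, "source": src_path,
                "target_pid": dst, "target": dst_path,
                "writes": count,
            })
    return findings


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    print("write chain:", " -> ".join(str(p) for p in injection_chain(edges, 4976)))
    for finding in flag_injections(edges, PROCESSES):
        print(f"{finding['writes']} write(s): {finding['source']} -> {finding['target']}")
```

Run as-is it prints the chain 4976 -> 1880 -> 4084 and a single finding for the four writes from the dropped executable into svchost.exe. To catch the first hop as well, extend the rule to also flag any cross-process write whose source lives under a user-writable directory such as AppData\Local\Temp or C:\ProgramData.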
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\بابկողպեքドアЕЕقفلпԴուь;;;ռըсロックロック.exe
- memory/1880-4-0x00000000023F0000-0x0000000002421000-memory.dmp (196KB)
- memory/1880-3-0x0000000002190000-0x00000000021C4000-memory.dmp (208KB)
- memory/4976-0-0x0000000002390000-0x00000000023C4000-memory.dmp (208KB)