Resubmissions

02-04-2020 15:00

200402-pmb85r8w5s 10

02-04-2020 14:48

200402-2xn5k91z3n 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v200217
  • submitted
    02-04-2020 14:48

General

  • Target

    SBA_DISA.EXE

  • Size

    152KB

  • MD5

    43927d58e211d5a2d2670bf46b1d9884

  • SHA1

    89dba75b13a506ee5042b5636c06555baf85050c

  • SHA256

    a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835

  • SHA512

    12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

Malware Config

Signatures

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Adds Run key to start application (2 TTPs, 12 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (15 IoCs)
  • Suspicious use of SetThreadContext (15 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (11 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (111 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE
    "C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3864
    • C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE
      "C:\Users\Admin\AppData\Local\Temp\SBA_DISA.EXE"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Users\Admin\Sugaryse\benzinforh.exe
        "C:\Users\Admin\Sugaryse\benzinforh.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Users\Admin\Sugaryse\benzinforh.exe
          "C:\Users\Admin\Sugaryse\benzinforh.exe"
          4⤵
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Modifies system certificate store
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4000
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2644
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              PID:2284
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1944
          • C:\Users\Admin\Sugaryse\dwn.exe
            "C:\Users\Admin\Sugaryse\dwn.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Users\Admin\Sugaryse\dwn.exe
              "C:\Users\Admin\Sugaryse\dwn.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:4016
          • C:\Users\Admin\Sugaryse\benzinforh.exe
            C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\cuezfnvnbiuccvwnbnfok"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:4020
          • C:\Users\Admin\Sugaryse\benzinforh.exe
            C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\mxjsggfhoqnhebsrkysqnpvt"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Users\Admin\Sugaryse\benzinforh.exe
            C:\Users\Admin\Sugaryse\benzinforh.exe /stext "C:\Users\Admin\AppData\Local\Temp\orpcgyqicyfmppgvbimjyupkbeq"
            5⤵
            • Executes dropped EXE
            PID:3760
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            PID:2876
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:668
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            PID:860
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              PID:3608
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              PID:2500
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              PID:3696
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3928
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            PID:3764
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\SysWOW64\svchost.exe
              6⤵
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1996
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\SysWOW64\svchost.exe
            5⤵
            • Suspicious use of SetWindowsHookEx
            PID:3992

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion
    Modify Registry (2) T1112
    Install Root Certificate (1) T1130
  • Credential Access
    Credentials in Files (1) T1081
  • Collection
    Data from Local System (1) T1005
  • Command and Control
    Web Service (1) T1102


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72
    MD5 9dc91d1ae0ad42bc7ea59d04f5764cde
    SHA1 9c8b4cfc2333d7a459571ed90ee63d18a342b09e
    SHA256 9d7cc95d37e7f03d74ec159888a058d5a7e8f10c974f167ee2094334671a687d
    SHA512 bf849ccda5a8d1266b97eff77a75a9063ae37d1ae6af3141f40a94d1a1d334691aa86cabe909a4bc134ec41fac7bf957cef9a01e86482fb10fb5484b09e7b283

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29
    MD5 869c8fb2e075d4fa18e18b14a6105ea5
    SHA1 58a73030ac4ec92b6777dc3f2f85af3c96e9fc55
    SHA256 d2bfa48276a89799e6f2d529b15cd27318c32431daa2e13cf38528e09b04de2e
    SHA512 1552265fdc1b8c125638ae54443e1a20bdd00eb9ca7dce03a6a37a780ae548c747b5ecf1a772ed2db804bd5c1cfe85d3246b85b6daf2279f750072ff0a1cfefd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
    MD5 e550da03aee5b546b436cd553d3233b9
    SHA1 7d4f842c50f4136f10c6c6a2e891bfc4a182a0ed
    SHA256 9abfd4e29b96cca442502b1de6071fe0293455df22b4eff19fa3e6df060947e7
    SHA512 e758228aa2b04ec44ded777ae2318ecf6e9278b6b5981d29d10378e0f66885fabccab48ece78fc279755e710fb531575b58a4fe28469d199736eeb24aa62c767

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72
    MD5 9d8e8dc0a8b2dc2fc1829e3894cbf47f
    SHA1 f93bf785c3ac00ed38d851694d04e576d0bc97ba
    SHA256 cbbd1cd95a9f6dbcce83282be1a96a3b3f9f364a6a62cd01e7efc0815b063e01
    SHA512 ca4f9f9470487043e70ce32f6b4a5c8a34677630522908672568bd25c12a01ca0ac5419eb48f8aa96fa84d2357b5af8fc4a44aee9b6127bc48b8dc8a256fbc13

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BE8B021F9E811DFC8C8A28572A17C05A_BA8650709FF65A42B9202D73C10A8F29
    MD5 c5a5342ce2902b3f4cb540cc30f364b5
    SHA1 68a9bd03c1b84a3f02839cd06bfea46fbaea9937
    SHA256 317bb9fcad3d6e5a685ae49930c3335a50a73c37993349223b91898be86d7c39
    SHA512 80eb5eaa53581bcdc3d35803f9a3a4278ca1f6b0aad679314e0c39822d6f55dc798c05cb41513827b07b87662da2a8f0fe3c18f916c9e3a4c905e14d1d0e673c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
    MD5 8cc93fcd0cf41adade260de10a0584f3
    SHA1 a79b33c0e8f2860db5f0f70970bee59f1221afde
    SHA256 275370349395b8a2a6e8e06a6fb9121f7457de4f63a9c77bcb935d69175ab621
    SHA512 bf5312cd6cfcb26322ab6389553ad36c2cc94a11a1605f4ae68e0aef811b8b0cd5e28d5a545bea204207839c870f8e8cd4666fc8263f1e934f9667dd171c30d6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\K3PAB8M0.cookie
    MD5 a2b3552fae99d93c613195f89b79935f
    SHA1 a3aca690785d60077a1665e698c69a6baaa65e11
    SHA256 f7afa4344319327cc0b30a40295e16a601f9edaa62fc9dd32305c06ee7e8b9c8
    SHA512 f6558ec0a2b1b8f2ce47921e595df88c7f850d3a271fdd0713b948fb21d1aa21f32a5f57009c9b66725a790ede329bc03fa90303ad854767ce112e1097140a7f

  • C:\Users\Admin\AppData\Local\Temp\cuezfnvnbiuccvwnbnfok
    MD5 789064d8c49c486f874b6efae420cc61
    SHA1 24aeacf5398df3acac56cbeb50980cc23ade6028
    SHA256 01ed0cd7f645777ed9307bc566656bf459a9daa0e00311dedfd514889aec5bf3
    SHA512 9859fb64ca0565af253af0cdb49b63b759a38d6d988462cc4c2b2ca11d53680ed082aa8df29fce360e483d092d22d472e61085ea809056af682f09ea69b8b863

  • C:\Users\Admin\Sugaryse\benzinforh.exe
    MD5 43927d58e211d5a2d2670bf46b1d9884
    SHA1 89dba75b13a506ee5042b5636c06555baf85050c
    SHA256 a6cc856405546af76f769ae3148e782571675af436ae9701c17d081266d6c835
    SHA512 12982c56cf7b9864b60829336b4c33a1caee4061fccf434fa9809f71b3259c3823cb6786656d639bc0fabe0a683793df4a6ba34d9f35b47801688b3f28bb5521

  • C:\Users\Admin\Sugaryse\benzinforh.vbs
    MD5 b2f77fbcd220c98436c0c42b0d0fb01f
    SHA1 3f3b0cd67cae27cad373ca5af477e0ab00d11515
    SHA256 6457cced6b0101ae70e6c281ee5813578a30486a61433c03df3fac9d2ca681de
    SHA512 510a2743bcf216196f19813daaf85257686202a912426f30cad0a3459a75949d810016e25187a07abe345836c6c2eab849d46333e0d948952f3686a8b2d561c0

  • C:\Users\Admin\Sugaryse\dwn.exe
    MD5 daeefcc7e346e447891d46b6611aa5be
    SHA1 9dfc5d1e7f5276eb125a2d551ff1738ffd61802d
    SHA256 14591bdae3b5e9cf9988efa782bf96425851dad41c83d4644732b73e02d8d3b1
    SHA512 5cf5ecd8282d0c3e4b584bb1e695a344180d9c9c05613c1f47b51bfc16fdd15461bfbe28869cd8a1b49ab81a0e142a0dda27d8197fcaad640c9d5f9575788565

  • memory/2088-21-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize 144KB
  • memory/2088-18-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize 144KB
  • memory/2088-26-0x0000000000400000-0x0000000000424000-memory.dmp
    Filesize 144KB
  • memory/2644-7-0x0000000000400000-0x0000000000426000-memory.dmp
    Filesize 152KB
  • memory/3760-25-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize 120KB
  • memory/3760-24-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize 120KB
  • memory/3760-20-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize 120KB
  • memory/4020-16-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize 348KB
  • memory/4020-22-0x0000000000400000-0x0000000000457000-memory.dmp
    Filesize 348KB