Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:44

Static task: static1

Behavioral task: behavioral1
- Sample: 200630 Kloepfel Consulting GmbH.scr
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 200630 Kloepfel Consulting GmbH.scr
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 200630 Kloepfel Consulting GmbH.scr
- Size: 680KB
- MD5: cd8d11d11a4a2c38bfb1ba89a9e8cef6
- SHA1: 27cdc50b73ce48a9d2e773fbda57fe11a67a1d40
- SHA256: 9d288f2ea49daa4323d1a496c42cbffdfbb148b634345ecc9147265bbdc43491
- SHA512: d7efb6e34026658f0e098c028f7613ace62c36e5d10fd64185f5d5b1bb3d0d95e100e164512032d404c265c9ef448ff69c4c2055ad81a2bdff6f64d2972e27da
- Score: 10/10
Malware Config (extracted)
- Family: remcos
- C2: coronanancy14-50163.portmap.io:50163
Signatures
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: ieinstal.exe (PID 1904)
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Process: 200630 Kloepfel Consulting GmbH.scr
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Ydgn = "C:\\Users\\Admin\\AppData\\Local\\Ydgn\\Ydgn.hta"
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Process: 200630 Kloepfel Consulting GmbH.scr
  PID 1612 (200630 Kloepfel Consulting GmbH.scr) wrote to memory of PID 1904 (ieinstal.exe); 9 identical entries
- Suspicious use of SetThreadContext (1 IoC)
  Process: 200630 Kloepfel Consulting GmbH.scr
  PID 1612 (200630 Kloepfel Consulting GmbH.scr) set thread context of PID 1904 (ieinstal.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\200630 Kloepfel Consulting GmbH.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\200630 Kloepfel Consulting GmbH.scr" /S
   - Adds Run entry to start application
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Program Files (x86)\internet explorer\ieinstal.exe (child of 1)
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetWindowsHookEx