Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10-07-2020 17:48

Static task: static1
Behavioral task: behavioral1 (sample Remittance advice.exe, resource win7v200430)
Behavioral task: behavioral2 (sample Remittance advice.exe, resource win10)

General
- Target: Remittance advice.exe
- Size: 832KB
- MD5: 6b72bf98756a106ce4ffb0d7ef1be954
- SHA1: 2153b926fbb23eac4af1235f3dc3ff867cbaf174
- SHA256: ab12a111885480b3518449ff615d118b0ba908e4f3f0179c8da797c7c815cbfe
- SHA512: 34e79cbde4f94b779af05677e04e8276bb303d2270c545e43a7ab31a54ab5fa4bafb875fa51c9e24d2de714b4e156bdf062df502d3d86ed2c6e61a0efe7d5e13
Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes: Remittance advice.exe (PID 1032) x1; Remittance advice.exe (PID 1052) x2; help.exe (PID 1492) x26

Drops file in Program Files directory (1 IoCs)
- help.exe: File opened for modification C:\Program Files (x86)\Nsdv\gdirfgx.exe

System policy modification (1 TTPs, 1 IoCs)
- help.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: Remittance advice.exe (PID 1032) x1; Remittance advice.exe (PID 1052) x3; help.exe (PID 1492) x4

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE (PID 1320) x5

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE (PID 1320) x4

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
- Explorer.EXE: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Modifies Internet Explorer settings
- help.exe: Key created \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form data, which is why this IoC sits alongside the browser-data TTP above.

Suspicious use of WriteProcessMemory (23 IoCs)
- PID 1032 (Remittance advice.exe) wrote to memory of PID 732 (notepad.exe) x6
- PID 1032 (Remittance advice.exe) wrote to memory of PID 1052 (Remittance advice.exe) x4
- PID 1320 (Explorer.EXE) wrote to memory of PID 1492 (help.exe) x4
- PID 1492 (help.exe) wrote to memory of PID 1348 (cmd.exe) x4
- PID 1492 (help.exe) wrote to memory of PID 560 (Firefox.exe) x5

Deletes itself (1 IoCs)
Processes: cmd.exe (PID 1348)

Drops startup file (1 IoCs)
- notepad.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remittance advice.vbs

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
- help.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- help.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HTODEFSHWLH0 = "C:\\Program Files (x86)\\Nsdv\\gdirfgx.exe"

Suspicious use of SetThreadContext (3 IoCs)
- PID 1032 (Remittance advice.exe) set thread context of PID 1052 (Remittance advice.exe)
- PID 1052 (Remittance advice.exe) set thread context of PID 1320 (Explorer.EXE)
- PID 1492 (help.exe) set thread context of PID 1320 (Explorer.EXE)
Read together with the WriteProcessMemory table: the first instance (PID 1032) writes into and redirects a second copy of itself (PID 1052), that copy targets Explorer.EXE (PID 1320), Explorer.EXE then writes into help.exe (PID 1492), and help.exe targets Explorer.EXE again while driving the cmd.exe deletion of the original sample and the persistence changes listed above.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Remittance advice.exe (PID 1052): Token: SeDebugPrivilege
- help.exe (PID 1492): Token: SeDebugPrivilege
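Detection logic over the injection, persistence and self-deletion events recorded in the signatures above, as an added example that is not part of the original report or the sandbox's own code. The event records are constructed here from the PIDs, image names, registry paths and command lines printed in the tables; the field names (kind, pid, image, target_pid, target_image, path, value, cmdline, parent_pid) and the rule names are this example's own schema, an assumption, not the sandbox's export format.

```python
"""Rule-based triage of sandbox process events.

Added example: not part of the original report or the sandbox's own code.
The event records below are constructed from the PIDs, image names, registry
paths and command lines printed in the report; the field names and rule names
are this example's own schema (an assumption), not the sandbox's format.
"""
import re

# Constructed from the report's WriteProcessMemory, SetThreadContext, registry,
# file and process-tree tables (one record per distinct source/target pair).
EVENTS = [
    {"kind": "write_memory", "pid": 1032, "image": "Remittance advice.exe",
     "target_pid": 732, "target_image": "notepad.exe"},
    {"kind": "write_memory", "pid": 1032, "image": "Remittance advice.exe",
     "target_pid": 1052, "target_image": "Remittance advice.exe"},
    {"kind": "set_thread_context", "pid": 1032, "image": "Remittance advice.exe",
     "target_pid": 1052, "target_image": "Remittance advice.exe"},
    {"kind": "set_thread_context", "pid": 1052, "image": "Remittance advice.exe",
     "target_pid": 1320, "target_image": "Explorer.EXE"},
    {"kind": "write_memory", "pid": 1320, "image": "Explorer.EXE",
     "target_pid": 1492, "target_image": "help.exe"},
    {"kind": "set_thread_context", "pid": 1492, "image": "help.exe",
     "target_pid": 1320, "target_image": "Explorer.EXE"},
    {"kind": "write_memory", "pid": 1492, "image": "help.exe",
     "target_pid": 1348, "target_image": "cmd.exe"},
    {"kind": "write_memory", "pid": 1492, "image": "help.exe",
     "target_pid": 560, "target_image": "Firefox.exe"},
    {"kind": "reg_set", "pid": 1492, "image": "help.exe",
     "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HTODEFSHWLH0",
     "value": r"C:\Program Files (x86)\Nsdv\gdirfgx.exe"},
    {"kind": "file_create", "pid": 732, "image": "notepad.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remittance advice.vbs"},
    {"kind": "process_create", "pid": 1348, "image": "cmd.exe", "parent_pid": 1492,
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\Remittance advice.exe"'},
]

# Run keys including the less-watched Policies\Explorer\Run, the per-user
# Startup folder, and a "cmd /c del <path>" command line.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(?:Policies\\Explorer\\Run|Run|RunOnce)\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def detect_injection(events):
    """Pair WriteProcessMemory with SetThreadContext on the same (source, target).

    Same image on both sides is the hollowing pattern: a suspended copy of the
    sample gets its memory replaced and its thread context redirected. Any
    SetThreadContext aimed at Explorer.EXE is injection into the shell.
    """
    writes = {(e["pid"], e["target_pid"]) for e in events if e["kind"] == "write_memory"}
    findings = []
    for e in events:
        if e["kind"] != "set_thread_context":
            continue
        key = (e["pid"], e["target_pid"])
        if e["image"].lower() == e["target_image"].lower() and key in writes:
            findings.append(("process_hollowing", e["pid"], e["target_pid"]))
        elif e["target_image"].lower() == "explorer.exe":
            findings.append(("explorer_injection", e["pid"], e["target_pid"]))
    return findings


def detect_persistence(events):
    """Run-key values and files dropped into the Startup folder, with the
    value name or file name and the process that wrote them."""
    findings = []
    for e in events:
        if e["kind"] == "reg_set" and RUN_KEY_RE.search(e["path"]):
            findings.append(("run_key", e["pid"], e["path"].rsplit("\\", 1)[-1], e["value"]))
        elif e["kind"] == "file_create" and STARTUP_RE.search(e["path"]):
            findings.append(("startup_file", e["pid"], e["path"].rsplit("\\", 1)[-1], e["image"]))
    return findings


def detect_self_delete(events):
    """cmd.exe asked to delete a file whose name matches an image that ran in
    this trace: the dropper removing itself after handing off execution."""
    images = {e["image"].lower() for e in events}
    findings = []
    for e in events:
        if e["kind"] != "process_create" or e["image"].lower() != "cmd.exe":
            continue
        m = DEL_RE.search(e.get("cmdline", ""))
        if m and m.group(1).rsplit("\\", 1)[-1].lower() in images:
            findings.append(("self_delete", e["parent_pid"], m.group(1)))
    return findings


def analyze(events):
    """Run every rule and return the findings keyed by rule family."""
    return {
        "injection": detect_injection(events),
        "persistence": detect_persistence(events),
        "self_delete": detect_self_delete(events),
    }


if __name__ == "__main__":
    for family, hits in analyze(EVENTS).items():
        for hit in hits:
            print(family, *hit)
```

The hollowing rule deliberately requires both a memory write and a thread-context change on the same source/target pair; a parent writing into a child on its own is too common to alert on. The Run-key pattern covers Policies\Explorer\Run because, as this report shows, a sample can avoid the HKCU and HKLM Run keys that most checklists inspect.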
Processes
(PIDs are taken from the signature tables above; the bracketed number is the depth in the process tree.)
[1] C:\Windows\Explorer.EXE (PID 1320)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Remittance advice.exe (PID 1032)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Remittance advice.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
    [3] C:\Windows\SysWOW64\notepad.exe (PID 732)
        Command line: "C:\Windows\system32\notepad.exe"
        - Drops startup file
    [3] C:\Users\Admin\AppData\Local\Temp\Remittance advice.exe (PID 1052)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Remittance advice.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\help.exe (PID 1492)
      Command line: "C:\Windows\SysWOW64\help.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in Program Files directory
      - System policy modification
      - Suspicious behavior: MapViewOfSection
      - Modifies Internet Explorer settings
      - Suspicious use of WriteProcessMemory
      - Adds Run entry to policy start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe (PID 1348)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Remittance advice.exe"
        - Deletes itself
    [3] C:\Program Files\Mozilla Firefox\Firefox.exe (PID 560)
        Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
- C:\Users\Admin\AppData\Roaming\5L3Q2S75\5L3logim.jpeg
- C:\Users\Admin\AppData\Roaming\5L3Q2S75\5L3logrf.ini
- C:\Users\Admin\AppData\Roaming\5L3Q2S75\5L3logri.ini
- C:\Users\Admin\AppData\Roaming\5L3Q2S75\5L3logrv.ini

Memory dumps (PID 560 = Firefox.exe, PID 732 = notepad.exe, PID 1052 = second instance of Remittance advice.exe, PID 1348 = cmd.exe, PID 1492 = help.exe, per the process tree above):
- memory/560-9-0x0000000000000000-mapping.dmp
- memory/560-10-0x000000013FB80000-0x000000013FC13000-memory.dmp (Filesize 588KB)
- memory/732-1-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize 4KB)
- memory/732-0-0x0000000000000000-mapping.dmp
- memory/1052-3-0x000000000041E290-mapping.dmp
- memory/1052-2-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
- memory/1348-6-0x0000000000000000-mapping.dmp
- memory/1492-8-0x00000000032C0000-0x000000000338E000-memory.dmp (Filesize 824KB)
- memory/1492-7-0x0000000000730000-0x0000000000836000-memory.dmp (Filesize 1.0MB)
- memory/1492-5-0x00000000002B0000-0x00000000002B6000-memory.dmp (Filesize 24KB)
- memory/1492-4-0x0000000000000000-mapping.dmp