Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7 -
submitted
12-07-2020 19:40
General
-
Target
SecuriteInfo.com.Trojan.DownLoader33.63103.7154.21167.exe
-
Size
1.2MB
-
MD5
6c828880cf1a66e50d5f9f199421c069
-
SHA1
d6bad18b6025d9bea349f178bcbf416010c3b4bd
-
SHA256
f8185c5af3e891bdb81a646bb410777393f7ba6db6f4fc0727948c4b95264334
-
SHA512
1dc753ec63419e7fa8773fdc1b4da3d026217fbde17ef4eb86ee5e965c312bcc75d1cf1f44a9512c147fa3893b6a2b001d44dbf42fd4f3d972b27bbe31be462a
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious use of WriteProcessMemory 515 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader33.63103.7154.21167.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader33.63103.7154.21167.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Public\Natso.bat3⤵
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Public\Runex.bat3⤵
-
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Natso.batMD5
5cc1682955fd9f5800a8f1530c9a4334
SHA1e09b6a4d729f2f4760ee42520ec30c3192c85548
SHA2565562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
SHA51280767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6
-
C:\Users\Public\Runex.batMD5
f6828e22e6abe87c624e4683fac5889b
SHA1b93d63354d4ddb226dab90955576a6d2cad05ba0
SHA256e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c
SHA51226afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1
-
memory/1088-124-0x0000000050480000-0x00000000504C0000-memory.dmpFilesize
256KB
-
memory/1412-0-0x0000000000000000-mapping.dmp
-
memory/1412-1-0x0000000000000000-mapping.dmp
-
memory/1412-2-0x0000000000000000-mapping.dmp
-
memory/1412-3-0x0000000000000000-mapping.dmp
-
memory/1412-4-0x0000000000000000-mapping.dmp
-
memory/1412-5-0x0000000000000000-mapping.dmp
-
memory/1412-6-0x0000000000000000-mapping.dmp
-
memory/1412-7-0x0000000000000000-mapping.dmp
-
memory/1412-8-0x0000000000000000-mapping.dmp
-
memory/1412-9-0x0000000000000000-mapping.dmp
-
memory/1412-10-0x0000000000000000-mapping.dmp
-
memory/1412-11-0x0000000000000000-mapping.dmp
-
memory/1412-12-0x0000000000000000-mapping.dmp
-
memory/1412-13-0x0000000000000000-mapping.dmp
-
memory/1412-14-0x0000000000000000-mapping.dmp
-
memory/1412-15-0x0000000000000000-mapping.dmp
-
memory/1412-16-0x0000000000000000-mapping.dmp
-
memory/1412-17-0x0000000000000000-mapping.dmp
-
memory/1412-18-0x0000000000000000-mapping.dmp
-
memory/1412-19-0x0000000000000000-mapping.dmp
-
memory/1412-20-0x0000000000000000-mapping.dmp
-
memory/1412-21-0x0000000000000000-mapping.dmp
-
memory/1412-22-0x0000000000000000-mapping.dmp
-
memory/1412-23-0x0000000000000000-mapping.dmp
-
memory/1412-24-0x0000000000000000-mapping.dmp
-
memory/1412-25-0x0000000000000000-mapping.dmp
-
memory/1412-26-0x0000000000000000-mapping.dmp
-
memory/1412-27-0x0000000000000000-mapping.dmp
-
memory/1412-28-0x0000000000000000-mapping.dmp
-
memory/1412-29-0x0000000000000000-mapping.dmp
-
memory/1412-30-0x0000000000000000-mapping.dmp
-
memory/1412-31-0x0000000000000000-mapping.dmp
-
memory/1412-32-0x0000000000000000-mapping.dmp
-
memory/1412-33-0x0000000000000000-mapping.dmp
-
memory/1412-34-0x0000000000000000-mapping.dmp
-
memory/1412-35-0x0000000000000000-mapping.dmp
-
memory/1412-36-0x0000000000000000-mapping.dmp
-
memory/1412-37-0x0000000000000000-mapping.dmp
-
memory/1412-38-0x0000000000000000-mapping.dmp
-
memory/1412-39-0x0000000000000000-mapping.dmp
-
memory/1412-40-0x0000000000000000-mapping.dmp
-
memory/1412-41-0x0000000000000000-mapping.dmp
-
memory/1412-42-0x0000000000000000-mapping.dmp
-
memory/1412-43-0x0000000000000000-mapping.dmp
-
memory/1412-44-0x0000000000000000-mapping.dmp
-
memory/1412-45-0x0000000000000000-mapping.dmp
-
memory/1412-46-0x0000000000000000-mapping.dmp
-
memory/1412-47-0x0000000000000000-mapping.dmp
-
memory/1412-48-0x0000000000000000-mapping.dmp
-
memory/1412-49-0x0000000000000000-mapping.dmp
-
memory/1412-50-0x0000000000000000-mapping.dmp
-
memory/1412-51-0x0000000000000000-mapping.dmp
-
memory/1412-52-0x0000000000000000-mapping.dmp
-
memory/1412-53-0x0000000000000000-mapping.dmp
-
memory/1412-54-0x0000000000000000-mapping.dmp
-
memory/1412-55-0x0000000000000000-mapping.dmp
-
memory/1412-56-0x0000000000000000-mapping.dmp
-
memory/1412-57-0x0000000000000000-mapping.dmp
-
memory/1412-58-0x0000000000000000-mapping.dmp
-
memory/1412-59-0x0000000000000000-mapping.dmp
-
memory/1412-60-0x0000000000000000-mapping.dmp
-
memory/1412-61-0x0000000000000000-mapping.dmp
-
memory/1412-62-0x0000000000000000-mapping.dmp
-
memory/1412-63-0x0000000000000000-mapping.dmp
-
memory/1412-64-0x0000000000000000-mapping.dmp
-
memory/1412-65-0x0000000000000000-mapping.dmp
-
memory/1412-66-0x0000000000000000-mapping.dmp
-
memory/1412-67-0x0000000000000000-mapping.dmp
-
memory/1412-68-0x0000000000000000-mapping.dmp
-
memory/1412-69-0x0000000000000000-mapping.dmp
-
memory/1412-70-0x0000000000000000-mapping.dmp
-
memory/1412-71-0x0000000000000000-mapping.dmp
-
memory/1412-72-0x0000000000000000-mapping.dmp
-
memory/1412-73-0x0000000000000000-mapping.dmp
-
memory/1412-74-0x0000000000000000-mapping.dmp
-
memory/1412-75-0x0000000000000000-mapping.dmp
-
memory/1412-76-0x0000000000000000-mapping.dmp
-
memory/1412-77-0x0000000000000000-mapping.dmp
-
memory/1412-78-0x0000000000000000-mapping.dmp
-
memory/1412-79-0x0000000000000000-mapping.dmp
-
memory/1412-80-0x0000000000000000-mapping.dmp
-
memory/1412-81-0x0000000000000000-mapping.dmp
-
memory/1412-82-0x0000000000000000-mapping.dmp
-
memory/1412-83-0x0000000000000000-mapping.dmp
-
memory/1412-84-0x0000000000000000-mapping.dmp
-
memory/1412-85-0x0000000000000000-mapping.dmp
-
memory/1412-86-0x0000000000000000-mapping.dmp
-
memory/1412-87-0x0000000000000000-mapping.dmp
-
memory/1412-88-0x0000000000000000-mapping.dmp
-
memory/1412-89-0x0000000000000000-mapping.dmp
-
memory/1412-90-0x0000000000000000-mapping.dmp
-
memory/1412-91-0x0000000000000000-mapping.dmp
-
memory/1412-92-0x0000000000000000-mapping.dmp
-
memory/1412-93-0x0000000000000000-mapping.dmp
-
memory/1412-94-0x0000000000000000-mapping.dmp
-
memory/1412-95-0x0000000000000000-mapping.dmp
-
memory/1412-96-0x0000000000000000-mapping.dmp
-
memory/1412-97-0x0000000000000000-mapping.dmp
-
memory/1412-98-0x0000000000000000-mapping.dmp
-
memory/1412-99-0x0000000000000000-mapping.dmp
-
memory/1412-100-0x0000000000000000-mapping.dmp
-
memory/1412-101-0x0000000000000000-mapping.dmp
-
memory/1412-102-0x0000000000000000-mapping.dmp
-
memory/1412-103-0x0000000000000000-mapping.dmp
-
memory/1412-104-0x0000000000000000-mapping.dmp
-
memory/1412-105-0x0000000000000000-mapping.dmp
-
memory/1412-106-0x0000000000000000-mapping.dmp
-
memory/1412-107-0x0000000000000000-mapping.dmp
-
memory/1412-108-0x0000000000000000-mapping.dmp
-
memory/1412-109-0x0000000000000000-mapping.dmp
-
memory/1412-110-0x0000000000000000-mapping.dmp
-
memory/1412-111-0x0000000000000000-mapping.dmp
-
memory/1412-112-0x0000000000000000-mapping.dmp
-
memory/1412-113-0x0000000000000000-mapping.dmp
-
memory/1412-114-0x0000000000000000-mapping.dmp
-
memory/1412-115-0x0000000000000000-mapping.dmp
-
memory/1412-116-0x0000000000000000-mapping.dmp
-
memory/1412-117-0x0000000000000000-mapping.dmp
-
memory/1412-118-0x0000000000000000-mapping.dmp
-
memory/1412-119-0x0000000000000000-mapping.dmp
-
memory/1412-120-0x0000000000000000-mapping.dmp
-
memory/1412-121-0x0000000000000000-mapping.dmp
-
memory/1412-122-0x0000000000000000-mapping.dmp
-
memory/1412-123-0x0000000000000000-mapping.dmp
-
memory/1412-125-0x0000000000000000-mapping.dmp
-
memory/2224-126-0x0000000000000000-mapping.dmp
-
memory/2236-127-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2236-128-0x000000000040DC84-mapping.dmp
-
memory/2236-129-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/2340-130-0x0000000000000000-mapping.dmp
-
memory/2400-133-0x0000000000000000-mapping.dmp