Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 11:12
Static task: static1
Behavioral task: behavioral1
- Sample: 24c2540e588585a4daf8b3fe1112a78d.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 24c2540e588585a4daf8b3fe1112a78d.exe
- Resource: win10v200722
General
- Target: 24c2540e588585a4daf8b3fe1112a78d.exe
- Size: 1.0MB
- MD5: 24c2540e588585a4daf8b3fe1112a78d
- SHA1: d48b28ebb1a010eae20a10aa4d1d6c5a79ea6f96
- SHA256: 08fe7e61eafc062a5f50981fae0f578442cdfd31a00e2398389c8bea37485f02
- SHA512: d1add494d6d6e658126d7fbd35c9b1adfa54e0417125ff55d1ab9290fb0670ad97fa723e5764b6cc06082968f7b1267ebfccd53e9cbee112b0c9cface2021923
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: 24c2540e588585a4daf8b3fe1112a78d.exe
  description: Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Prhc = "C:\\Users\\Admin\\AppData\\Local\\Prhc.url"
  process: 24c2540e588585a4daf8b3fe1112a78d.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 24c2540e588585a4daf8b3fe1112a78d.exe
  description: PID 112 set thread context of 684; pid: 112; process: 24c2540e588585a4daf8b3fe1112a78d.exe; target process: ieinstal.exe
- Modifies registry key (1 TTPs, 3 IoCs)
- Suspicious use of WriteProcessMemory (511 IoCs)
  Processes: 24c2540e588585a4daf8b3fe1112a78d.exe
  description: PID 112 wrote to memory of 1932; pid: 112; process: 24c2540e588585a4daf8b3fe1112a78d.exe; target process: Notepad.exe (this entry is listed repeatedly, identically, in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\24c2540e588585a4daf8b3fe1112a78d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\24c2540e588585a4daf8b3fe1112a78d.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Notepad.exe
    command line: "C:\Windows\System32\Notepad.exe"
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Public\Natso.bat
      - C:\Windows\SysWOW64\reg.exe
        command line: reg delete hkcu\Environment /v windir /f
        - Modifies registry key
      - C:\Windows\SysWOW64\reg.exe
        command line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "
        - Modifies registry key
      - C:\Windows\SysWOW64\schtasks.exe
        command line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
      - C:\Windows\SysWOW64\reg.exe
        command line: reg delete hkcu\Environment /v windir /f
        - Modifies registry key
    - C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c C:\Users\Public\Natso.bat
  - C:\Program Files (x86)\internet explorer\ieinstal.exe
    command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Natso.bat
  MD5: 5cc1682955fd9f5800a8f1530c9a4334
  SHA1: e09b6a4d729f2f4760ee42520ec30c3192c85548
  SHA256: 5562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
  SHA512: 80767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6
- memory/112-120-0x0000000050480000-0x000000005049A000-memory.dmp (Filesize: 104KB)
- memory/684-129-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/684-127-0x000000000040DC84-mapping.dmp
- memory/684-126-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/928-131-0x0000000000000000-mapping.dmp
- memory/980-124-0x0000000000000000-mapping.dmp
- memory/1164-128-0x0000000000000000-mapping.dmp
- memory/1516-125-0x0000000000000000-mapping.dmp
- memory/1820-130-0x0000000000000000-mapping.dmp
- memory/1880-122-0x0000000000000000-mapping.dmp
- memory/1932-61-0x0000000000000000-mapping.dmp
- memory/1932-56-0x0000000000000000-mapping.dmp
- memory/1932-8-0x0000000000000000-mapping.dmp
- memory/1932-9-0x0000000000000000-mapping.dmp
- memory/1932-10-0x0000000000000000-mapping.dmp
- memory/1932-11-0x0000000000000000-mapping.dmp
- memory/1932-12-0x0000000000000000-mapping.dmp
- memory/1932-13-0x0000000000000000-mapping.dmp
- memory/1932-14-0x0000000000000000-mapping.dmp
- memory/1932-15-0x0000000000000000-mapping.dmp
- memory/1932-16-0x0000000000000000-mapping.dmp
- memory/1932-68-0x0000000000000000-mapping.dmp
- memory/1932-18-0x0000000000000000-mapping.dmp
- memory/1932-19-0x0000000000000000-mapping.dmp
- memory/1932-20-0x0000000000000000-mapping.dmp
- memory/1932-21-0x0000000000000000-mapping.dmp
- memory/1932-22-0x0000000000000000-mapping.dmp
- memory/1932-23-0x0000000000000000-mapping.dmp
- memory/1932-24-0x0000000000000000-mapping.dmp
- memory/1932-25-0x0000000000000000-mapping.dmp
- memory/1932-26-0x0000000000000000-mapping.dmp
- memory/1932-27-0x0000000000000000-mapping.dmp
- memory/1932-28-0x0000000000000000-mapping.dmp
- memory/1932-29-0x0000000000000000-mapping.dmp
- memory/1932-30-0x0000000000000000-mapping.dmp
- memory/1932-31-0x0000000000000000-mapping.dmp
- memory/1932-32-0x0000000000000000-mapping.dmp
- memory/1932-33-0x0000000000000000-mapping.dmp
- memory/1932-34-0x0000000000000000-mapping.dmp
- memory/1932-35-0x0000000000000000-mapping.dmp
- memory/1932-36-0x0000000000000000-mapping.dmp
- memory/1932-37-0x0000000000000000-mapping.dmp
- memory/1932-66-0x0000000000000000-mapping.dmp
- memory/1932-39-0x0000000000000000-mapping.dmp
- memory/1932-40-0x0000000000000000-mapping.dmp
- memory/1932-41-0x0000000000000000-mapping.dmp
- memory/1932-42-0x0000000000000000-mapping.dmp
- memory/1932-43-0x0000000000000000-mapping.dmp
- memory/1932-44-0x0000000000000000-mapping.dmp
- memory/1932-45-0x0000000000000000-mapping.dmp
- memory/1932-46-0x0000000000000000-mapping.dmp
- memory/1932-47-0x0000000000000000-mapping.dmp
- memory/1932-48-0x0000000000000000-mapping.dmp
- memory/1932-49-0x0000000000000000-mapping.dmp
- memory/1932-50-0x0000000000000000-mapping.dmp
- memory/1932-51-0x0000000000000000-mapping.dmp
- memory/1932-52-0x0000000000000000-mapping.dmp
- memory/1932-53-0x0000000000000000-mapping.dmp
- memory/1932-54-0x0000000000000000-mapping.dmp
- memory/1932-55-0x0000000000000000-mapping.dmp
- memory/1932-67-0x0000000000000000-mapping.dmp
- memory/1932-57-0x0000000000000000-mapping.dmp
- memory/1932-58-0x0000000000000000-mapping.dmp
- memory/1932-59-0x0000000000000000-mapping.dmp
- memory/1932-60-0x0000000000000000-mapping.dmp
- memory/1932-6-0x0000000000000000-mapping.dmp
- memory/1932-62-0x0000000000000000-mapping.dmp
- memory/1932-63-0x0000000000000000-mapping.dmp
- memory/1932-64-0x0000000000000000-mapping.dmp
- memory/1932-65-0x0000000000000000-mapping.dmp
- memory/1932-38-0x0000000000000000-mapping.dmp
- memory/1932-7-0x0000000000000000-mapping.dmp
- memory/1932-17-0x0000000000000000-mapping.dmp
- memory/1932-69-0x0000000000000000-mapping.dmp
- memory/1932-70-0x0000000000000000-mapping.dmp
- memory/1932-71-0x0000000000000000-mapping.dmp
- memory/1932-72-0x0000000000000000-mapping.dmp
- memory/1932-73-0x0000000000000000-mapping.dmp
- memory/1932-74-0x0000000000000000-mapping.dmp
- memory/1932-75-0x0000000000000000-mapping.dmp
- memory/1932-76-0x0000000000000000-mapping.dmp
- memory/1932-77-0x0000000000000000-mapping.dmp
- memory/1932-78-0x0000000000000000-mapping.dmp
- memory/1932-79-0x0000000000000000-mapping.dmp
- memory/1932-80-0x0000000000000000-mapping.dmp
- memory/1932-81-0x0000000000000000-mapping.dmp
- memory/1932-82-0x0000000000000000-mapping.dmp
- memory/1932-83-0x0000000000000000-mapping.dmp
- memory/1932-84-0x0000000000000000-mapping.dmp
- memory/1932-85-0x0000000000000000-mapping.dmp
- memory/1932-86-0x0000000000000000-mapping.dmp
- memory/1932-87-0x0000000000000000-mapping.dmp
- memory/1932-88-0x0000000000000000-mapping.dmp
- memory/1932-89-0x0000000000000000-mapping.dmp
- memory/1932-90-0x0000000000000000-mapping.dmp
- memory/1932-91-0x0000000000000000-mapping.dmp
- memory/1932-92-0x0000000000000000-mapping.dmp
- memory/1932-93-0x0000000000000000-mapping.dmp
- memory/1932-94-0x0000000000000000-mapping.dmp
- memory/1932-95-0x0000000000000000-mapping.dmp
- memory/1932-96-0x0000000000000000-mapping.dmp
- memory/1932-97-0x0000000000000000-mapping.dmp
- memory/1932-98-0x0000000000000000-mapping.dmp
- memory/1932-99-0x0000000000000000-mapping.dmp
- memory/1932-100-0x0000000000000000-mapping.dmp
- memory/1932-101-0x0000000000000000-mapping.dmp
- memory/1932-102-0x0000000000000000-mapping.dmp
- memory/1932-103-0x0000000000000000-mapping.dmp
- memory/1932-104-0x0000000000000000-mapping.dmp
- memory/1932-105-0x0000000000000000-mapping.dmp
- memory/1932-106-0x0000000000000000-mapping.dmp
- memory/1932-107-0x0000000000000000-mapping.dmp
- memory/1932-108-0x0000000000000000-mapping.dmp
- memory/1932-109-0x0000000000000000-mapping.dmp
- memory/1932-110-0x0000000000000000-mapping.dmp
- memory/1932-111-0x0000000000000000-mapping.dmp
- memory/1932-112-0x0000000000000000-mapping.dmp
- memory/1932-113-0x0000000000000000-mapping.dmp
- memory/1932-114-0x0000000000000000-mapping.dmp
- memory/1932-115-0x0000000000000000-mapping.dmp
- memory/1932-116-0x0000000000000000-mapping.dmp
- memory/1932-5-0x0000000000000000-mapping.dmp
- memory/1932-4-0x0000000000000000-mapping.dmp
- memory/1932-3-0x0000000000000000-mapping.dmp
- memory/1932-2-0x0000000000000000-mapping.dmp
- memory/1932-1-0x0000000000000000-mapping.dmp
- memory/1932-0-0x0000000000000000-mapping.dmp
- memory/1932-117-0x0000000000000000-mapping.dmp
- memory/1932-118-0x0000000000000000-mapping.dmp
- memory/1932-119-0x0000000000000000-mapping.dmp
- memory/1932-121-0x0000000000000000-mapping.dmp