Analysis
max time kernel: 151s
max time network: 139s
platform: windows7_x64
resource: win7v20201028
submitted: 09-11-2020 19:37
Behavioral task behavioral1
Sample: CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Resource: win7v20201028

Behavioral task behavioral2
Sample: CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Resource: win10v20201028
General
Target: CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
Size: 372KB
MD5: a962399ee6a55b52ad2432702a800597
SHA1: 2ae09b6b627b86bb4a6e2e7b2d33fdc6f8e1579f
SHA256: 329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5
SHA512: 7914d464cbba0de5392a19d9bd986be7246fca19d15cad5303cf81f1a9dd56cbf94729bd5d1f7f2b2b3e0cb545bb689cc6114b8ee08a8c508c4f8d1eeb86b8a6
Malware Config
Extracted family: remcos
Host from extracted config: thankyoulord.ddns.net:5050
Signatures
- CoreEntity .NET Packer (1 IoC)
  A .NET packer, CoreEntity, that embeds the payload as a Bitmap object which is later decrypted.
  Matches (resource / yara_rule):
  behavioral1/memory/1848-4-0x0000000000230000-0x0000000000233000-memory.dmp  |  coreentity
  behavioral1/memory/1848-5-0x0000000007330000-0x0000000007357000-memory.dmp  |  rezer0
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / process / target process:
  PID 1848 set thread context of 960  |  1848  |  CONFIRMACION DEL PEDIDO CVE6535,PDF.exe  |  vbc.exe
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description / pid / process:
  Token: SeDebugPrivilege  |  1848  |  CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / process:
  1848  |  CONFIRMACION DEL PEDIDO CVE6535,PDF.exe  (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / process / target process:
  PID 1848 wrote to memory of 1448  |  1848  |  CONFIRMACION DEL PEDIDO CVE6535,PDF.exe  |  schtasks.exe  (4 entries)
  PID 1848 wrote to memory of 960  |  1848  |  CONFIRMACION DEL PEDIDO CVE6535,PDF.exe  |  vbc.exe  (11 entries)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp"
    - Creates scheduled task(s)
  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "{path}"
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp4A5B.tmp
  MD5: 6f034f247ff434fdf03cbe467d528312
  SHA1: 894bae0158a82ede3c4c8e48349d49f621cf9032
  SHA256: 68a695d53c232920102c555e384bcbc6efc6eac421011b4ceaf9b30c2ce6fd7d
  SHA512: 43d86aab0e7e4565dad4abddc9a1645030fa2ab9c6a26359f7ed0d1354212fcae11ca535299eaecad6998b9c7a8a9fd3be0e6cea01cc3e5e78ba9707464b3fe1

memory/960-8-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/960-9-0x0000000000413A84-mapping.dmp
memory/960-10-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
memory/1448-6-0x0000000000000000-mapping.dmp
memory/1848-0-0x00000000742C0000-0x00000000749AE000-memory.dmp
  Filesize: 6.9MB
memory/1848-1-0x00000000008A0000-0x00000000008A1000-memory.dmp
  Filesize: 4KB
memory/1848-4-0x0000000000230000-0x0000000000233000-memory.dmp
  Filesize: 12KB
memory/1848-5-0x0000000007330000-0x0000000007357000-memory.dmp
  Filesize: 156KB
memory/1984-3-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp
  Filesize: 2.5MB