Analysis
- max time kernel: 151s
- max time network: 132s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:37
Behavioral tasks
- behavioral1: Sample "CONFIRMACION DEL PEDIDO CVE6535,PDF.exe", Resource win7v20201028
- behavioral2: Sample "CONFIRMACION DEL PEDIDO CVE6535,PDF.exe", Resource win10v20201028
General
- Target: CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
- Size: 372KB
- MD5: a962399ee6a55b52ad2432702a800597
- SHA1: 2ae09b6b627b86bb4a6e2e7b2d33fdc6f8e1579f
- SHA256: 329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5
- SHA512: 7914d464cbba0de5392a19d9bd986be7246fca19d15cad5303cf81f1a9dd56cbf94729bd5d1f7f2b2b3e0cb545bb689cc6114b8ee08a8c508c4f8d1eeb86b8a6
Malware Config
- Extracted: remcos
  thankyoulord.ddns.net:5050
Signatures
- CoreEntity .NET Packer (1 IoCs)
  A .NET packer called CoreEntity, which embeds the payload as a BitMap object that is later decrypted.
  Processes:
    resource                                                                   | yara_rule
    behavioral2/memory/2432-6-0x0000000002A80000-0x0000000002A83000-memory.dmp | coreentity
  Processes:
    resource                                                                   | yara_rule
    behavioral2/memory/2432-7-0x000000000A9B0000-0x000000000A9D7000-memory.dmp | rezer0
- Uses the VBS compiler for execution (1 TTPs)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                         | pid  | process                                 | target process
    PID 2432 set thread context of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid  | process
    2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
    2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                      | pid  | process                                 | target process
    PID 2432 wrote to memory of 3948 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | schtasks.exe
    PID 2432 wrote to memory of 3948 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | schtasks.exe
    PID 2432 wrote to memory of 3948 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | schtasks.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
    PID 2432 wrote to memory of 3124 | 2432 | CONFIRMACION DEL PEDIDO CVE6535,PDF.exe | vbc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CONFIRMACION DEL PEDIDO CVE6535,PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CfGuVGvIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC058.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC058.tmp
  MD5: e3b3df55dbac304978868a58e602b677
  SHA1: 42ba13f72c8cba8665b9ebf43468b95a12358bed
  SHA256: 1c92fbfb17d3a5ad0a27e600b9137015a4e06f59571feea3f07bdd1f6e1566fe
  SHA512: 6a394c04557cbe460af948178454af43c4d31d8e8b0216f9778c9a0be3a9130e500fc7102b6aaaab9147d60bc4d78f5a48625c9923b2c10a05d7b55543c68a55
- memory/2432-4-0x0000000007560000-0x0000000007561000-memory.dmp (Filesize: 4KB)
- memory/2432-3-0x00000000079C0000-0x00000000079C1000-memory.dmp (Filesize: 4KB)
- memory/2432-0-0x0000000073970000-0x000000007405E000-memory.dmp (Filesize: 6.9MB)
- memory/2432-5-0x0000000007520000-0x0000000007521000-memory.dmp (Filesize: 4KB)
- memory/2432-6-0x0000000002A80000-0x0000000002A83000-memory.dmp (Filesize: 12KB)
- memory/2432-7-0x000000000A9B0000-0x000000000A9D7000-memory.dmp (Filesize: 156KB)
- memory/2432-8-0x000000000AA80000-0x000000000AA81000-memory.dmp (Filesize: 4KB)
- memory/2432-1-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize: 4KB)
- memory/3124-11-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3124-12-0x0000000000413A84-mapping.dmp
- memory/3124-13-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
- memory/3948-9-0x0000000000000000-mapping.dmp