Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 06:03
Static task: static1
Behavioral task: behavioral1
  Sample: z9ERDG51.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: z9ERDG51.exe
  Resource: win10v20201028
General
- Target: z9ERDG51.exe
- Size: 92KB
- MD5: cc6a463987484ace0a9f98e327c85c2b
- SHA1: 1867031e6a7d7057d7d96cfd4ad99eba14afde1e
- SHA256: 08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3
- SHA512: 9e8286d422cb012826eeb390073cbeb58b8685b86befd3b620dfce0b5e489db04ce15f91682cd000ac8508ea54e474935eaad3ef6aeaf7d6f4de159609bc9e19
Malware Config
Extracted
- Family: remcos
- C2: 185.185.3.40:2404
Signatures
- Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
  Processes: z9ERDG51.exe, system32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | z9ERDG51.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | z9ERDG51.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | system32.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: z9ERDG51.exe, system32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | z9ERDG51.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system32 = "\"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | z9ERDG51.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\system32 = "\"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | system32.exe
- Executes dropped EXE (1 IoCs)
  Processes: system32.exe
  pid | process
  4060 | system32.exe
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: z9ERDG51.exe, system32.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | z9ERDG51.exe
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | system32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | system32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | system32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | system32.exe
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | z9ERDG51.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\system32 = "\"C:\\Windows\\SysWOW64\\System32\\system32.exe\"" | z9ERDG51.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | z9ERDG51.exe
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes: system32.exe, z9ERDG51.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | system32.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ | z9ERDG51.exe
- Drops file in System32 directory (3 IoCs)
  Processes: z9ERDG51.exe
  description | ioc | process
  File created | C:\Windows\SysWOW64\System32\system32.exe | z9ERDG51.exe
  File opened for modification | C:\Windows\SysWOW64\System32\system32.exe | z9ERDG51.exe
  File opened for modification | C:\Windows\SysWOW64\System32 | z9ERDG51.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: z9ERDG51.exe, cmd.exe
  description | pid | process | target process
  PID 756 wrote to memory of 2408 | 756 | z9ERDG51.exe | cmd.exe
  PID 756 wrote to memory of 2408 | 756 | z9ERDG51.exe | cmd.exe
  PID 756 wrote to memory of 2408 | 756 | z9ERDG51.exe | cmd.exe
  PID 2408 wrote to memory of 2688 | 2408 | cmd.exe | PING.EXE
  PID 2408 wrote to memory of 2688 | 2408 | cmd.exe | PING.EXE
  PID 2408 wrote to memory of 2688 | 2408 | cmd.exe | PING.EXE
  PID 2408 wrote to memory of 4060 | 2408 | cmd.exe | system32.exe
  PID 2408 wrote to memory of 4060 | 2408 | cmd.exe | system32.exe
  PID 2408 wrote to memory of 4060 | 2408 | cmd.exe | system32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\z9ERDG51.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\z9ERDG51.exe"
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (level 3)
      Command line: PING 127.0.0.1 -n 2
      - Runs ping.exe
    - C:\Windows\SysWOW64\System32\system32.exe (level 3)
      Command line: "C:\Windows\SysWOW64\System32\system32.exe"
      - Modifies WinLogon for persistence
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies WinLogon
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  MD5: 0388d8b82bed97af63fc35118dedf1b5
  SHA1: 1befd7d16a9d58ff84d0c8782edd3c12c56991d7
  SHA256: 9153d5342603a00ad6030e5d20f3eb54a0470ba3fb6762d365b6a781e76dbd4a
  SHA512: d7648007e2673c5fd4f354abd0dfda70c9d7361ceb0e2ff191d46765c9a895f2cd5435db1357b0ad04085a8fd2ead798df76c183a83f814fe554c16223143d58
- C:\Windows\SysWOW64\System32\system32.exe
  MD5: cc6a463987484ace0a9f98e327c85c2b
  SHA1: 1867031e6a7d7057d7d96cfd4ad99eba14afde1e
  SHA256: 08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3
  SHA512: 9e8286d422cb012826eeb390073cbeb58b8685b86befd3b620dfce0b5e489db04ce15f91682cd000ac8508ea54e474935eaad3ef6aeaf7d6f4de159609bc9e19
- memory/2408-0-0x0000000000000000-mapping.dmp
- memory/2688-2-0x0000000000000000-mapping.dmp
- memory/4060-3-0x0000000000000000-mapping.dmp
- memory/4060-4-0x0000000000000000-mapping.dmp