Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-01-2021 18:00
- Static task: static1
- Behavioral task: behavioral1 (sample ACTION2021.scr, resource win7v20201028)
- Behavioral task: behavioral2 (sample ACTION2021.scr, resource win10v20201028)
General
- Target: ACTION2021.scr
- Size: 1.4MB
- MD5: c6ed7e791f0c36826d3c55e196dd7bd4
- SHA1: 97e94a141b7d479fd14373f724ce3232c2b0c429
- SHA256: c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
- SHA512: 17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f

Malware Config
- Extracted family: remcos
- Extracted host: masters4733.sytes.net:8686
Signatures
- Executes dropped EXE (4 IoCs)
  PID   Process
  844   start.exe
  344   start.exe
  1088  start.exe
  1236  start.exe
- Loads dropped DLL (2 IoCs)
  PID   Process
  556   cmd.exe
  556   cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: ACTION2021.scr)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "\"C:\\Users\\Admin\\AppData\\Roaming\\start\\start.exe\"" (process: ACTION2021.scr)
  - Key created: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (process: start.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\start = "\"C:\\Users\\Admin\\AppData\\Roaming\\start\\start.exe\"" (process: start.exe)
- Suspicious use of SetThreadContext (4 IoCs)
  PID   Target PID  Process         Target process
  848   1488        ACTION2021.scr  ACTION2021.scr
  844   344         start.exe       start.exe
  344   1088        start.exe       start.exe
  344   1236        start.exe       start.exe
- Modifies registry key (1 TTPs, 2 IoCs)
  (the process tree below shows reg.exe setting HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0)
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID   Process
  848   ACTION2021.scr
  848   ACTION2021.scr
  1088  start.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Description               PID   Process
  Token: SeDebugPrivilege   848   ACTION2021.scr
- Suspicious use of SetWindowsHookEx (1 IoCs)
  PID   Process
  344   start.exe
- Suspicious use of WriteProcessMemory (76 IoCs)
  Identical consecutive "wrote to memory of" events are collapsed; the last column gives the number of times each event appears in the report.
  PID   Target PID  Process         Target process   Events
  848   1448        ACTION2021.scr  ACTION2021.scr   4
  848   1488        ACTION2021.scr  ACTION2021.scr   11
  1488  880         ACTION2021.scr  cmd.exe          4
  880   1536        cmd.exe         reg.exe          4
  1488  1580        ACTION2021.scr  WScript.exe      4
  1580  556         WScript.exe     cmd.exe          4
  556   844         cmd.exe         start.exe        4
  844   344         start.exe       start.exe        11
  344   560         start.exe       cmd.exe          4
  560   1332        cmd.exe         reg.exe          4
  344   1088        start.exe       start.exe        9
  344   800         start.exe       start.exe        1
Processes
(the bracketed number is the nesting depth in the process tree; indented "-" lines under a process are the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr
    Command line: "C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr" /S
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr"

  [2] C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr
      Command line: "C:\Users\Admin\AppData\Local\Temp\ACTION2021.scr"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\reg.exe
          Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - Modifies registry key

    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\start\start.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Roaming\start\start.exe
            Command line: C:\Users\Admin\AppData\Roaming\start\start.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

          [6] C:\Users\Admin\AppData\Roaming\start\start.exe
              Command line: "C:\Users\Admin\AppData\Roaming\start\start.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                - Suspicious use of WriteProcessMemory

              [8] C:\Windows\SysWOW64\reg.exe
                  Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  - Modifies registry key

            [7] C:\Users\Admin\AppData\Roaming\start\start.exe
                Command line: C:\Users\Admin\AppData\Roaming\start\start.exe /stext "C:\Users\Admin\AppData\Local\Temp\yhcamtbcvyceyiwjqivyusqjl"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses

            [7] C:\Users\Admin\AppData\Roaming\start\start.exe
                Command line: C:\Users\Admin\AppData\Roaming\start\start.exe /stext "C:\Users\Admin\AppData\Local\Temp\ldvdnexxfomvlcgzqdctisgjcsaaoaic"
                - Executes dropped EXE

            [7] C:\Users\Admin\AppData\Roaming\start\start.exe
                Command line: C:\Users\Admin\AppData\Roaming\start\start.exe /stext "C:\Users\Admin\AppData\Local\Temp\jbitmmmvjgurjokvhtqzfflaueqrv"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: a9df62f02c776af7a9eb2a1f9a4fb408
  SHA1: e6f5add446a134ff353d10eff8ea26f30b7cd839
  SHA256: 196620c6cc4a5f5382d44d597229d72ac5fe42e1e4e9faa63527d414fedc8e86
  SHA512: 8c7d143dc9c623246148b8e7dd8e0487fb6988a12e9614b37c48246e501c88c946001edcdf019201c89b8fe5dd3604674dfd8d96c4ae1b706ac48c64c09dae07
- C:\Users\Admin\AppData\Local\Temp\yhcamtbcvyceyiwjqivyusqjl
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- C:\Users\Admin\AppData\Roaming\start\start.exe
  (listed five times under this path and twice as \Users\Admin\AppData\Roaming\start\start.exe, every time with the hashes below, which are identical to those of the submitted sample: the dropped file is a copy of ACTION2021.scr)
  MD5: c6ed7e791f0c36826d3c55e196dd7bd4
  SHA1: 97e94a141b7d479fd14373f724ce3232c2b0c429
  SHA256: c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e
  SHA512: 17b21afde88b6d4ebb2340da7fb506ee62da93172e62e8da7bd4cf505fbe0df305f65523b555b9804d938411f00571a2718ec4ca900482c264173e2a42121a4f
- memory/344-26-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/344-24-0x0000000000413FA4-mapping.dmp
- memory/556-13-0x0000000000000000-mapping.dmp
- memory/560-27-0x0000000000000000-mapping.dmp
- memory/844-17-0x0000000000000000-mapping.dmp
- memory/844-19-0x0000000074850000-0x0000000074F3E000-memory.dmp (6.9MB)
- memory/844-20-0x0000000000960000-0x0000000000961000-memory.dmp (4KB)
- memory/848-2-0x00000000748D0000-0x0000000074FBE000-memory.dmp (6.9MB)
- memory/848-5-0x0000000000410000-0x000000000043C000-memory.dmp (176KB)
- memory/848-3-0x0000000001060000-0x0000000001061000-memory.dmp (4KB)
- memory/880-9-0x0000000000000000-mapping.dmp
- memory/1088-29-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/1088-33-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/1088-37-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)
- memory/1088-30-0x0000000000476274-mapping.dmp
- memory/1236-36-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
- memory/1236-32-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
- memory/1236-34-0x0000000000455238-mapping.dmp
- memory/1236-38-0x0000000000400000-0x0000000000457000-memory.dmp (348KB)
- memory/1332-28-0x0000000000000000-mapping.dmp
- memory/1488-8-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1488-7-0x0000000000413FA4-mapping.dmp
- memory/1488-6-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1536-10-0x0000000000000000-mapping.dmp
- memory/1576-39-0x000007FEF6580000-0x000007FEF67FA000-memory.dmp (2.5MB)
- memory/1580-11-0x0000000000000000-mapping.dmp