Analysis
- max time kernel: 65s
- max time network: 130s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-01-2021 08:22
- Static task: static1
- Behavioral task: behavioral1
- Sample: BID_TENDER_DOCUMENTS-#01.08.2020.exe
- Resource: win7v20201028
General
- Target: BID_TENDER_DOCUMENTS-#01.08.2020.exe
- Size: 778KB
- MD5: 1df1ba3f5339b6185d2588efb1d35859
- SHA1: db75794e44a59da19d4540257e8b4389cd31b87a
- SHA256: 200c65040041056006600f5a6ed2bbc3281a6e440a12d24a84544d65e157288e
- SHA512: 0fcbdb5b4c4eb8af7a6c0130226696b73e666fdf8fe40b351201963772d94e9898b7bbbcecac512a4746022bacc2f7fc59083390698d47e34c2beffe7151733b
Malware Config
- Extracted family: remcos
- Extracted C2 address: 212.83.46.26:4023
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 808 (BID_TENDER_DOCUMENTS-#01.08.2020.exe) set thread context of PID 1064 (BID_TENDER_DOCUMENTS-#01.08.2020.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  PID 808 (BID_TENDER_DOCUMENTS-#01.08.2020.exe) wrote to memory of PID 756 (schtasks.exe), 4 events
  PID 808 (BID_TENDER_DOCUMENTS-#01.08.2020.exe) wrote to memory of PID 1064 (BID_TENDER_DOCUMENTS-#01.08.2020.exe), 10 events
Processes
- C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe (PID 808)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 756), child of PID 808
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XvInCaX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe (PID 1064), child of PID 808
    Command line: "C:\Users\Admin\AppData\Local\Temp\BID_TENDER_DOCUMENTS-#01.08.2020.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp59B4.tmp
  MD5: 7c838f62bcd436d8f4842182a3c3fd22
  SHA1: 32fd1f16192246d3c96073f2c55deaa42c37d278
  SHA256: c2be7643cb66c0480614ee7717aa671f550830d329bca1a832dc9be9f869a3a3
  SHA512: fd8b7a5bc886c2acf838b83ec584c122fbf12b9d0da04eabbd1d44fb7b32845fc6c147ee73ab6be63cc36685f0f1e0f0a6797a6a2d66198d2b9cf583a9aefc3f
- memory/756-7-0x0000000000000000-mapping.dmp
- memory/808-2-0x0000000073F40000-0x000000007462E000-memory.dmp (Filesize 6.9MB)
- memory/808-3-0x00000000013B0000-0x00000000013B1000-memory.dmp (Filesize 4KB)
- memory/808-5-0x00000000002D0000-0x00000000002E2000-memory.dmp (Filesize 72KB)
- memory/808-6-0x0000000005190000-0x0000000005205000-memory.dmp (Filesize 468KB)
- memory/1064-9-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize 92KB)
- memory/1064-10-0x000000000040FD88-mapping.dmp
- memory/1064-11-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize 92KB)