Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 11-01-2021 08:19

Static task: static1
Behavioral task: behavioral1
  Sample: Request ## HMI 8130-3##.pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Request ## HMI 8130-3##.pdf.exe
  Resource: win10v20201028
The signatures, process tree and dumps on this page come from behavioral1, the win7v20201028 run named under Platform/Resource above.

General

Target: Request ## HMI 8130-3##.pdf.exe
Size: 1013KB
MD5: d91456035c9e48c7b8da1ebcd4d6cdbc
SHA1: 65fae97ec1480deb5421bc967e316ce10977c9db
SHA256: 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642
SHA512: 8b614bb9b11fda452a39a8a86ddcd1d82d285f329063a8d4755fc1b6c0e46f92b9c7a79641f60ed4739fe4203b5a7e2fdeda9ee45e3cf0960c17b4ee9e6a9731
Note: the double extension (.pdf.exe) is the lure; with Explorer's default "Hide extensions for known file types" setting the file is shown as "Request ## HMI 8130-3##.pdf".
Malware Config

Extracted
  Family: remcos
  C2: richiealvin2021.duckdns.org:1989
Note: duckdns.org is a free dynamic-DNS service, so the address behind this hostname can change at any time; alert and block on the hostname and port, not on whatever it resolved to during the run.
Signatures

Executes dropped EXE (1 IoC)
  PID 1160  windows update.exe

Loads dropped DLL (1 IoC)
  PID 756  cmd.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
  vbc.exe  Key created      \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  vbc.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows update = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft office\\windows update.exe\""

Suspicious use of SetThreadContext (1 IoC)
  PID 1992 (Request ## HMI 8130-3##.pdf.exe) set thread context of PID 1928 (vbc.exe)
  Together with the 11 WriteProcessMemory calls from 1992 into 1928 listed below, this is the process-hollowing pattern: the dropper writes its payload into the freshly started vbc.exe and redirects a thread into it, so the Remcos code runs under the name of a Microsoft-signed .NET binary.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1992  Request ## HMI 8130-3##.pdf.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1992  Request ## HMI 8130-3##.pdf.exe  Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (30 IoCs, grouped by source and target; the count is the number of calls)
  PID 1992 (Request ## HMI 8130-3##.pdf.exe) wrote to memory of PID 752 (schtasks.exe)        x4
  PID 1992 (Request ## HMI 8130-3##.pdf.exe) wrote to memory of PID 1928 (vbc.exe)            x11
  PID 1928 (vbc.exe) wrote to memory of PID 1824 (WScript.exe)                                x4
  PID 1824 (WScript.exe) wrote to memory of PID 756 (cmd.exe)                                  x4
  PID 756 (cmd.exe) wrote to memory of PID 1160 (windows update.exe)                           x7
Processes

C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe
    cmd: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxVYDCoPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBA4.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
          cmd: "C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
          - Executes dropped EXE

Note: schtasks.exe, WScript.exe and cmd.exe are launched by their System32 path but execute from SysWOW64, and vbc.exe comes from the 32-bit Framework directory rather than Framework64: the dropper is a 32-bit process and WOW64 file-system redirection is rewriting the paths. Detection content keyed on the image path has to accept both forms.
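The signatures and process tree above give enough to write behavioural detections that do not depend on the sample's hashes. The block below is an added example, not part of the sandbox report: it runs five rules over hand-constructed Sysmon-style event records (process creation, registry value set, DNS query) modelled on this chain, plus one benign vbc.exe build invocation as a control. Field names follow Sysmon; the records themselves, the `USER_WRITABLE`/`TEMP_DIR` patterns and the `evaluate` function are assumptions made for the example. Sysmon does not log SetThreadContext, so the hollowing rule keys on its observable proxy here: vbc.exe started with no compiler arguments by a parent living in a user-writable directory.

```python
import re

# Path patterns used by the rules (assumptions for this example).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DYNDNS_SUFFIXES = (".duckdns.org",)  # the C2 provider in this report; extend as needed

# Constructed Sysmon-style records (event ID 1 = process create,
# 13 = registry value set, 22 = DNS query) modelled on the process tree above.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
SAMPLE_EVENTS = [
    {"id": 1, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"%s"' % DROPPER},
    {"id": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": DROPPER,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxVYDCoPb" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpBA4.tmp"'},
    {"id": 1, "Image": VBC, "ParentImage": DROPPER, "CommandLine": '"%s"' % VBC},
    {"id": 13, "Image": VBC,
     "TargetObject": r"HKU\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows update",
     "Details": r'"C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"'},
    {"id": 1, "Image": r"C:\Windows\SysWOW64\WScript.exe", "ParentImage": VBC,
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"id": 22, "Image": r"C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe",
     "QueryName": "richiealvin2021.duckdns.org"},
    # Benign control: a real build invoking the compiler with arguments.
    {"id": 1, "Image": VBC, "ParentImage": r"C:\Program Files\MSBuild\MSBuild.exe",
     "CommandLine": "vbc.exe /noconfig /out:app.exe Module1.vb"},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def hollowed_compiler(ev):
    """vbc.exe with no compiler arguments, spawned from a user-writable parent:
    a hollowing target, not a build step."""
    if ev["id"] != 1 or _base(ev["Image"]) != "vbc.exe":
        return None
    cmd = ev["CommandLine"].strip().strip('"').lower()
    if cmd.endswith("vbc.exe") and USER_WRITABLE.search(ev["ParentImage"]):
        return "vbc.exe launched without arguments from user-writable parent"
    return None


def schtasks_xml_from_temp(ev):
    """schtasks /Create fed a task definition that lives in %TEMP%."""
    if ev["id"] != 1 or _base(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if "/create" in cmd and "/xml" in cmd and TEMP_DIR.search(cmd):
        return "schtasks /Create with task XML in %TEMP%"
    return None


def run_key_to_appdata(ev):
    """Run value whose target executable sits under the user's AppData."""
    if ev["id"] != 13 or "\\currentversion\\run\\" not in ev["TargetObject"].lower():
        return None
    if USER_WRITABLE.search(ev["Details"]):
        return "Run key points into AppData: " + ev["Details"]
    return None


def wscript_from_temp(ev):
    """WScript executing a .vbs dropped in %TEMP%."""
    if ev["id"] != 1 or _base(ev["Image"]) != "wscript.exe":
        return None
    if TEMP_DIR.search(ev["CommandLine"]) and ".vbs" in ev["CommandLine"].lower():
        return "WScript running a .vbs from %TEMP%"
    return None


def dyndns_query(ev):
    """DNS lookup of a dynamic-DNS hostname (the Remcos C2 here)."""
    if ev["id"] != 22:
        return None
    if ev["QueryName"].lower().endswith(DYNDNS_SUFFIXES):
        return "DNS query to dynamic-DNS host " + ev["QueryName"]
    return None


RULES = (hollowed_compiler, schtasks_xml_from_temp, run_key_to_appdata,
         wscript_from_temp, dyndns_query)


def evaluate(events):
    """Return (rule name, image, message) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((rule.__name__, ev["Image"], msg))
    return hits


if __name__ == "__main__":
    for name, image, msg in evaluate(SAMPLE_EVENTS):
        print("%-24s %s: %s" % (name, _base(image), msg))
```

Each rule is deliberately narrow to the pattern seen in this run. For production use, widen `DYNDNS_SUFFIXES`, add the other .NET Framework binaries commonly hollowed by .NET loaders (csc.exe, RegAsm.exe, InstallUtil.exe, MSBuild.exe) to the compiler rule, and expect the Run-key and schtasks rules to be the noisiest of the five, since legitimate installers also write there.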
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5:    ecc04d2275a312f55c1ab894dc4dd602
  SHA1:   58e66fb27ffe1bf77d8afcd76540d008b34f6d0c
  SHA256: 964b848431157771cf78be4819cd22cb42b942a02a69f945b3e3af94a623b852
  SHA512: 308b25c650710da0831fa62a6883cc49904f9799468eb30fe02a64db11f3e90124c93c317a470d5b5c51aaeb6b50cb9d3c7f4f1205b2000a94093b6fcb84dbe5

C:\Users\Admin\AppData\Local\Temp\tmpBA4.tmp
  (the task definition passed to schtasks /XML in the process tree)
  MD5:    b5b7ef6551fc82c035bdb1f7fabd887b
  SHA1:   15df5d990fc3ecfeebdc7c62a20231b0ecef28d4
  SHA256: e14c861f5ac2822bc033426c0552abecc0b86d5e17a02a3f1f8aafd336f67d07
  SHA512: 69ce5004ebf65ff2677f6cf16f39e120d408e64f914fa1f79cbd6a306b57217a94680d6d08442c0a0e88daf1117dd2e4fd0afdcab97df675aef3d0269dcce96b

C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
  (listed twice under this path and once as \Users\Admin\AppData\Roaming\microsoft office\windows update.exe; all three entries carry the same hashes)
  MD5:    34aa912defa18c2c129f1e09d75c1d7e
  SHA1:   9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98
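The Downloads section gives three hashes per dropped file and the paths the files land in. The block below is an added example, not part of the report: it sweeps a user profile directory, hashes every file with MD5, SHA-1 and SHA-256 in a single read, and flags anything whose hash or location matches the report. The hash table is copied from the section above; the profile tree it runs on is constructed by `make_demo_tree()` with a placeholder at the drop path (not the real payload), and the function names are assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile

# Hashes copied from the Downloads section (md5, sha1, sha256 per dropped file).
DROPPED_HASHES = {
    "install.vbs": (
        "ecc04d2275a312f55c1ab894dc4dd602",
        "58e66fb27ffe1bf77d8afcd76540d008b34f6d0c",
        "964b848431157771cf78be4819cd22cb42b942a02a69f945b3e3af94a623b852",
    ),
    "tmpBA4.tmp": (
        "b5b7ef6551fc82c035bdb1f7fabd887b",
        "15df5d990fc3ecfeebdc7c62a20231b0ecef28d4",
        "e14c861f5ac2822bc033426c0552abecc0b86d5e17a02a3f1f8aafd336f67d07",
    ),
    "windows update.exe": (
        "34aa912defa18c2c129f1e09d75c1d7e",
        "9c3046324657505a30ecd9b1fdb46c05bde7d470",
        "6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386",
    ),
}
KNOWN_HASHES = {h for hashes in DROPPED_HASHES.values() for h in hashes}

# Drop locations from the report, matched against the path relative to the
# profile root so the sweep works on a mounted image as well as a live host.
DROP_PATHS = (
    re.compile(r"AppData[\\/]Roaming[\\/]microsoft office[\\/]windows update\.exe$", re.I),
    re.compile(r"AppData[\\/]Local[\\/]Temp[\\/]install\.vbs$", re.I),
)


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of one file, computed in a single pass."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests:
                d.update(chunk)
    return {d.hexdigest() for d in digests}


def sweep(profile_dir):
    """Map relative path -> reasons for every file matching a known hash or drop path."""
    findings = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, profile_dir)
            reasons = []
            if file_hashes(path) & KNOWN_HASHES:
                reasons.append("hash matches a dropped file")
            if any(p.search(rel) for p in DROP_PATHS):
                reasons.append("sits at a known drop path")
            if reasons:
                findings[rel] = reasons
    return findings


def make_demo_tree():
    """Constructed profile for the demo: a placeholder (not the real payload)
    at the Remcos drop path and one benign document."""
    base = tempfile.mkdtemp(prefix="profile_")
    drop = os.path.join(base, "AppData", "Roaming", "microsoft office")
    os.makedirs(drop)
    with open(os.path.join(drop, "windows update.exe"), "wb") as f:
        f.write(b"MZ placeholder - constructed for the example, not the sample")
    docs = os.path.join(base, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "w") as f:
        f.write("benign")
    return base


if __name__ == "__main__":
    for rel, why in sweep(make_demo_tree()).items():
        print(rel, "->", "; ".join(why))
```

A hash match is the strongest signal but stops working the moment the actor rebuilds the payload, which is why the path rule is there as well. On a live host also query the two persistence artifacts the report names: `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "windows update"` and `schtasks /Query /TN "Updates\fxVYDCoPb"`.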
Memory dumps

memory/752-2-0x0000000000000000-mapping.dmp
memory/756-9-0x0000000000000000-mapping.dmp
memory/1160-13-0x0000000000000000-mapping.dmp
memory/1824-7-0x0000000000000000-mapping.dmp
memory/1824-10-0x00000000026D0000-0x00000000026D4000-memory.dmp  (16KB)
memory/1928-6-0x0000000000400000-0x0000000000421000-memory.dmp   (132KB)
memory/1928-4-0x0000000000400000-0x0000000000421000-memory.dmp   (132KB)
memory/1928-5-0x0000000000413FA4-mapping.dmp

Note: the two 132KB dumps of PID 1928 (vbc.exe) cover 0x400000-0x421000, the default 32-bit image base, which is the region the dropper filled with its WriteProcessMemory calls before SetThreadContext. 0x413FA4 lies inside that region and is most likely the entry point the redirected thread was given, so these dumps hold the unpacked payload and are the ones to carve the Remcos configuration from.