Analysis
- max time kernel: 62s
- max time network: 106s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 11-01-2021 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: Request ## HMI 8130-3##.pdf.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Request ## HMI 8130-3##.pdf.exe
  Resource: win10v20201028
General
- Target: Request ## HMI 8130-3##.pdf.exe
- Size: 1013KB
- MD5: d91456035c9e48c7b8da1ebcd4d6cdbc
- SHA1: 65fae97ec1480deb5421bc967e316ce10977c9db
- SHA256: 059ac87b5d6736721984e912bc0dcca50506fba170787b6aedb85e94b9683642
- SHA512: 8b614bb9b11fda452a39a8a86ddcd1d82d285f329063a8d4755fc1b6c0e46f92b9c7a79641f60ed4739fe4203b5a7e2fdeda9ee45e3cf0960c17b4ee9e6a9731
Malware Config
Extracted
- Family: remcos
- C2: richiealvin2021.duckdns.org:1989
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 1608  windows update.exe
- Uses the VB.NET compiler (vbc.exe) as an execution host (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    vbc.exe  Key created      \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\
    vbc.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows update = "\"C:\\Users\\Admin\\AppData\\Roaming\\microsoft office\\windows update.exe\""
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 4768 (Request ## HMI 8130-3##.pdf.exe) set thread context of PID 816 (vbc.exe)
  Together with the ten WriteProcessMemory calls from 4768 into 816 and the 0x400000-0x421000 image dumped from PID 816 (see Downloads), this is the classic hollowing sequence: the sample overwrites the suspended vbc.exe image and redirects its main thread into the injected code.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (1 IoC)
  Processes:
    vbc.exe  Key created  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID 4768  Request ## HMI 8130-3##.pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    PID 4768  Request ## HMI 8130-3##.pdf.exe  Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (22 IoCs)
  Processes (source PID -> target PID, source image -> target image; the original log lists each edge several times, counts given):
    4768 -> 416   Request ## HMI 8130-3##.pdf.exe -> schtasks.exe   (3 entries)
    4768 -> 816   Request ## HMI 8130-3##.pdf.exe -> vbc.exe        (10 entries)
    816  -> 1104  vbc.exe -> WScript.exe                           (3 entries)
    1104 -> 1424  WScript.exe -> cmd.exe                           (3 entries)
    1424 -> 1608  cmd.exe -> windows update.exe                    (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxVYDCoPb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47F7.tmp"
      - Creates scheduled task(s)
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
               Command line: "C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
               - Executes dropped EXE
The number is the depth in the process tree. Each command line names System32 while the executed image sits in SysWOW64: the parent is a 32-bit process, so WOW64 file system redirection resolves its System32 reference to SysWOW64, consistent with the 32-bit Framework (not Framework64) copy of vbc.exe being used. Note also that vbc.exe is started with no arguments, which a genuine compile never does.
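The tree above exposes four host-observable tells that do not depend on the sandbox's API hooks: a compiler (vbc.exe) launched with no arguments by a binary in %TEMP%, that compiler then parenting a script host, schtasks importing task XML from %TEMP%, and a Run key plus a cmd.exe launch pointing into AppData\Roaming. The Python below is an added example, not part of the sandbox report, that encodes those tells as detection rules and runs them over constructed Sysmon-style events modelled on the report's PIDs, paths and registry IoC. The Event schema, rule names, the extra host names in HOLLOW_TARGETS/SCRIPT_HOSTS, and the root process having parent PID 0 (the report does not show its parent) are this example's own assumptions.

```python
"""Detection rules for the execution chain in the process tree above.

The EVENTS list is CONSTRUCTED for illustration from the report's process
tree and registry IoCs; it is not sandbox telemetry. The Event schema, the
rule names and the root's parent PID (0, unknown in the report) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" (creation) or "registry" (value set)
    pid: int = 0
    ppid: int = 0           # process events: parent PID
    image: str = ""         # process events: executed image path
    parent_image: str = ""  # process events: parent's image path
    cmdline: str = ""
    key: str = ""           # registry events: full key path
    value: str = ""         # registry events: data written


# Signed Microsoft binaries that loaders commonly hollow (assumed list); none of
# them should spawn a script host or shell, or be launched from %TEMP%.
HOLLOW_TARGETS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe",
                  "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# User-writable locations this sample uses for the task XML and the dropped EXE.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)


def basename(path: str) -> str:
    """Lower-cased image file name, so System32 vs SysWOW64 does not matter."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, actor_pid, target_pid, detail) for every event that fires a rule."""
    findings = []
    for e in events:
        if e.kind == "process":
            parent, child = basename(e.parent_image), basename(e.image)
            # A compiler started by a binary living in a temp/roaming dir: hollowing setup.
            if child in HOLLOW_TARGETS and USER_WRITABLE.search(e.parent_image):
                findings.append(("compiler_spawned_from_user_dir", e.ppid, e.pid, e.parent_image))
            # The (hollowed) compiler acting as parent of a script host or shell.
            if parent in HOLLOW_TARGETS and child in SCRIPT_HOSTS:
                findings.append(("hollowed_host_spawns_script", e.ppid, e.pid, f"{parent} -> {child}"))
            # schtasks /Create importing task XML from a user-writable path.
            if child == "schtasks.exe" and "/create" in e.cmdline.lower():
                m = re.search(r'/xml\s+"?([^"]+)"?', e.cmdline, re.I)
                if m and USER_WRITABLE.search(m.group(1)):
                    findings.append(("schtasks_xml_from_user_dir", e.ppid, e.pid, m.group(1)))
            # cmd.exe used only to start an executable out of AppData.
            if parent == "cmd.exe" and USER_WRITABLE.search(e.image):
                findings.append(("cmd_launches_appdata_exe", e.ppid, e.pid, e.image))
        elif e.kind == "registry":
            # Run-key autostart whose target lives in AppData.
            if "\\currentversion\\run\\" in e.key.lower() and USER_WRITABLE.search(e.value):
                findings.append(("run_key_to_appdata", e.pid, 0, e.value))
    return findings


def chain(events, pid):
    """Walk parent links from pid back to the root; returns image names root-first."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return names[::-1]


# --- constructed input modelled on the report's process tree ----------------
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Request ## HMI 8130-3##.pdf.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
WSCRIPT = r"C:\Windows\SysWOW64\WScript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\windows update")

EVENTS = [
    Event("process", pid=4768, ppid=0, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    Event("process", pid=416, ppid=4768, image=r"C:\Windows\SysWOW64\schtasks.exe", parent_image=SAMPLE,
          cmdline=r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxVYDCoPb" '
                  r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp47F7.tmp"'),
    Event("process", pid=816, ppid=4768, image=VBC, parent_image=SAMPLE, cmdline=f'"{VBC}"'),
    Event("registry", pid=816, key=RUN_KEY, value=f'"{DROPPED}"'),
    Event("process", pid=1104, ppid=816, image=WSCRIPT, parent_image=VBC,
          cmdline=r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'),
    Event("process", pid=1424, ppid=1104, image=CMD, parent_image=WSCRIPT,
          cmdline=rf'"C:\Windows\System32\cmd.exe" /c "{DROPPED}"'),
    Event("process", pid=1608, ppid=1424, image=DROPPED, parent_image=CMD, cmdline=f'"{DROPPED}"'),
]

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(" -> ".join(chain(EVENTS, 1608)))
```

Run against the constructed events, all five rules fire once each, and chain() reconstructs the five-process path from the dropper to windows update.exe; a vbc.exe started by Visual Studio with a real source file fires nothing, which is the false-positive case to keep in mind before deploying the compiler rules broadly.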
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: ecc04d2275a312f55c1ab894dc4dd602
  SHA1: 58e66fb27ffe1bf77d8afcd76540d008b34f6d0c
  SHA256: 964b848431157771cf78be4819cd22cb42b942a02a69f945b3e3af94a623b852
  SHA512: 308b25c650710da0831fa62a6883cc49904f9799468eb30fe02a64db11f3e90124c93c317a470d5b5c51aaeb6b50cb9d3c7f4f1205b2000a94093b6fcb84dbe5
- C:\Users\Admin\AppData\Local\Temp\tmp47F7.tmp
  MD5: b42878e4c2d1a77d86a0b902497cbfec
  SHA1: 9a31ee1047b7aef9413af22bbc9d99117645bfb0
  SHA256: 0721627e82a5eda150d7b06201f98a32cfc107ce6af713dd864dfde4c6593f63
  SHA512: 5cf734fad128dcc4eeab4aa49b9f449495b25b5544e687591e9a05d925cb41691407109c360be1eea06bb0a4c772815d3f09e6f63cb3d96d78de473ed5db2eea
- C:\Users\Admin\AppData\Roaming\microsoft office\windows update.exe
  MD5: 99d17ff97e92667bf238e5154e53c6a1
  SHA1: 893d5e4fc27e23831dba69e39762fb494c7edc94
  SHA256: bb44568093a3b7299af075b09358bb4691abaa57c0496e8d97d289b05b58ad27
  SHA512: 31c5a1425d3fd36a26dc85270a19d6d1a07a644466de4527798985b12aba1242a961e6df0990c6f0bbb7f21a4c4de31aa4baaaf18999894e7c6cb56f4689bddd
  The persisted binary does not share the submitted sample's hashes (MD5 d91456035c9e48c7b8da1ebcd4d6cdbc), so hash-based IoCs for the dropper and for the file referenced by the Run key and scheduled task are distinct; hunt for both.
- memory/416-2-0x0000000000000000-mapping.dmp
- memory/816-4-0x0000000000400000-0x0000000000421000-memory.dmp  (132KB)
- memory/816-5-0x0000000000413FA4-mapping.dmp
- memory/816-6-0x0000000000400000-0x0000000000421000-memory.dmp  (132KB)
- memory/1104-7-0x0000000000000000-mapping.dmp
- memory/1424-9-0x0000000000000000-mapping.dmp
- memory/1608-10-0x0000000000000000-mapping.dmp