Analysis
- max time kernel: 15s
- max time network: 145s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-01-2021 18:14

Static task: static1
Behavioral task: behavioral1
- Sample: Cotización de factura.exe
- Resource: win7v20201028
General
- Target: Cotización de factura.exe
- Size: 175KB
- MD5: c615c0190a56b52735589ac7bc9a6f9a
- SHA1: 99dbc59464aac2260b46f3d3dfd6cbaac0dd3bbb
- SHA256: 5d18283ed1cb2d7e7bd78e87821b3aa2f2ea64b01e28736098a3922fea61fe71
- SHA512: ce225236fcbf26bfe76d9d4862e0bacc9d59517c2a832231d76136f7f34640101be861888ad862de1acbf1f2297d33681325e215bc2cfc3f2a227f87712da93a
Malware Config
- Extracted: remcos (45.137.22.52:8780)
Signatures
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 424 set thread context of 2080 | 424 | Cotización de factura.exe | Cotización de factura.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  424 | Cotización de factura.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  2080 | Cotización de factura.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 424 wrote to memory of 2224 | 424 | Cotización de factura.exe | cmd.exe
  PID 424 wrote to memory of 2224 | 424 | Cotización de factura.exe | cmd.exe
  PID 424 wrote to memory of 2224 | 424 | Cotización de factura.exe | cmd.exe
  PID 424 wrote to memory of 2080 | 424 | Cotización de factura.exe | Cotización de factura.exe
  PID 424 wrote to memory of 2080 | 424 | Cotización de factura.exe | Cotización de factura.exe
  PID 424 wrote to memory of 2080 | 424 | Cotización de factura.exe | Cotización de factura.exe
  PID 424 wrote to memory of 2080 | 424 | Cotización de factura.exe | Cotización de factura.exe
  PID 2224 wrote to memory of 2516 | 2224 | cmd.exe | schtasks.exe
  PID 2224 wrote to memory of 2516 | 2224 | cmd.exe | schtasks.exe
  PID 2224 wrote to memory of 2516 | 2224 | cmd.exe | schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Cotización de factura.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cotización de factura.exe"
  PID: 424
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e467ce807fc14e059ba8cc49dc5d2dff.xml"
    PID: 2224
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\e467ce807fc14e059ba8cc49dc5d2dff.xml"
      PID: 2516
      - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Cotización de factura.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Cotización de factura.exe"
    PID: 2080
    - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\e467ce807fc14e059ba8cc49dc5d2dff.xml
  MD5: a36564afc14b3eb0849c01a3afdb9944
  SHA1: 4dcee9fae3fde4e46b08529bc0ba067150686f07
  SHA256: 9d4342f763c5d62a06f69aa6fdcb1caa376ff2f2c0972f36b487f73b4d221996
  SHA512: 782082aa36ae056734e90fc079c813dfef59420571a1b70cde4cf15eb6c870f85b2bfe0748ef4db9df3d010c08671bff744d78178ba75bf2ba02b665f044ae89
- memory/424-5-0x00000000012C0000-0x00000000012D7000-memory.dmp (Filesize: 92KB)
- memory/2080-3-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/2080-4-0x000000000040FD88-mapping.dmp
- memory/2224-2-0x0000000000000000-mapping.dmp
- memory/2516-6-0x0000000000000000-mapping.dmp