Analysis
-
max time kernel
151s -
max time network
148s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
12-01-2021 17:57
Static task
static1
Behavioral task
behavioral1
Sample
December SOA.exe
Resource
win7v20201028
General
-
Target
December SOA.exe
-
Size
942KB
-
MD5
196f910a3335186350701c40afd852b7
-
SHA1
41461908d87d6ce39eebba80aea20bcd2fbfd8c0
-
SHA256
ed8b7563a60bab9c7a5e4b7a79bb01fa744000fdc3a3bfab837418190d22752e
-
SHA512
3a058f8d08e3a3d5da211eb8c05d92eb259a424100df11974156f9e90a2d9c662c23bddee2c9ff7c81bc2d860a9fc98c52e35d1b2087601379d7e1680b79b483
Malware Config
Extracted
remcos
194.5.97.66:1840
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
December SOA.exedescription pid process target process PID 932 set thread context of 1588 932 December SOA.exe December SOA.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
December SOA.exepid process 932 December SOA.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
December SOA.exedescription pid process Token: SeDebugPrivilege 932 December SOA.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
December SOA.exepid process 1588 December SOA.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
December SOA.exedescription pid process target process PID 932 wrote to memory of 1384 932 December SOA.exe schtasks.exe PID 932 wrote to memory of 1384 932 December SOA.exe schtasks.exe PID 932 wrote to memory of 1384 932 December SOA.exe schtasks.exe PID 932 wrote to memory of 1384 932 December SOA.exe schtasks.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe PID 932 wrote to memory of 1588 932 December SOA.exe December SOA.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\December SOA.exe"C:\Users\Admin\AppData\Local\Temp\December SOA.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TUhqyHpeWrHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp129.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\December SOA.exe"C:\Users\Admin\AppData\Local\Temp\December SOA.exe"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp129.tmpMD5
29184400ce70f2b5f97a013f1c4ce0d8
SHA18ab2d8a9231bfd7dc57ab03c2943e812ba6d4e03
SHA25674b6341943c4fcc58f21ffd752b4c8d2163b3161fc7f71f0593b3cb994468474
SHA512ea82c10d769a462bbcf0a18acf8398eac565def0a031397615cc6a00f3910376a0e028e458d2904413da875647a47666a24a0b9586d6ebb1af473f36208ac77a
-
memory/1384-2-0x0000000000000000-mapping.dmp
-
memory/1588-4-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1588-5-0x0000000000413FA4-mapping.dmp
-
memory/1588-6-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB