Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
12-01-2021 17:57
Static task
static1
Behavioral task
behavioral1
Sample
December SOA.exe
Resource
win7v20201028
General
-
Target
December SOA.exe
-
Size
942KB
-
MD5
196f910a3335186350701c40afd852b7
-
SHA1
41461908d87d6ce39eebba80aea20bcd2fbfd8c0
-
SHA256
ed8b7563a60bab9c7a5e4b7a79bb01fa744000fdc3a3bfab837418190d22752e
-
SHA512
3a058f8d08e3a3d5da211eb8c05d92eb259a424100df11974156f9e90a2d9c662c23bddee2c9ff7c81bc2d860a9fc98c52e35d1b2087601379d7e1680b79b483
Malware Config
Extracted
remcos
194.5.97.66:1840
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
December SOA.exedescription pid process target process PID 64 set thread context of 1524 64 December SOA.exe December SOA.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
December SOA.exepid process 64 December SOA.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
December SOA.exedescription pid process Token: SeDebugPrivilege 64 December SOA.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
December SOA.exepid process 1524 December SOA.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
December SOA.exedescription pid process target process PID 64 wrote to memory of 2772 64 December SOA.exe schtasks.exe PID 64 wrote to memory of 2772 64 December SOA.exe schtasks.exe PID 64 wrote to memory of 2772 64 December SOA.exe schtasks.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe PID 64 wrote to memory of 1524 64 December SOA.exe December SOA.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\December SOA.exe"C:\Users\Admin\AppData\Local\Temp\December SOA.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TUhqyHpeWrHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A53.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\December SOA.exe"C:\Users\Admin\AppData\Local\Temp\December SOA.exe"2⤵
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6A53.tmpMD5
6efb2d98397217977d04d7691cdf6074
SHA1d9a2ec17f17e1f137e071c55c34e8f4a1b0ac12a
SHA256174ddda241018f28a763c5d92920692d9a437ae6b8f0de121783bfaae590ed53
SHA512ab44780f147b7de61e76792cd2aff6b6e1ef8b03250d5524887a8bfab348aa8de794e7e7d10d5bee905db9128c373d27a203292f12ace81952961f6a0ec000b1
-
memory/1524-4-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/1524-5-0x0000000000413FA4-mapping.dmp
-
memory/1524-6-0x0000000000400000-0x0000000000421000-memory.dmpFilesize
132KB
-
memory/2772-2-0x0000000000000000-mapping.dmp