Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 22:24
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Application Form.exe
  - Resource: win7v20201028 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: Application Form.exe
- Size: 620KB
- MD5: ea431733561c16e385bedd8478522598
- SHA1: b56c6bf369510cad2dec8356b330a96d6a060bab
- SHA256: 9888381eb68d98f0581ab81845f2fc9e15af6ba1193a131bdf60497e3a3d1247
- SHA512: bcc536bb79caf6e43ba661669e8e166b94a7f78a5b094a11f851876c889d573b5801dd655240be163ea7a2f56f6fefb5698e64f9791dff0ce08126eb7760f9be
Malware Config
Extracted
- Family: remcos
- C2: Toolz.mywire.org:4499
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 3848 (Application Form.exe) set thread context of PID 1524 (Application Form.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  - PID 1524 (Application Form.exe)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  - PID 648 (Application Form.exe)
  - PID 3848 (Application Form.exe)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  - PID 1524 (Application Form.exe)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  - PID 648 (Application Form.exe) wrote to memory of PID 3732 (Application Form.exe), 3 events
  - PID 648 (Application Form.exe) wrote to memory of PID 3848 (Application Form.exe), 3 events
  - PID 3848 (Application Form.exe) wrote to memory of PID 1524 (Application Form.exe), 4 events
Processes
- C:\Users\Admin\AppData\Local\Temp\Application Form.exe (PID 648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Application Form.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\Application Form.exe (PID 3732)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Application Form.exe"
  - C:\Users\Admin\AppData\Local\Temp\Application Form.exe (PID 3848)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Application Form.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\Application Form.exe (PID 1524)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Application Form.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx