Analysis
- max time kernel: 12s
- max time network: 147s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 15-01-2021 15:51
- Static task: static1
- Behavioral task: behavioral1
  - Sample: HESAP BILGISI.PDF.exe
  - Resource: win7v20201028
General
- Target: HESAP BILGISI.PDF.exe
- Size: 361KB
- MD5: 0b3fd095b95a6e7ff50a33e9bd83af8d
- SHA1: e8910f1987f3c2b39b37885790aea305c8e09fec
- SHA256: a81dc80c4e292405023f9c59504e55045ca754901cd06185d041642ce91a33b2
- SHA512: 3dda5d4cd455034b8035985e2c783d7f2a8cb084ccf20dea04245c94368aff2053dab688c4512c51a127bce259aef485847ac2ebee86b66b1895e3300fa0c8d9
Malware Config
Extracted:
- Family: remcos
- C2: 72.11.157.241:4445
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 2028 (HESAP BILGISI.PDF.exe) set thread context of PID 2044 (HESAP BILGISI.PDF.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  PID 2028 HESAP BILGISI.PDF.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  PID 2044 HESAP BILGISI.PDF.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes:
  PID 2044 HESAP BILGISI.PDF.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  PID 2044 HESAP BILGISI.PDF.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  PID 2028 (HESAP BILGISI.PDF.exe) wrote to memory of PID 1640 (cmd.exe), 4 times
  PID 2028 (HESAP BILGISI.PDF.exe) wrote to memory of PID 1584 (cmd.exe), 4 times
  PID 2028 (HESAP BILGISI.PDF.exe) wrote to memory of PID 1984 (cmd.exe), 4 times
  PID 2028 (HESAP BILGISI.PDF.exe) wrote to memory of PID 2044 (HESAP BILGISI.PDF.exe), 5 times
  PID 1984 (cmd.exe) wrote to memory of PID 1888 (schtasks.exe), 4 times
Processes
- HESAP BILGISI.PDF.exe (PID 2028), depth 1
  Image: C:\Users\Admin\AppData\Local\Temp\HESAP BILGISI.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HESAP BILGISI.PDF.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - cmd.exe, depth 2
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - cmd.exe, depth 2
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c cls
  - cmd.exe (PID 1984), depth 2
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8aae0b435fd34ae29e083423960fb4e2.xml"
    Signatures: Suspicious use of WriteProcessMemory
    - schtasks.exe (PID 1888), depth 3
      Image: C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks /Create /TN name /XML "C:\Users\Admin\AppData\Local\Temp\8aae0b435fd34ae29e083423960fb4e2.xml"
      Signatures: Creates scheduled task(s)
  - HESAP BILGISI.PDF.exe (PID 2044), depth 2
    Image: C:\Users\Admin\AppData\Local\Temp\HESAP BILGISI.PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\HESAP BILGISI.PDF.exe"
    Signatures: Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
PIDs are taken from the Signatures section. The two "/c cls" cmd.exe children are PIDs 1640 and 1584 there; the report does not record which is which. The children resolve to C:\Windows\SysWOW64 although their command lines name System32: that is WOW64 file-system redirection, so the parent is a 32-bit executable.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\8aae0b435fd34ae29e083423960fb4e2.xml
  MD5: a035055e1c80bc652520df45650c690f
  SHA1: 37b8364ad46e17199eb5a7ee89bb506bba384adb
  SHA256: 2b9948d34674d0fc0f9cb290da8298441b56205f6e341e3cfa1954df42c2b655
  SHA512: 678279d1bfc8a71c27a5a2c3afa5fd266882a62610863a3e4ebc2489f17827ed4c680c89e6b8b52621320500294d2df9888259ccdc5d38def43e739c1f325fc1
- memory/1584-3-0x0000000000000000-mapping.dmp
- memory/1640-2-0x0000000000000000-mapping.dmp
- memory/1888-8-0x0000000000000000-mapping.dmp
- memory/1984-4-0x0000000000000000-mapping.dmp
- memory/2044-5-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2044-6-0x00000000004172EC-mapping.dmp
- memory/2044-7-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
- memory/2044-9-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)