Analysis
- max time kernel: 151s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 18:13

Static task: static1
Behavioral task: behavioral1
Sample: QUOTATION 18 1 2021.exe
Resource: win7v20201028
General
- Target: QUOTATION 18 1 2021.exe
- Size: 1011KB
- MD5: 86bf1b4b8a10cbad324603bdfe946f90
- SHA1: efa4298cbc45052986d42c59564ff37b56a61925
- SHA256: 721059bc4edd6685620382cf7c1f86f95f8b20317e4bb22d0e8d364705f73c2e
- SHA512: 78ed2a27fd6496f34314ba2b32e3d37d2f6dd2ac32fd5ec932865087ae2a622ca3dac4e2ae8db69bc014d805f39d6cf2e16edaf654e07d276e355d6c0bd2a106
Malware Config
Extracted
- Family: remcos
- C2 (host:port): 79.134.225.100:1011
Signatures
- Uses the VBS compiler for execution (1 TTPs)
  vbc.exe is the Microsoft-signed Visual Basic .NET compiler. It is launched here with no arguments and serves only as a host process for injected code (see the process tree below).
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                  pid  process                  target process
  set thread context of 1512   776  QUOTATION 18 1 2021.exe  vbc.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\dqRqOTc" is registered from an XML definition the sample dropped to %TEMP% (see the process tree below).
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid   process
  1512  vbc.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description               pid  process                  target process  events
  wrote to memory of 268    776  QUOTATION 18 1 2021.exe  schtasks.exe    4
  wrote to memory of 1512   776  QUOTATION 18 1 2021.exe  vbc.exe         11
  The eleven writes into vbc.exe followed by the SetThreadContext call on the same process are the process-hollowing pattern: the parent fills the child with its payload and then redirects the child's initial thread into it. The four writes into schtasks.exe are not accompanied by a context change and are consistent with ordinary process creation, so they carry little signal on their own.
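The two IoC lists above are more useful read together than separately: a parent that both writes into a child and resets that child's thread context is hollowing it. The following is an added example, not part of the sandbox report, that parses event lines in the report's own wording (the input is constructed from the counts shown above) and scores each parent/child pair; the list of commonly hollowed signed .NET binaries is an assumption to be extended from your own telemetry.

```python
"""Score sandbox process-interaction events for a process-hollowing chain."""
import re
from dataclasses import dataclass

# Constructed from the report's SetThreadContext / WriteProcessMemory IoC lists:
# 4 writes into schtasks.exe, 11 writes plus one SetThreadContext into vbc.exe.
EVENTS = (
    ["PID 776 wrote to memory of 268 776 QUOTATION 18 1 2021.exe schtasks.exe"] * 4
    + ["PID 776 wrote to memory of 1512 776 QUOTATION 18 1 2021.exe vbc.exe"] * 11
    + ["PID 776 set thread context of 1512 776 QUOTATION 18 1 2021.exe vbc.exe"]
)

# "PID <src> <action> <tgt> <src> <source image name> <target image name>";
# the source name may contain spaces, the target name (last token) may not.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<tgt>\d+) (?P=src) (?P<src_name>.+) (?P<tgt_name>\S+)$"
)

# Signed .NET utilities that .NET loaders commonly hollow (assumption: a starter
# list, not exhaustive; extend it from your own telemetry).
HOLLOW_TARGETS = {
    "vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "aspnet_compiler.exe",
}


@dataclass
class Interaction:
    src_name: str
    tgt_name: str
    writes: int = 0
    set_context: bool = False


def parse_events(lines):
    """Aggregate the event lines per (source pid, target pid) pair."""
    table = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an injection-style event; ignore
        key = (int(m["src"]), int(m["tgt"]))
        it = table.setdefault(key, Interaction(m["src_name"], m["tgt_name"]))
        if m["action"] == "wrote to memory of":
            it.writes += 1
        else:
            it.set_context = True
    return table


def classify(table):
    """Return (severity, src_pid, tgt_pid, target image, reason) per pair."""
    findings = []
    for (src, tgt), it in sorted(table.items()):
        if it.writes and it.set_context:
            # Writes followed by a context switch into the same child is the
            # hollowing signature; a signed LOLBin target raises it further.
            if it.tgt_name.lower() in HOLLOW_TARGETS:
                sev, why = "high", "WriteProcessMemory + SetThreadContext into a signed .NET utility"
            else:
                sev, why = "medium", "WriteProcessMemory + SetThreadContext on the same child"
        elif it.writes:
            # A parent writes into a brand-new child as part of CreateProcess
            # (PEB/startup data), so writes alone are weak evidence.
            sev, why = "low", "memory writes only, consistent with process creation"
        else:
            sev, why = "medium", "SetThreadContext without observed writes"
        findings.append((sev, src, tgt, it.tgt_name, why))
    return findings


if __name__ == "__main__":
    for f in classify(parse_events(EVENTS)):
        print("%-6s %s -> %s (%s): %s" % f)
```

Run against the report's events this yields one low finding for 776 -> 268 (schtasks.exe) and one high finding for 776 -> 1512 (vbc.exe). The same aggregation works on Sysmon event ID 8/10 or EDR telemetry once the two actions are mapped onto the same (source, target) key.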
Processes
- C:\Users\Admin\AppData\Local\Temp\QUOTATION 18 1 2021.exe (PID 776, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATION 18 1 2021.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 268, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dqRqOTc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp"
    - Creates scheduled task(s)
    The command line names System32 but the image that ran is the SysWOW64 copy: the 32-bit parent was subject to WOW64 file-system redirection.
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 1512, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    - Suspicious use of SetWindowsHookEx
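The persistence step is worth triaging on two levels: the schtasks command line (task name, and where the /XML definition was read from) and the task XML itself (what it runs, when, and whether it hides). The block below is an added example, not part of the report or the sandbox's own tooling. The command line is the one shown above; the task XML is a constructed stand-in, because the report lists tmp957C.tmp only by hash and does not show its contents. The user-writable path fragments and the "Updates\" naming heuristic are assumptions.

```python
"""Triage a schtasks /Create invocation and the task XML it imports."""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Path fragments a standard user can write to (assumption: starter list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Command line taken from the report's process tree.
CMDLINE = (
    '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\dqRqOTc" '
    '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp957C.tmp"'
)

# Constructed stand-in for tmp957C.tmp: the report does not show the real
# file, so this is the shape a loader-written task definition typically has.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Admin\\AppData\\Roaming\\dqRqOTc.exe</Command></Exec>
  </Actions>
</Task>"""

# Switches of interest; values may be quoted (paths with spaces) or bare.
SWITCH_RE = re.compile(r'/(TN|XML|TR|SC|RU)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks(cmdline):
    """Pull the switches we care about out of a schtasks command line."""
    opts = {}
    for switch, quoted, bare in SWITCH_RE.findall(cmdline):
        opts[switch.upper()] = quoted or bare
    return opts


def is_user_writable(path):
    p = path.lower()
    return any(frag in p for frag in USER_WRITABLE)


def triage_task(cmdline, task_xml):
    """Return the persistence indicators found in the command line and XML."""
    flags = []
    opts = parse_schtasks(cmdline)
    if "XML" in opts and is_user_writable(opts["XML"]):
        flags.append("definition imported from a user-writable path: " + opts["XML"])
    # Heuristic: the "Updates\<random>" folder is the naming this sample used.
    if opts.get("TN", "").lower().startswith("updates\\"):
        flags.append("task name posing as an update task: " + opts["TN"])
    root = ET.fromstring(task_xml)
    for cmd in root.iter(TASK_NS + "Command"):
        if is_user_writable(cmd.text or ""):
            flags.append("action runs from a user-writable path: " + cmd.text)
    if root.find(".//" + TASK_NS + "LogonTrigger") is not None:
        flags.append("logon trigger: re-launches at every sign-in")
    hidden = root.find(".//" + TASK_NS + "Hidden")
    if hidden is not None and (hidden.text or "").strip().lower() == "true":
        flags.append("task hidden from the Task Scheduler UI")
    return flags


if __name__ == "__main__":
    for flag in triage_task(CMDLINE, TASK_XML):
        print("[!]", flag)
```

On a live host the same checks apply to the XML exported with `schtasks /Query /TN "Updates\dqRqOTc" /XML`, or to the task files under C:\Windows\System32\Tasks, which is where a registered task's definition ends up after the temporary XML in %TEMP% has been deleted.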
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp957C.tmp
  MD5: 52fea57eddd02a6e6e664b2a8c1ddcc3
  SHA1: e99495ff75cbe4361baa0ddcd39c86e2de48150b
  SHA256: a4c614807c10d60d3b82bc6e8522bfc22a17bb52997caf883903fddc33bb158e
  SHA512: 3e9d1dbb321dd6d294976926f4d18e281aa6c0b24137b3395215d5bf8eb6bf46aee5dfb3dd9470b468f9b67e7d060f63cd78fe9d06aa87a9e54848cdef4ccc84
- memory/268-8-0x0000000000000000-mapping.dmp
- memory/776-2-0x0000000073F20000-0x000000007460E000-memory.dmp (6.9MB)
- memory/776-3-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/776-5-0x0000000002520000-0x0000000002521000-memory.dmp (4KB)
- memory/776-6-0x0000000000410000-0x0000000000423000-memory.dmp (76KB)
- memory/776-7-0x0000000002440000-0x00000000024DF000-memory.dmp (636KB)
- memory/1512-10-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1512-11-0x0000000000413FA4-mapping.dmp
- memory/1512-12-0x0000000076071000-0x0000000076073000-memory.dmp (8KB)
- memory/1512-13-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)

The 0x00400000-0x00421000 region of PID 1512 (vbc.exe) is dumped twice, and the 0x00413FA4 mapping falls inside it. That region is the image base the parent wrote into and then pointed the thread at (the WriteProcessMemory and SetThreadContext IoCs above), so those two dumps are where to look for the unpacked Remcos payload rather than in the original 1011KB dropper.