Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 07:08

Static task: static1

Behavioral task: behavioral1
- Sample: Assigned Document.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Assigned Document.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Assigned Document.exe
- Size: 836KB
- MD5: f8d1358d21f301908cd951fc887d606b
- SHA1: 88d68c3dd045ec5245da41feb6130d49b62491f4
- SHA256: ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0
- SHA512: 37311fb807024e3ac1dfd558bbcb2d8b4f9eb9f6bf729cf9f65d7d94593ef3b29705a948eb6ded388bed4e0757a6ffa47dfb2cafbf8d590bcd4acd3ae02e32c5
- Score: 10/10
Malware Config
Extracted
- Family: remcos
- C2: remcos009s.duckdns.org:1980
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Assigned Document.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ugedr = "C:\\Users\\Admin\\rdegU.url"
- Modifies Internet Explorer settings
  Processes:
  Assigned Document.exe: Key created \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main
- Modifies system certificate store
  Processes:
  Assigned Document.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
  Assigned Document.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Flows:
  flow 4: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  flow 6: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  PID 1832 Assigned Document.exe (2 occurrences)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  PID 1832 (Assigned Document.exe) wrote to memory of PID 544 (ieinstal.exe), 19 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Assigned Document.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Assigned Document.exe"
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe
    Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/544-6-0x0000000000000000-mapping.dmp
- memory/544-7-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
- memory/544-5-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize 4KB)
- memory/544-9-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize 4KB)
- memory/544-15-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
- memory/544-14-0x0000000010540000-0x0000000010564000-memory.dmp (Filesize 144KB)
- memory/1356-3-0x000007FEF5C30000-0x000007FEF5EAA000-memory.dmp (Filesize 2.5MB)
- memory/1832-2-0x0000000075DE1000-0x0000000075DE3000-memory.dmp (Filesize 8KB)
- memory/1832-4-0x00000000001B0000-0x00000000001B1000-memory.dmp (Filesize 4KB)