Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 07:08

Static task: static1

Behavioral task: behavioral1
- Sample: Assigned Document.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Assigned Document.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Assigned Document.exe
- Size: 836KB
- MD5: f8d1358d21f301908cd951fc887d606b
- SHA1: 88d68c3dd045ec5245da41feb6130d49b62491f4
- SHA256: ec84a8bda79a0fd968138e6eb7bed4da519a44b4f24f30eceae26606bf73d5f0
- SHA512: 37311fb807024e3ac1dfd558bbcb2d8b4f9eb9f6bf729cf9f65d7d94593ef3b29705a948eb6ded388bed4e0757a6ffa47dfb2cafbf8d590bcd4acd3ae02e32c5
- Score: 10/10
Malware Config (Extracted)
- Family: remcos
- C2: remcos009s.duckdns.org:1980
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Assigned Document.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ugedr = "C:\\Users\\Admin\\rdegU.url"
    process: Assigned Document.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: Assigned Document.exe
    pid   process
    580   Assigned Document.exe
    580   Assigned Document.exe

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Assigned Document.exe
    description                      pid   process                 target process
    PID 580 wrote to memory of 1276  580   Assigned Document.exe   ieinstal.exe
    (this entry is listed 15 times in the report, one per IoC)
Processes
1. C:\Users\Admin\AppData\Local\Temp\Assigned Document.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Assigned Document.exe"
   - Adds Run key to start application
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\internet explorer\ieinstal.exe (child of 1)
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Downloads
- memory/580-2-0x0000000000670000-0x0000000000671000-memory.dmp (Filesize 4KB)
- memory/1276-3-0x0000000002D60000-0x0000000002D61000-memory.dmp (Filesize 4KB)
- memory/1276-4-0x0000000000000000-mapping.dmp
- memory/1276-5-0x0000000003150000-0x0000000003151000-memory.dmp (Filesize 4KB)
- memory/1276-7-0x0000000002DC0000-0x0000000002DC1000-memory.dmp (Filesize 4KB)
- memory/1276-12-0x0000000010540000-0x0000000010564000-memory.dmp (Filesize 144KB)
- memory/1276-13-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)