Analysis

Max time kernel: 149s
Max time network: 146s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 19-01-2021 07:57

Static task: static1

Behavioral task: behavioral1
Sample: ae8ba034c111e338ffc8cced610e23c7.exe
Resource: win7v20201028 (windows7_x64)

Behavioral task: behavioral2
Sample: ae8ba034c111e338ffc8cced610e23c7.exe
Resource: win10v20201028 (windows10_x64)

The signatures, process tree and memory dumps below come from the windows7_x64 run (behavioral1); no output from the windows10_x64 run is included in this report.
General

Target: ae8ba034c111e338ffc8cced610e23c7.exe
Size: 724KB
MD5: ae8ba034c111e338ffc8cced610e23c7
SHA1: edfd786403ebea26e612b0240b1ce980f170f245
SHA256: 6cdb03bc316fbf184d610d24d85ca86ec2269413ae8ae8ac87f296afb08dacea
SHA512: bbae7a78743ded59170bab7fa5a2a240ab24fbe065f39d0c00d13655fefba4074d23e952ca994945a722f24dedee6d59c8d2ca0569f2497a1e3f82b1490c2b42
Score: 10/10
Malware Config

Extracted
Family: remcos
C2: 4sureme.ddns.net:4902
The C2 is a dynamic-DNS hostname (ddns.net), so the address it resolves to can change between runs; block and alert on the hostname and the port, not on whatever IP it resolved to in the sandbox.
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: ae8ba034c111e338ffc8cced610e23c7.exe
Set value (str): \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvchn = "C:\\Users\\Admin\\nhcvR.url"
The Run value does not name the dropper itself but an Internet Shortcut (.url) placed in the profile root; the value name Rvchn is the file name nhcvR reversed. A .url file is a small INI file whose URL= line is what gets opened at logon, so recover C:\Users\Admin\nhcvR.url and read that line to see what the persistence actually launches.

Modifies system certificate store
Process: ae8ba034c111e338ffc8cced610e23c7.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob not reproduced in this report)
Caveat: AuthRoot\Certificates\<thumbprint> is the cache that Windows' automatic root update fills when a process builds a TLS chain whose root has to be fetched from the Microsoft trusted root list, so a single key here is weak evidence of tampering. This thumbprint is the SHA-1 fingerprint of the public DST Root CA X3 certificate, which fits the VM caching a root during a TLS connection rather than the sample installing a root of its own.

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Flow 5, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Flow 7, HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default user-agent of the WinHttp.WinHttpRequest COM object, normally seen from VBScript/JScript and other script hosts. Coming from a native executable run out of %TEMP%, it marks the sample's own HTTP requests and is cheap to alert on whenever the originating process is not a script host.

Suspicious use of SetWindowsHookEx (1 IoC)
Process: ieinstal.exe (PID 1592)
The hook is installed by the child ieinstal.exe, not by the dropper. SetWindowsHookEx is the API behind keyboard-hook keyloggers, and Internet Explorer's add-on installer has no reason to install a hook of its own, which fits the hollowed-process picture in the next entry.

Suspicious use of WriteProcessMemory (19 IoCs)
Process: ae8ba034c111e338ffc8cced610e23c7.exe (PID 1656), target process: ieinstal.exe (PID 1592)
All 19 entries record the same pairing: PID 1656 (ae8ba034c111e338ffc8cced610e23c7.exe) wrote to memory of PID 1592 (ieinstal.exe).
Read together with the process tree (the dropper spawns ieinstal.exe as its child), the hook installed by that child, and the 132KB dump taken from PID 1592 at 0x00400000, this is the process-hollowing pattern: a signed Microsoft binary is started and its memory overwritten with the payload so that later activity is attributed to ieinstal.exe. The 0x00400000 dump from PID 1592 is where to confirm it.
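A detection pass over the four behaviours above, added here as an example for this page (it is not code from the sandbox or from Remcos). It reads Sysmon-shaped event dictionaries constructed inline from this report's indicators plus two benign controls. The SCRIPT_HOSTS and INJECT_TARGETS lists and the USER_WRITABLE prefixes are assumptions to tune per environment, and the constructed network_connect event attributes the C2 connection to ieinstal.exe, which the report itself does not show.

```python
"""Triage constructed host telemetry for the behaviours in the report above:
a Run value pointing at a shortcut in the user profile, a cross-process write
into ieinstal.exe, the WinHttpRequest user-agent from a non-script process,
and contact with the extracted C2. Added example; events are constructed."""
import re

# Indicators taken from the report.
C2_HOST, C2_PORT = "4sureme.ddns.net", 4902
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Hollowing target seen in this report; extend with other decoy binaries (assumption).
INJECT_TARGETS = {"ieinstal.exe"}
# Processes for which the WinHttpRequest user-agent is expected (assumption; tune per estate).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Paths an unprivileged user can write to (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_run_key(ev):
    """Run value whose data is a .url/.lnk under a user-writable path (as Rvchn -> nhcvR.url)."""
    if ev["type"] != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = ev["data"].strip('"').lower()
    if target.startswith(USER_WRITABLE) and target.endswith((".url", ".lnk")):
        return f"run-key persistence via shortcut: {ev['key']} -> {ev['data']} ({basename(ev['image'])})"
    return None

def check_process_write(ev):
    """Cross-process memory write from a user-writable location into a known decoy binary."""
    if ev["type"] != "process_write":
        return None
    src, dst = ev["source_image"].lower(), ev["target_image"].lower()
    if basename(dst) in INJECT_TARGETS and src.startswith(USER_WRITABLE):
        return f"cross-process write into {basename(dst)} (pid {ev['target_pid']}) by {src}"
    return None

def check_http(ev):
    """WinHttpRequest user-agent from something that is not a script host, or a request to the C2."""
    if ev["type"] != "http":
        return None
    hits = []
    if ev["user_agent"] == SCRIPT_UA and basename(ev["image"]) not in SCRIPT_HOSTS:
        hits.append(f"script-host user-agent from {basename(ev['image'])}")
    if ev["host"].lower() == C2_HOST:
        hits.append(f"request to extracted C2 {C2_HOST}")
    return "; ".join(hits) or None

def check_connect(ev):
    """TCP connection to the extracted C2 host and port."""
    if ev["type"] != "network_connect":
        return None
    if ev["host"].lower() == C2_HOST and ev["port"] == C2_PORT:
        return f"connection to extracted C2 {C2_HOST}:{C2_PORT} by {basename(ev['image'])}"
    return None

CHECKS = (check_run_key, check_process_write, check_http, check_connect)

def triage(events):
    """Return one finding string per check that fired, in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings

# Constructed events mirroring the report (first four) plus two benign controls.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\ae8ba034c111e338ffc8cced610e23c7.exe"
IEINSTAL = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": DROPPER,
     "key": r"HKU\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rvchn",
     "data": r"C:\Users\Admin\nhcvR.url"},
    {"type": "process_write", "source_image": DROPPER, "source_pid": 1656,
     "target_image": IEINSTAL, "target_pid": 1592},
    {"type": "http", "image": DROPPER, "host": "4sureme.ddns.net", "user_agent": SCRIPT_UA},
    # Assumption: the report does not say which process opened the C2 connection.
    {"type": "network_connect", "image": IEINSTAL, "host": "4sureme.ddns.net", "port": 4902},
    # Benign controls: a vendor Run value and a real script host using WinHttpRequest.
    {"type": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "http", "image": r"C:\Windows\System32\cscript.exe",
     "host": "update.example.test", "user_agent": SCRIPT_UA},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Running the block prints four findings, one per behaviour in the report, and nothing for the two controls. The Run-key and user-agent rules are the ones worth keeping as standing detections; the C2 match is specific to this sample and, being a dynamic-DNS name, should be matched on the hostname rather than a resolved address.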
Processes

C:\Users\Admin\AppData\Local\Temp\ae8ba034c111e338ffc8cced610e23c7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae8ba034c111e338ffc8cced610e23c7.exe"
  - Adds Run key to start application
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  Child: C:\Program Files (x86)\internet explorer\ieinstal.exe
    Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Memory dumps (PID 1592 is ieinstal.exe, PID 1656 is the dropper):
memory/1592-3-0x0000000000090000-0x0000000000091000-memory.dmp, 4KB
memory/1592-4-0x0000000000000000-mapping.dmp
memory/1592-5-0x0000000000110000-0x0000000000111000-memory.dmp, 4KB
memory/1592-7-0x0000000000230000-0x0000000000231000-memory.dmp, 4KB
memory/1592-8-0x0000000074D11000-0x0000000074D13000-memory.dmp, 8KB
memory/1592-12-0x0000000010540000-0x0000000010564000-memory.dmp, 144KB
memory/1592-14-0x0000000000400000-0x0000000000421000-memory.dmp, 132KB
memory/1656-2-0x0000000000230000-0x0000000000231000-memory.dmp, 4KB
The two larger dumps from PID 1592 are the candidates for the injected payload; 0x00400000 is the conventional image base of a 32-bit PE, so memory/1592-14 is the first to check. A dump that begins with an MZ/PE header whose ImageBase and SizeOfImage match the dumped range is the unpacked image to carve; the 4KB and 8KB dumps are too small to hold it.
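The check just described, as an added example for this page rather than code from the sandbox: parse the headers at the start of a dump, compare ImageBase and SizeOfImage with the dumped range, detect whether the image is still in mapped (in-memory) layout, and realign section pointers so the dump parses as a file. The bytes produced by build_synthetic_dump() are constructed test data shaped like a PE32 header at 0x00400000, not the real memory/1592-14 dump.

```python
"""First check on a memory dump taken at a 32-bit image base, such as
memory/1592-14 (0x00400000-0x00421000) from ieinstal.exe: is it a PE32 image,
do its ImageBase/SizeOfImage match the dumped range, and is it in mapped
layout? If so, realign section pointers for static tools. Added example;
build_synthetic_dump() returns constructed data, not the sandbox's dump."""
import struct

def parse_pe_image(buf):
    """Parse DOS, COFF, PE32 optional and section headers; None if not a PE32 image."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:   # PE32 only; the target here is 32-bit
        return None
    entry = struct.unpack_from("<I", buf, opt + 16)[0]          # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]     # ImageBase (PE32 layout)
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]  # SizeOfImage
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "hdr_off": sec_off + 40 * i})
    return {"machine": machine, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}

def assess_dump(buf, dump_start, dump_end):
    """Compare the headers found in the dump with the address range it was taken from."""
    info = parse_pe_image(buf)
    if info is None:
        return {"pe": False}
    return {
        "pe": True,
        "image_base": info["image_base"],
        "base_matches": info["image_base"] == dump_start,
        "size_matches": info["size_of_image"] == dump_end - dump_start,
        # In a mapped image the section bytes sit at VirtualAddress, but the headers still
        # carry the file's PointerToRawData; file tools would then read the wrong bytes.
        "mapped_layout": any(s["raw_ptr"] != s["va"] for s in info["sections"]),
        "entry_in_image": info["entry"] < info["size_of_image"],
    }

def realign_for_disk(buf):
    """Set each section's SizeOfRawData/PointerToRawData to VirtualSize/VirtualAddress so a
    mapped dump parses as a file (the usual unmapping step before static analysis)."""
    info = parse_pe_image(buf)
    if info is None:
        raise ValueError("not a PE32 image")
    out = bytearray(buf)
    for s in info["sections"]:
        struct.pack_into("<II", out, s["hdr_off"] + 16, s["vsize"], s["va"])
    return bytes(out)

def build_synthetic_dump(image_base=0x400000, size_of_image=0x21000):
    """Constructed test input: a minimal PE32 header in mapped layout, padded to the dump size."""
    hdr = bytearray(0x1000)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                     # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    # (name, VirtualAddress, VirtualSize, PointerToRawData as it would be in the file)
    sections = [(b".text", 0x1000, 0x1000, 0x400), (b".data", 0x2000, 0x1F000, 0x1400)]
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = 0x98
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<I", hdr, opt + 56, size_of_image)
    for i, (name, va, vsize, raw_ptr) in enumerate(sections):
        struct.pack_into("<8sIIII", hdr, opt + 0xE0 + 40 * i, name, vsize, va, vsize, raw_ptr)
    return bytes(hdr) + b"\xCC" * (size_of_image - len(hdr))

if __name__ == "__main__":
    dump = build_synthetic_dump()
    print(assess_dump(dump, 0x400000, 0x421000))
    print([(s["name"], hex(s["raw_ptr"])) for s in parse_pe_image(realign_for_disk(dump))["sections"]])
```

On a real dump, open the .dmp file, pass its bytes with the start and end addresses from the file name, and treat a result with pe, base_matches and size_matches all true as the unpacked image; realign it and hand the output to a disassembler or the config extractor. A dump whose ImageBase does not match the range it was taken from is usually a relocated or partially overwritten image and needs the relocation table considered before its absolute addresses are trusted.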