Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER3898.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: ORDER3898.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: ORDER3898.exe
- Size: 716KB
- MD5: 41a4bbdc8c2f1ff444d2fb7ab9fbeaf5
- SHA1: 25170e511f605a28205d83c87cd8ba73d7580ce7
- SHA256: 595a6f87c8d7f4d41ff378424f03f27187b5abb95f8e8ca2507a00f01bacd11b
- SHA512: 12dec3f07ba86b9e17c097d65f15fc3961a274b9d7a66499700e718a5d169affca5d1510ac8be3d1dad215e963d0e90ec4a703ac4798fe7078a1d9f47f4c2108
- Score: 10/10
Malware Config
Extracted
- Family: remcos
- C2: 79.134.225.19:2556
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: ORDER3898.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ajlnx = "C:\\Users\\Admin\\xnljA.url" | ORDER3898.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 15 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 17 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: ORDER3898.exe
  description | pid | process | target process
  PID 1192 wrote to memory of 544 | 1192 | ORDER3898.exe | ieinstal.exe
  (the same entry is recorded 15 times in the report)
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\ORDER3898.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\ORDER3898.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - 2 (child of 1): C:\Program Files (x86)\internet explorer\ieinstal.exe
    command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/544-3-0x00000000030F0000-0x00000000030F1000-memory.dmp (4KB)
- memory/544-4-0x0000000000000000-mapping.dmp
- memory/544-5-0x00000000031B0000-0x00000000031B1000-memory.dmp (4KB)
- memory/544-7-0x0000000003150000-0x0000000003151000-memory.dmp (4KB)
- memory/544-12-0x0000000010540000-0x0000000010565000-memory.dmp (148KB)
- memory/544-13-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/1192-2-0x0000000000550000-0x0000000000551000-memory.dmp (4KB)