Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7v20201028
submitted: 21-01-2021 06:21
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Invoice PDF.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Payment Invoice PDF.exe
  Resource: win10v20201028
General
Target: Payment Invoice PDF.exe
Size: 531KB
MD5: d0cf67cc18970f999e6fb9fad2f96493
SHA1: d5adc1b8c78a138969f0bb7b50219ad9ad682e5c
SHA256: 8084639a37257615b09beac5c8f681aa2115ece62fcb003fc8ddadb0d833fdb7
SHA512: d4316989136e547180e6abd118d74e192ed16a1a314b6949e93e16b3a417c1329174646eca1673813d17ca68100da5c017f3905bc0af9f845f9b62abea54db92
Malware Config
Extracted family: remcos
C2: mikegrace2021.ddns.net:1999
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process                  target process
  PID 1064 set thread context of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1064  Payment Invoice PDF.exe
  1064  Payment Invoice PDF.exe
  1064  Payment Invoice PDF.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1064  Payment Invoice PDF.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid   process
  1472  Payment Invoice PDF.exe

Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  description                       pid   process                  target process
  PID 1064 wrote to memory of 1568  1064  Payment Invoice PDF.exe  schtasks.exe
  PID 1064 wrote to memory of 1568  1064  Payment Invoice PDF.exe  schtasks.exe
  PID 1064 wrote to memory of 1568  1064  Payment Invoice PDF.exe  schtasks.exe
  PID 1064 wrote to memory of 1568  1064  Payment Invoice PDF.exe  schtasks.exe
  PID 1064 wrote to memory of 268   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 268   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 268   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 268   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 112   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 112   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 112   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 112   1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
  PID 1064 wrote to memory of 1472  1064  Payment Invoice PDF.exe  Payment Invoice PDF.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (depth 2)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tuILphceR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe  (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"

    C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe  (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"

    C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe  (depth 2)
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3D2F.tmp
  MD5: ade1488ca98663b02670a3ddeba06b4c
  SHA1: 828fbf196c26e6f589011a3a215dea74dd037840
  SHA256: 504aae2e4dc994b2fcd75f09a663dbdcd287822bda40121986f2e210cecd94de
  SHA512: 5e7ec166dbeb6ae0336b8701fec89efddc24154cbc73d749249d3aa3bf3f57e20d26680884f63decd9f9ef75584b7838c2db8a2d7c140e3f19db85176bfae23d

memory/1064-2-0x00000000740B0000-0x000000007479E000-memory.dmp
  Filesize: 6.9MB

memory/1064-3-0x0000000000860000-0x0000000000861000-memory.dmp
  Filesize: 4KB

memory/1064-5-0x00000000003B0000-0x00000000003D3000-memory.dmp
  Filesize: 140KB

memory/1064-6-0x0000000000510000-0x0000000000511000-memory.dmp
  Filesize: 4KB

memory/1064-7-0x0000000004410000-0x0000000004469000-memory.dmp
  Filesize: 356KB

memory/1472-10-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB

memory/1472-11-0x0000000000413FA4-mapping.dmp

memory/1472-12-0x0000000076101000-0x0000000076103000-memory.dmp
  Filesize: 8KB

memory/1472-13-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB

memory/1568-8-0x0000000000000000-mapping.dmp