Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-01-2021 06:21

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: Payment Invoice PDF.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: Payment Invoice PDF.exe
  Resource: win10v20201028
General
- Target: Payment Invoice PDF.exe
- Size: 531KB
- MD5: d0cf67cc18970f999e6fb9fad2f96493
- SHA1: d5adc1b8c78a138969f0bb7b50219ad9ad682e5c
- SHA256: 8084639a37257615b09beac5c8f681aa2115ece62fcb003fc8ddadb0d833fdb7
- SHA512: d4316989136e547180e6abd118d74e192ed16a1a314b6949e93e16b3a417c1329174646eca1673813d17ca68100da5c017f3905bc0af9f845f9b62abea54db92
Malware Config
- Extracted: remcos
  mikegrace2021.ddns.net:1999
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          pid   process                  target process
    PID 4768 set thread context of 976   4768  Payment Invoice PDF.exe  Payment Invoice PDF.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    4768  Payment Invoice PDF.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4768  Payment Invoice PDF.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid  process
    976  Payment Invoice PDF.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
    description                      pid   process                  target process           events
    PID 4768 wrote to memory of 552  4768  Payment Invoice PDF.exe  schtasks.exe             3
    PID 4768 wrote to memory of 976  4768  Payment Invoice PDF.exe  Payment Invoice PDF.exe  10
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tuILphceR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Invoice PDF.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4D65.tmp
  MD5: 36786db62d2abc30b8ae9b97c62f8c11
  SHA1: acd74ff9847563f6aaeb5c15117e4577bb773671
  SHA256: fcf3059bbea8e1bb5950c2c70c97d48714b53015bef8be67c2ab99c6a19129f1
  SHA512: e3471031ee97bdf6ec3fa544dc4384253e7cb601d2fe855ca0d117d331ef49d1b588413a298ef6eab10d13641895512972977e2d0a29519e6e0185da8ee0f9c4
- memory/552-13-0x0000000000000000-mapping.dmp
- memory/976-17-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
- memory/976-16-0x0000000000413FA4-mapping.dmp
- memory/976-15-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize 132KB)
- memory/4768-9-0x0000000005300000-0x0000000005301000-memory.dmp (Filesize 4KB)
- memory/4768-2-0x00000000732D0000-0x00000000739BE000-memory.dmp (Filesize 6.9MB)
- memory/4768-10-0x0000000005360000-0x0000000005383000-memory.dmp (Filesize 140KB)
- memory/4768-11-0x00000000053D0000-0x00000000053D1000-memory.dmp (Filesize 4KB)
- memory/4768-12-0x0000000005F00000-0x0000000005F59000-memory.dmp (Filesize 356KB)
- memory/4768-8-0x0000000005030000-0x0000000005031000-memory.dmp (Filesize 4KB)
- memory/4768-7-0x00000000051A0000-0x00000000051A1000-memory.dmp (Filesize 4KB)
- memory/4768-6-0x0000000005600000-0x0000000005601000-memory.dmp (Filesize 4KB)
- memory/4768-5-0x0000000005060000-0x0000000005061000-memory.dmp (Filesize 4KB)
- memory/4768-3-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize 4KB)