Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 22-02-2021 12:57
Static task: static1
Behavioral task: behavioral1
- Sample: QuotationInvoices.exe
- Resource: win7v20201028
General
- Target: QuotationInvoices.exe
- Size: 516KB
- MD5: 9c51e2991c6c9708d783aab030dcc0da
- SHA1: 64accc9e3f84e7365d8236c580b9644427e3f9e3
- SHA256: 572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af
- SHA512: c8725d2abba8f2ae1c483d948f2909ff73736e4efa415d6a26f91cf2226431720b13f15868b4177d8b581287a1d41c4c051913a0faf8f95f599f14b5133ab5b0
Malware Config
- Extracted family: remcos
- C2: greatglass.servebeer.com:1961
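The extracted C2 host and port, together with the file hashes listed under General and Downloads, are the hunt material this report yields. The following Python is an added example and not part of the sandbox output: it loads those indicator values from the report and matches them against JSON log records. The log lines and their field names (event, sha256, query, dst_host, dst_port) are constructed for illustration and are assumptions, not a real EDR schema. It also surfaces other names under the servebeer.com dynamic-DNS zone as lower-confidence hits, since that zone is a No-IP service rather than infrastructure owned by the operator.

```python
"""Match the indicators from this report against log records.

Added example for this report page; it is not part of the sandbox output.
The indicator values come from the report (file hashes, Remcos C2 host and
port). The JSON log lines and their field names are constructed for
illustration and are not from the report.
"""
import json
from collections import namedtuple

# Hashes reported for the sample and the two dropped DLLs.
SHA256_IOCS = {
    "572a6a6fa5277c2b4cc040710694d33b2def62ab74e2801893d33e92e7b105af": "QuotationInvoices.exe",
    "6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e": "nsn2C1.tmp\\System.dll",
    "29e898a600f9a16d828d355709391981396735139e3a8fdb6adda75f0afc670b": "xmtfn.dll",
}
# Extracted Remcos configuration.
C2_HOST = "greatglass.servebeer.com"
C2_PORT = 1961
# servebeer.com is a No-IP dynamic-DNS zone, so other labels under it are
# worth surfacing as lower-confidence hits.
DYNDNS_SUFFIXES = (".servebeer.com",)

Hit = namedtuple("Hit", "reason record")


def match_record(rec):
    """Return the Hits a single parsed log record produces (possibly none)."""
    hits = []
    kind = rec.get("event")
    if kind == "file_create":
        tag = SHA256_IOCS.get(rec.get("sha256", "").lower())
        if tag:
            hits.append(Hit("known hash (%s)" % tag, rec))
    elif kind == "dns":
        # Normalise case and the trailing dot of fully qualified queries.
        query = rec.get("query", "").lower().rstrip(".")
        if query == C2_HOST:
            hits.append(Hit("C2 hostname resolved", rec))
        elif query.endswith(DYNDNS_SUFFIXES):
            hits.append(Hit("dynamic-DNS zone used by this C2", rec))
    elif kind == "connect":
        host = rec.get("dst_host", "").lower().rstrip(".")
        port = rec.get("dst_port")
        if host == C2_HOST and port == C2_PORT:
            hits.append(Hit("C2 host:port connection", rec))
        elif port == C2_PORT and host.endswith(DYNDNS_SUFFIXES):
            hits.append(Hit("C2 port to dynamic-DNS host", rec))
    return hits


def scan(lines):
    """Parse JSON-lines records and collect every hit in input order."""
    hits = []
    for line in lines:
        line = line.strip()
        if line:
            hits.extend(match_record(json.loads(line)))
    return hits


# Constructed log lines (not from the report): one hash hit (upper-case hex on
# purpose), one DNS hit on the C2 name, one connect hit, one benign connect,
# one sibling dynamic-DNS lookup and one benign file (SHA-256 of empty input).
SAMPLE_LOG = r"""
{"event":"file_create","path":"C:\\Users\\Admin\\AppData\\Local\\Temp\\QuotationInvoices.exe","sha256":"572A6A6FA5277C2B4CC040710694D33B2DEF62AB74E2801893D33E92E7B105AF"}
{"event":"dns","query":"greatglass.servebeer.com."}
{"event":"connect","dst_host":"greatglass.servebeer.com","dst_port":1961}
{"event":"connect","dst_host":"update.example.com","dst_port":443}
{"event":"dns","query":"other-box.servebeer.com"}
{"event":"file_create","path":"C:\\Windows\\Temp\\empty.bin","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit.reason, "<-", json.dumps(hit.record))
```

Exact host:port matches are the high-confidence alerts; the dynamic-DNS zone matches are there to be triaged, not blocked outright, because unrelated No-IP users share the same parent domain.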
Signatures
- Loads dropped DLL (2 IoCs)
  pid / process: 1576 QuotationInvoices.exe; 1576 QuotationInvoices.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1576 (QuotationInvoices.exe) set thread context of PID 1972 (QuotationInvoices.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the signature. Nothing else in this report points to ransomware; the extracted config identifies the payload as Remcos, a remote access trojan, so the drive enumeration here is better read as reconnaissance.)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process: 1576 QuotationInvoices.exe (4 times)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid / process: 1576 QuotationInvoices.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process: 1972 QuotationInvoices.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1576 (QuotationInvoices.exe) wrote to memory of PID 1972 (QuotationInvoices.exe), 5 times

Editor's reading of the chain: the first instance (PID 1576) loads the dropped DLLs, starts a second copy of the same executable (PID 1972), writes into it five times and then resets a thread context in it. That sequence is the process-hollowing / RunPE pattern for unpacking a payload into a child of the same image, and the 480KB region dumped at 0x400000 in PID 1972 (listed under Downloads) is most likely the injected image. The SetWindowsHookEx call is made by the hollowed instance, which is where the Remcos payload would be running.
Processes
- C:\Users\Admin\AppData\Local\Temp\QuotationInvoices.exe (PID 1576)
  Command line: "C:\Users\Admin\AppData\Local\Temp\QuotationInvoices.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\QuotationInvoices.exe (PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\QuotationInvoices.exe"
    - Suspicious use of SetWindowsHookEx
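The process tree and the WriteProcessMemory / SetThreadContext signatures together describe one parent writing into and redirecting a child that runs the same image. The Python below is an added example, not part of the sandbox output, that turns that observation into correlation logic: it groups cross-process API calls by (writer, target) pair and alerts when a pair shows both a memory write and a thread-context change, scoring it higher when the target is the writer's child and shares its image path. The event stream is constructed to mirror this report (PIDs 1576 and 1972, five writes, one SetThreadContext) plus a benign pair for contrast; the JSON field names are assumptions, not a real EDR schema.

```python
"""Correlate API-call events into the self-injection chain seen in this report.

Added example for this report page, not part of the sandbox output. The
event stream below is constructed to mirror the report (PID 1576 writes to
and sets the thread context of PID 1972, a second instance of the same
executable); the JSON field names are assumed, not a real EDR schema.
"""
import json
from collections import defaultdict

# Constructed events (not from the report). The explorer -> notepad pair has a
# write but no SetThreadContext and must not alert.
SAMPLE_EVENTS = r"""
{"event":"process_create","pid":1576,"ppid":900,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\QuotationInvoices.exe"}
{"event":"process_create","pid":1972,"ppid":1576,"image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\QuotationInvoices.exe"}
{"event":"api","api":"MapViewOfSection","pid":1576,"target":1576}
{"event":"api","api":"WriteProcessMemory","pid":1576,"target":1972}
{"event":"api","api":"WriteProcessMemory","pid":1576,"target":1972}
{"event":"api","api":"WriteProcessMemory","pid":1576,"target":1972}
{"event":"api","api":"WriteProcessMemory","pid":1576,"target":1972}
{"event":"api","api":"WriteProcessMemory","pid":1576,"target":1972}
{"event":"api","api":"SetThreadContext","pid":1576,"target":1972}
{"event":"api","api":"SetWindowsHookEx","pid":1972,"target":1972}
{"event":"process_create","pid":2000,"ppid":900,"image":"C:\\Windows\\explorer.exe"}
{"event":"process_create","pid":2001,"ppid":2000,"image":"C:\\Windows\\System32\\notepad.exe"}
{"event":"api","api":"WriteProcessMemory","pid":2000,"target":2001}
"""


def find_hollowing(lines):
    """Return one alert per (writer, target) pair that both wrote the target's
    memory and reset a thread context in it; self-directed calls are ignored."""
    procs = {}                                     # pid -> process_create event
    calls = defaultdict(lambda: defaultdict(int))  # (src, tgt) -> api -> count
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
        elif ev["event"] == "api" and ev["pid"] != ev["target"]:
            calls[(ev["pid"], ev["target"])][ev["api"]] += 1

    alerts = []
    for (src, tgt), apis in calls.items():
        if not (apis["WriteProcessMemory"] and apis["SetThreadContext"]):
            continue
        src_proc, tgt_proc = procs.get(src), procs.get(tgt)
        if src_proc is None or tgt_proc is None:
            continue  # cannot attribute the pair to known processes
        reasons = ["cross-process WriteProcessMemory + SetThreadContext"]
        if tgt_proc["ppid"] == src:
            reasons.append("target is a child of the writer")
        if tgt_proc["image"].lower() == src_proc["image"].lower():
            reasons.append("same image as the writer (self-hollowing)")
        alerts.append({
            "source": src,
            "target": tgt,
            "image": tgt_proc["image"],
            "writes": apis["WriteProcessMemory"],
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert, indent=2))
```

The write count is kept in the alert because a single small write followed by SetThreadContext can be a debugger or legitimate instrumentation, whereas several writes into a freshly created child of the same image is the unpacker shape seen here.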
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- \Users\Admin\AppData\Local\Temp\nsn2C1.tmp\System.dll
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
- \Users\Admin\AppData\Local\Temp\xmtfn.dll
  MD5: 7b57e6d08cc3767914ca51a604bc6d13
  SHA1: afe12dbf77d6fbcf8960d5761699d821afccb2b2
  SHA256: 29e898a600f9a16d828d355709391981396735139e3a8fdb6adda75f0afc670b
  SHA512: 106ceee1485de5abc7e977be4cb17e388d1ecb54fccd1b3add75afc2a5625a81416998e8e9822df8485ca8265fda804826d308c2cf27de2667ea80a359d823c0
- memory/1576-2-0x0000000075A41000-0x0000000075A43000-memory.dmp (8KB)
- memory/1972-5-0x000000000042EDDB-mapping.dmp
- memory/1972-7-0x0000000000400000-0x0000000000478000-memory.dmp (480KB)

Note on the dropped files: a System.dll under %TEMP%\ns<hex>.tmp\ is the plugin-directory layout used by NSIS installers, which suggests (the report itself does not say so) that the sample is an NSIS-built package that drops xmtfn.dll alongside the stock NSIS plugin. The last two entries are the sandbox's dumps from the hollowed child (PID 1972): the mapping at 0x42EDDB and the 480KB region at image base 0x400000, which is the range to pull for static analysis of the unpacked payload.