Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 23-02-2021 13:02
Static task: static1
Behavioral task: behavioral1
- Sample: REVISED ORDER 2322020.EXE
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: REVISED ORDER 2322020.EXE
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: REVISED ORDER 2322020.EXE
- Size: 1.1MB
- MD5: 7da140a904417492363f4418cb2a717b
- SHA1: a06673b6a33f804a3f9f688231d30e1edf5378d4
- SHA256: e4eb73c0e476457f54c9e3a5df6b25ef839e3aac74465ca666c2b2c0bcaaa1f7
- SHA512: d75dba2342c80bed03d956f428947ec3e80b9e9423570eebf77c810a3671b728e76106baae606edbef8b96096c1d66165ee43967b2563e1170eb998813e5e03a
- Score: 10/10
Malware Config (Extracted)
- Family: remcos
- C2: marstonstyl247.ddns.net:3234
Signatures
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: REVISED ORDER 2322020.EXE
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ubjdt = "C:\\Users\\Public\\Libraries\\tdjbU.url"
- process: REVISED ORDER 2322020.EXE
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: ieinstal.exe
- pid: 592
- process: ieinstal.exe
-
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: REVISED ORDER 2322020.EXE
- description: PID 276 wrote to memory of 592
- pid: 276
- process: REVISED ORDER 2322020.EXE
- target process: ieinstal.exe
- (this identical entry is recorded 19 times in the report)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\REVISED ORDER 2322020.EXE
   Command line: "C:\Users\Admin\AppData\Local\Temp\REVISED ORDER 2322020.EXE"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
-
2. C:\Program Files (x86)\internet explorer\ieinstal.exe (child of process 1)
   Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/276-2-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/276-3-0x0000000000360000-0x000000000039A000-memory.dmp (Filesize: 232KB)
- memory/276-4-0x00000000765E1000-0x00000000765E3000-memory.dmp (Filesize: 8KB)
- memory/592-6-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize: 4KB)
- memory/592-7-0x0000000000000000-mapping.dmp
- memory/592-8-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize: 4KB)
- memory/592-10-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/592-16-0x0000000010590000-0x000000001060C000-memory.dmp (Filesize: 496KB)
- memory/592-17-0x0000000000200000-0x0000000000279000-memory.dmp (Filesize: 484KB)
- memory/900-5-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp (Filesize: 2.5MB)