Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 30-03-2021 13:41
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Attached pdf.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: Attached pdf.exe, Resource: win10v20201028)
General
- Target: Attached pdf.exe
- Size: 617KB
- MD5: 83c9cee1f209ec02934e3895d5c51dfa
- SHA1: 2ba1dac5e2fef7a948b21efcc267b3096656cf68
- SHA256: 93e8c5b7f7c4b18efb1f1c09c5ad9c5d8782611b9417f19063cdd17f3cdd92ee
- SHA512: 2df5a3c0f01f3aed5dd1d1cee3ef30e99b0b7e5e1692c6818f720d6d00bcb2b23a56b2334422ae618a57ffe87ceab0c5b54d6d43bfd463e77956eaa3feb656a2
Malware Config
- Extracted family: remcos (C2 configuration extracted from the sample)
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Attached pdf.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Znoaho = "C:\\Users\\Public\\Libraries\\ohaonZ.url"
- Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  HTTP User-Agent header (flow 5): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: ieinstal.exe (PID 1764)
- Suspicious use of WriteProcessMemory (19 IoCs)
  PID 1924 (Attached pdf.exe) wrote to memory of PID 1764 (ieinstal.exe); the same source/target pair was recorded 19 times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Attached pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Attached pdf.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe (child process)
    Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1764-4-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/1764-5-0x0000000000000000-mapping.dmp
- memory/1764-6-0x00000000000F0000-0x00000000000F1000-memory.dmp (4KB)
- memory/1764-9-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
- memory/1764-14-0x0000000010540000-0x0000000010564000-memory.dmp (144KB)
- memory/1764-15-0x0000000000400000-0x0000000000422000-memory.dmp (136KB)
- memory/1924-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (8KB)
- memory/1924-3-0x00000000001B0000-0x00000000001B1000-memory.dmp (4KB)