Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 04-04-2021 08:24

Static task: static1

Behavioral task: behavioral1
- Sample: Document.exe
- Resource: win7v20201028
- Platform: windows7_x64
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Document.exe
- Resource: win10v20201028
- Platform: windows10_x64
- 0 signatures
- 0 seconds

General
- Target: Document.exe
- Size: 845KB
- MD5: 26382b4f3cc97798992f8c88c27febdd
- SHA1: 7e8971f121c2b09dea8760c1f1edc5b9931d24f8
- SHA256: 896d2dc1eab72419ab524333d3fba88c8ddf92b087f1c9af5d6ea402b0c77d89
- SHA512: a15fb1bf882f23359fb86ec59fee5bc1fb2b7b0059550842c2d27489788834b843ca81ff0252d9b6359dbf9cd572bed9b65447a82571b3067b0515143d299b07
- Score: 10/10
Malware Config
Extracted
- Family: remcos
- C2:
  - Bruno.camdvr.org:2404
  - Bruno1.camdvr.org:2404
  - Bruno2.camdvr.org:2404
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Document.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Emtgcw = "C:\\Users\\Public\\Libraries\\wcgtmE.url"
  process: Document.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: ieinstal.exe
  pid: 972, process: ieinstal.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: Document.exe
  description: PID 548 wrote to memory of 972
  pid: 548, process: Document.exe, target process: ieinstal.exe
  (the same entry is recorded 19 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Document.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Document.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe (child process)
    command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Suspicious use of SetWindowsHookEx
Downloads
- memory/548-2-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize 4KB)
- memory/548-3-0x0000000000280000-0x000000000029A000-memory.dmp (Filesize 104KB)
- memory/548-4-0x0000000076451000-0x0000000076453000-memory.dmp (Filesize 8KB)
- memory/972-6-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)
- memory/972-7-0x0000000000000000-mapping.dmp
- memory/972-8-0x0000000000150000-0x0000000000151000-memory.dmp (Filesize 4KB)
- memory/972-10-0x00000000001E0000-0x00000000001E1000-memory.dmp (Filesize 4KB)
- memory/972-16-0x0000000010590000-0x000000001060C000-memory.dmp (Filesize 496KB)
- memory/972-17-0x0000000000400000-0x0000000000479000-memory.dmp (Filesize 484KB)
- memory/1556-5-0x000007FEF8800000-0x000007FEF8A7A000-memory.dmp (Filesize 2.5MB)