Analysis
  max time kernel: 147s
  max time network: 145s
  platform: windows7_x64
  resource: win7v20201028
  submitted: 08-04-2021 07:58
Static task: static1

Behavioral task: behavioral1
  Sample: DOC20210403A266NR5282RBL20266178278_PDF.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: DOC20210403A266NR5282RBL20266178278_PDF.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: DOC20210403A266NR5282RBL20266178278_PDF.exe
  Size: 845KB
  MD5: 7ccc15217d4c2a598b5b04ec928f32a4
  SHA1: c3828f550527c84fa7150ae944167d3ee9ca726b
  SHA256: 8dc3da77d945f8df3206906bcf76f1096e4db213a9b7b5911d7f0e8eaf3c8b67
  SHA512: 6911909546c988ea561d19e1bb8dd0afe47690cc81cb62dca97eadf7be5bb11d1c6bc6caa27368f2d0f9461c618f10728a36ca59b43f8bf8f12d03743a1876c1
  Score: 10/10
Malware Config (extracted)
  Family: remcos
  C2: olorunwa.duckdns.org:6548
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: DOC20210403A266NR5282RBL20266178278_PDF.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qcatdn = "C:\\Users\\Public\\Libraries\\ndtacQ.url"
  process: DOC20210403A266NR5282RBL20266178278_PDF.exe

Suspicious use of SetThreadContext (1 IoC)
  Process: DOC20210403A266NR5282RBL20266178278_PDF.exe
  description: PID 1904 set thread context of 1148
  pid: 1904
  process: DOC20210403A266NR5282RBL20266178278_PDF.exe
  target process: DOC20210403A266NR5282RBL20266178278_PDF.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: DOC20210403A266NR5282RBL20266178278_PDF.exe
  pid: 1148
  process: DOC20210403A266NR5282RBL20266178278_PDF.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Process: DOC20210403A266NR5282RBL20266178278_PDF.exe
  The same entry is recorded six times:
  description: PID 1904 wrote to memory of 1148
  pid: 1904
  process: DOC20210403A266NR5282RBL20266178278_PDF.exe
  target process: DOC20210403A266NR5282RBL20266178278_PDF.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\DOC20210403A266NR5282RBL20266178278_PDF.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\DOC20210403A266NR5282RBL20266178278_PDF.exe"
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\DOC20210403A266NR5282RBL20266178278_PDF.exe (child of 1)
      command line: C:\Users\Admin\AppData\Local\Temp\DOC20210403A266NR5282RBL20266178278_PDF.exe
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/1148-65-0x0000000000580000-0x00000000005FB000-memory.dmp (filesize 492KB)
  memory/1148-66-0x000000000058162C-mapping.dmp
  memory/1148-68-0x0000000000580000-0x00000000005FB000-memory.dmp (filesize 492KB)
  memory/1148-69-0x00000000004E0000-0x0000000000558000-memory.dmp (filesize 480KB)
  memory/1904-59-0x00000000001C0000-0x00000000001C1000-memory.dmp (filesize 4KB)
  memory/1904-61-0x00000000003C0000-0x00000000003DA000-memory.dmp (filesize 104KB)
  memory/1904-64-0x0000000075781000-0x0000000075783000-memory.dmp (filesize 8KB)