Analysis
max time kernel: 146s
max time network: 146s
platform: windows7_x64
resource: win7v20201028
submitted: 08-04-2021 08:10
Static task: static1
Behavioral task: behavioral1, sample c4cd874423d9026b16b370d5fa812471.exe, resource win7v20201028
Behavioral task: behavioral2, sample c4cd874423d9026b16b370d5fa812471.exe, resource win10v20201028
General
Target: c4cd874423d9026b16b370d5fa812471.exe
Size: 637KB
MD5: c4cd874423d9026b16b370d5fa812471
SHA1: b1c514708b9611056cce378a8c7d8f2b12e4e8df
SHA256: 0a049a6f200348e229ebaa13728cd0d19de4839c741d4faec3dd64207860153d
SHA512: ba5a92674f30bbcb2c4f4552bebb6f226da9ceb5a67d8692d3615353c85a241d9c501732e83b0825f59c6bf272df5cdb66f67136d89fe7f9898b20c018d3f501
Malware Config
Extracted remcos config, C2 host: alukoren.duckdns.org:9144
Signatures
- ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-based loader that abuses public cloud services to download and stage other malware families.
- Adds Run key to start application (2 TTPs, 1 IoC)
Process c4cd874423d9026b16b370d5fa812471.exe set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fcizmp = "C:\\Users\\Public\\Libraries\\pmzicF.url"
The persistence target is an Internet Shortcut (.url) dropped under C:\Users\Public\Libraries, a directory writable by every local user, so the Run value itself is the artifact to hunt for rather than the dropped file name.
- Suspicious use of WriteProcessMemory (19 IoCs)
PID 2036 (c4cd874423d9026b16b370d5fa812471.exe) wrote to the memory of PID 372 (ieinstal.exe); the report records 19 identical write events, consistent with the loader injecting its payload into a freshly spawned copy of the signed Internet Explorer installer binary.
Processes
1. C:\Users\Admin\AppData\Local\Temp\c4cd874423d9026b16b370d5fa812471.exe "C:\Users\Admin\AppData\Local\Temp\c4cd874423d9026b16b370d5fa812471.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\internet explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" (child of 1)
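The three behaviours this report surfaces (a Run value pointing at a .url under C:\Users\Public\Libraries, a process from a user-writable path obtaining write access to ieinstal.exe, and a lookup of the extracted Remcos C2 host) map directly onto Sysmon Event IDs 13, 10 and 22. The following hunting script is an added example, not part of the sandbox report: the event dicts are constructed for illustration (Sysmon renders the hive as HKU\... where the report shows \REGISTRY\USER\...), the rule names are made up, and only the indicator values (PIDs, images, registry value, .url path, C2 host) come from the report. The C2 port 9144 is not visible in DNS telemetry and would need network-connect or firewall logs.

```python
"""Hunting logic for the behaviours in this report, run over constructed
Sysmon-style events (EID 13 registry set, EID 10 process access, EID 22 DNS).
Added example; event dicts are made up, indicator values come from the report."""
import re

# --- indicators taken from the report ---------------------------------------
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
PUBLIC_LIB_URL_RE = re.compile(r"^C:\\Users\\Public\\Libraries\\[^\\]+\.url$", re.I)
C2_HOST = "alukoren.duckdns.org"        # from the extracted remcos config
INJECTION_TARGETS = {"ieinstal.exe"}     # signed IE binary the loader wrote into
USER_WRITABLE_RE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public)\\", re.I)

# PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD: the rights
# needed to WriteProcessMemory + CreateRemoteThread into another process.
INJECT_MASK = 0x0008 | 0x0020 | 0x0002


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def persists_via_public_url(ev):
    """EID 13: a Run value whose data is a .url under C:\\Users\\Public\\Libraries."""
    return (ev.get("EventID") == 13
            and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None
            and PUBLIC_LIB_URL_RE.match(ev.get("Details", "")) is not None)


def writes_into_ie_binary(ev):
    """EID 10: a process in a user-writable path gets write/thread rights on ieinstal.exe."""
    if ev.get("EventID") != 10 or _basename(ev.get("TargetImage", "")) not in INJECTION_TARGETS:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    return bool(granted & INJECT_MASK) and USER_WRITABLE_RE.search(ev.get("SourceImage", "")) is not None


def resolves_c2(ev):
    """EID 22: any process asking DNS for the extracted C2 host."""
    return ev.get("EventID") == 22 and ev.get("QueryName", "").lower().rstrip(".") == C2_HOST


RULES = [  # hypothetical rule names
    ("remcos_run_key_public_url", persists_via_public_url),
    ("remcos_inject_ieinstal", writes_into_ie_binary),
    ("remcos_c2_dns", resolves_c2),
]


def hunt(events):
    """Return (rule, pid, image basename) for every event a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                pid = ev.get("ProcessId") or ev.get("SourceProcessId")
                image = ev.get("Image") or ev.get("SourceImage", "")
                hits.append((name, pid, _basename(image)))
    return hits


# --- constructed sample telemetry -------------------------------------------
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c4cd874423d9026b16b370d5fa812471.exe"
IEINSTAL = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
RUN_KEY = "HKU\\S-1-5-21-3825035466-2522850611-591511364-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"

SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2036, "Image": SAMPLE,
     "TargetObject": RUN_KEY + "Fcizmp", "Details": r"C:\Users\Public\Libraries\pmzicF.url"},
    {"EventID": 10, "SourceProcessId": 2036, "SourceImage": SAMPLE,
     "TargetProcessId": 372, "TargetImage": IEINSTAL, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 22, "ProcessId": 372, "Image": IEINSTAL, "QueryName": "alukoren.duckdns.org"},
    # benign noise that must not fire
    {"EventID": 13, "ProcessId": 900, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": RUN_KEY + "VendorAgent", "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 10, "SourceProcessId": 1200, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 372, "TargetImage": IEINSTAL, "GrantedAccess": "0x1000"},
    {"EventID": 22, "ProcessId": 1200, "Image": r"C:\Windows\explorer.exe", "QueryName": "www.microsoft.com"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The EID 10 rule keys on the access mask rather than the source image name because the loader's file name is disposable; the parent-child relationship in the process tree above means the parent already holds a full-access handle from CreateProcess, which is exactly what the 0x1FFFFF grant in the constructed event represents.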
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/372-65-0x0000000000000000-mapping.dmp
- memory/372-68-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/372-67-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
- memory/372-71-0x0000000010590000-0x000000001060C000-memory.dmp (496KB)
- memory/372-70-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
- memory/372-72-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/2036-59-0x0000000075251000-0x0000000075253000-memory.dmp (8KB)
- memory/2036-60-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
- memory/2036-62-0x0000000000290000-0x00000000002AA000-memory.dmp (104KB)