Analysis
- max time kernel: 146s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-04-2021 18:23
- Static task static1
- Behavioral task behavioral1: Sample ShippingDoc.exe, Resource win7v20210410
- Behavioral task behavioral2: Sample ShippingDoc.exe, Resource win10v20210410
General
- Target: ShippingDoc.exe
- Size: 831KB
- MD5: ff5098c6521717d54914919b3ccfa844
- SHA1: 24a79eaf402211e3fa16588b14d8ee10482e13e0
- SHA256: 2fde996ea514f77000c3c0b10b5587866e644346030c4535e122d93b5cf940da
- SHA512: 1e31e107fe588507392e5e79263ff5d922429dcc38ab571aef33eadcc2500ea44a03ac5bb35eaaceb6ec0847c82e89f5f1a84ff61df0f108bdb2bd048a487300
Malware Config
- Extracted: remcos, 79.134.225.19:2555
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Biwmcd = "C:\\Users\\Public\\Libraries\\dcmwiB.url"; process: ShippingDoc.exe
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  - description: File opened (read-only); ioc: \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C: and D:); process: ShippingDoc.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  - description: PID 308 wrote to memory of 692; pid: 308; process: ShippingDoc.exe; target process: ieinstal.exe (19 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ShippingDoc.exe "C:\Users\Admin\AppData\Local\Temp\ShippingDoc.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious use of WriteProcessMemory
  - child: C:\Program Files (x86)\internet explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/308-60-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize 4KB)
- memory/308-62-0x0000000002190000-0x00000000021AA000-memory.dmp (Filesize 104KB)
- memory/308-65-0x0000000075A31000-0x0000000075A33000-memory.dmp (Filesize 8KB)
- memory/692-66-0x0000000000000000-mapping.dmp
- memory/692-68-0x0000000000110000-0x0000000000111000-memory.dmp (Filesize 4KB)
- memory/692-71-0x0000000010590000-0x000000001060C000-memory.dmp (Filesize 496KB)
- memory/692-70-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize 4KB)
- memory/692-72-0x0000000000520000-0x0000000000599000-memory.dmp (Filesize 484KB)
- memory/692-73-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize 4KB)