Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 13-04-2021 19:49

Static task: static1

Behavioral task: behavioral1
- Sample: Scan_Documents-001HD4847DHD346G.exe
- Resource: win7v20210408

Behavioral task: behavioral2
- Sample: Scan_Documents-001HD4847DHD346G.exe
- Resource: win10v20210410
General

- Target: Scan_Documents-001HD4847DHD346G.exe
- Size: 838KB
- MD5: 303c5d6aa71eede673d90225146fba07
- SHA1: 61e24b0ec1a6933259565c21788e0ccbacd4c630
- SHA256: 6018d6795b86aef8d39205698ca166c8c5d413d06a8a1fa346741bd56ff0e307
- SHA512: bc584d8b598bf59e4ec1a3b494556df46730fdf31175ac6fdfd4fe8c72781e539d9d082998d7df0b292a3c4212ab16a46a4e734a28b2d0291a016e3bdebd728a
Malware Config

- Extracted family: remcos
- C2: www.swqrn.com:16108

The host and port come from the configuration the sandbox extracted from the sample itself, so they are usable for blocking and hunting independently of whether the sample reached them during this run.
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Process: Scan_Documents-001HD4847DHD346G.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wfwilj = "C:\\Users\\Public\\Libraries\\jliwfW.url"

Two details matter for hunting. The Run value name (Wfwilj) is the target file name (jliwfW) spelled backwards, and the target is a .url shortcut in the shared C:\Users\Public profile rather than an executable, so the Run entry alone does not show what is eventually launched. This report does not record the creation or the contents of that .url file.
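A hunt for Run-key entries of the kind recorded above, as an added example that is not part of this report or of any sandbox tooling. The input is constructed to resemble `reg query ... \Run` output: the Wfwilj entry is the IoC from this report, the OneDrive entry is a made-up benign entry for contrast, and the extension and directory lists are this example's own choices.

```python
"""Hunt Run-key persistence that points at a shortcut or script in a shared profile.

Added example, not part of the sandbox report. SAMPLE_REG_QUERY is constructed
to look like `reg query ... \Run` output: the Wfwilj entry is the IoC from this
report, the OneDrive entry is a made-up benign entry for contrast.
"""
import ntpath
import re

# Run values normally point at an .exe; these extensions are launched through a
# file association instead, which is how a .url shortcut ends up autostarting.
NON_EXE_TARGETS = {".url", ".lnk", ".vbs", ".vbe", ".js", ".jse",
                   ".wsf", ".hta", ".bat", ".cmd", ".ps1"}

# Directories any local user can write to; a target here needs no admin rights.
SHARED_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp")

# Constructed sample input (one benign entry, one entry from this report).
SAMPLE_REG_QUERY = r"""
HKEY_USERS\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Wfwilj    REG_SZ    C:\Users\Public\Libraries\jliwfW.url
"""

REG_LINE = re.compile(r"^\s*(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")


def parse_reg_query(text):
    """Return (value name, data) pairs from reg query output; header lines are skipped."""
    return [(m.group("name"), m.group("data"))
            for m in (REG_LINE.match(line) for line in text.splitlines()) if m]


def first_path(data):
    """Strip quoting and arguments from a Run value, leaving the launched path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def assess(name, data):
    """List the reasons a Run value looks like malware persistence (empty if none)."""
    path = first_path(data)
    lower = path.lower()
    reasons = []
    ext = ntpath.splitext(lower)[1]
    if ext in NON_EXE_TARGETS:
        reasons.append(f"target is a {ext} file launched via file association")
    if lower.startswith(SHARED_DIRS):
        reasons.append("target lives in a directory writable by any local user")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    # In this report the value name is the reversed target name (Wfwilj / jliwfW).
    if len(stem) >= 4 and name.lower() == stem[::-1].lower() and name.lower() != stem.lower():
        reasons.append("value name is the target file name spelled backwards")
    return reasons


def hunt(text):
    """Map every suspicious value name to the reasons it was flagged."""
    findings = {}
    for name, data in parse_reg_query(text):
        reasons = assess(name, data)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for value_name, why in hunt(SAMPLE_REG_QUERY).items():
        print(value_name, "->", "; ".join(why))
```

On a live host, feed `hunt()` the output of `reg query` for each user hive's Run and RunOnce keys; the three checks are independent, so a .url target outside the Public profile or a reversed-name .exe still gets at least one reason.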
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: Scan_Documents-001HD4847DHD346G.exe
- File opened (read-only), in the order recorded: \??\A: \??\B: \??\E: \??\G: \??\L: \??\Q: \??\S: \??\F: \??\I: \??\K: \??\M: \??\P: \??\T: \??\V: \??\J: \??\N: \??\O: \??\R: \??\U: \??\W: \??\Y: \??\Z: \??\H: \??\X:
- That is every drive letter except C: and D:.
Suspicious use of SetThreadContext (1 IoC)
Process: Scan_Documents-001HD4847DHD346G.exe
- PID 1848 (Scan_Documents-001HD4847DHD346G.exe) set thread context of PID 952 (Scan_Documents-001HD4847DHD346G.exe)

Suspicious use of SetWindowsHookEx (1 IoC)
Process: Scan_Documents-001HD4847DHD346G.exe
- PID 952 (Scan_Documents-001HD4847DHD346G.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Process: Scan_Documents-001HD4847DHD346G.exe
- PID 1848 (Scan_Documents-001HD4847DHD346G.exe) wrote to memory of PID 952 (Scan_Documents-001HD4847DHD346G.exe), six times

Read together, these three signatures describe the usual RunPE / process-hollowing sequence: the first instance (PID 1848) starts a second copy of its own image (PID 952), writes the decoded payload into it with repeated WriteProcessMemory calls, and redirects its thread with SetThreadContext. The SetWindowsHookEx call then originates from the hollowed process, consistent with the extracted Remcos payload running inside PID 952 and installing a hook, as Remcos does for keystroke capture. The 480KB region 0x00400000-0x00478000 dumped from PID 952 (listed under Downloads) is where to look for the unpacked payload.
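The correlation described by the three injection signatures, as an added example that is not part of this report or of the sandbox: a small detector that folds cross-process API events into a process-hollowing finding. The event tuples are constructed from the rows listed above (PID 1848 into PID 952, in the order the tables give them) plus one made-up single-write pair (PIDs 400 and 3012) that must not trigger; the tuple layout and the write threshold are this example's own.

```python
"""Correlate cross-process API calls into a process-hollowing finding.

Added example, not part of the sandbox report. EVENTS is constructed from the
rows this report lists for PID 1848 -> PID 952, in the order the signature
tables give them, plus one made-up single-write pair (400 -> 3012) that must
not trigger. The tuple layout is this example's own, not a sandbox format.
"""

SELF = "Scan_Documents-001HD4847DHD346G.exe"

# (api, source pid, source image, target pid, target image)
EVENTS = [("WriteProcessMemory", 1848, SELF, 952, SELF)] * 6 + [
    ("SetThreadContext", 1848, SELF, 952, SELF),
    ("SetWindowsHookEx", 952, SELF, 952, SELF),
    ("WriteProcessMemory", 400, "debugger.exe", 3012, "app.exe"),  # constructed, benign
]


def detect_hollowing(events, min_writes=3):
    """Return one finding per (source, target) pair that shows the RunPE sequence.

    The sequence looked for is at least `min_writes` WriteProcessMemory calls
    into another process followed by SetThreadContext on that process. RunPE
    writes the PE headers, each section and the PEB image base separately, so a
    single write is weak evidence on its own; the threshold is this example's.
    """
    pairs = {}
    for api, spid, simg, tpid, timg in events:
        if spid == tpid:
            continue  # hooks and writes into one's own process are not injection
        st = pairs.setdefault((spid, tpid), {
            "source": simg, "target": timg, "writes": 0, "writes_before_context": None})
        if api == "WriteProcessMemory":
            st["writes"] += 1
        elif api == "SetThreadContext" and st["writes_before_context"] is None:
            # Only writes that precede the context switch count as payload staging.
            st["writes_before_context"] = st["writes"]

    findings = []
    for (spid, tpid), st in pairs.items():
        if st["writes_before_context"] is None or st["writes_before_context"] < min_writes:
            continue
        findings.append({
            "source_pid": spid,
            "target_pid": tpid,
            "writes": st["writes"],
            # Target running the source's own image is the self-hollowing variant
            # seen in this report; a trusted host image would be the other one.
            "same_image": st["source"].lower() == st["target"].lower(),
            # Activity from the target after injection belongs to the payload.
            "hook_in_target": any(e[0] == "SetWindowsHookEx" and e[1] == tpid for e in events),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(EVENTS):
        print(finding)
```

The same logic maps onto Sysmon (Event ID 8 / 10 with GrantedAccess covering VM_WRITE and SET_CONTEXT) or an EDR's API telemetry; what carries the verdict is the ordering of writes before the context switch and the fact that the target is a freshly started copy of the writer, not any single call.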
Processes

PIDs are taken from the signature tables above.

1. "C:\Users\Admin\AppData\Local\Temp\Scan_Documents-001HD4847DHD346G.exe" (PID 1848)
   - Adds Run key to start application
   - Enumerates connected drives
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Scan_Documents-001HD4847DHD346G.exe (PID 952, child of 1848)
      - Suspicious use of SetWindowsHookEx

1. C:\Windows\system32\AUDIODG.EXE 0x588 (no signatures recorded)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)

PID 952 (hollowed child):
- memory/952-65-0x0000000000400000-0x0000000000478000-memory.dmp, 480KB
- memory/952-66-0x000000000042F08F-mapping.dmp
- memory/952-68-0x0000000000400000-0x0000000000478000-memory.dmp, 480KB

PID 1848 (initial process):
- memory/1848-59-0x0000000000230000-0x0000000000231000-memory.dmp, 4KB
- memory/1848-61-0x00000000003E0000-0x00000000003FA000-memory.dmp, 104KB
- memory/1848-64-0x00000000757C1000-0x00000000757C3000-memory.dmp, 8KB

The mapping address 0x0042F08F falls inside the 0x00400000-0x00478000 region of PID 952, which was dumped twice (sequence numbers 65 and 68, either side of the mapping entry 66). 0x00400000 is the default image base of a 32-bit executable, so that region is the injected image and the mapping address is most likely the thread entry set via SetThreadContext; carve the payload from those dumps rather than from the 1848 regions.
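A helper for the dump list above, as an added example that is not part of this report or of the sandbox: it parses the dump names, checks region sizes, resolves the mapping address to the dumps that contain it, and verifies whether a downloaded region still starts with a PE header. The name layout (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and memory/<pid>-<seq>-0x<addr>-mapping.dmp) is inferred from the six names above and is an assumption; the DUMPS list copies those names as constructed input.

```python
"""Index the memory dumps this report offers and locate the hollowed image.

Added example, not part of the report or the sandbox. DUMPS copies the names
listed above; the name layout assumed here (an assumption inferred from them) is
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and
memory/<pid>-<seq>-0x<addr>-mapping.dmp.
"""
import re

DUMPS = [
    "memory/952-65-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/952-66-0x000000000042F08F-mapping.dmp",
    "memory/952-68-0x0000000000400000-0x0000000000478000-memory.dmp",
    "memory/1848-59-0x0000000000230000-0x0000000000231000-memory.dmp",
    "memory/1848-61-0x00000000003E0000-0x00000000003FA000-memory.dmp",
    "memory/1848-64-0x00000000757C1000-0x00000000757C3000-memory.dmp",
]

REGION = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")

DEFAULT_EXE_BASE = 0x00400000  # linker default image base for 32-bit EXEs


def parse_dumps(names):
    """Split dump names into region dumps and mapping entries."""
    regions, mappings = [], []
    for n in names:
        if m := REGION.match(n):
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": int(m[3], 16),
                            "end": int(m[4], 16), "name": n})
        elif m := MAPPING.match(n):
            mappings.append({"pid": int(m[1]), "seq": int(m[2]), "addr": int(m[3], 16)})
    return regions, mappings


def size_kb(region):
    """Region size in KB, to cross-check the sizes the report prints."""
    return (region["end"] - region["start"]) // 1024


def resolve_mappings(names):
    """For each mapping address, list the same-PID dumps containing it and the file offset."""
    regions, mappings = parse_dumps(names)
    out = []
    for mp in mappings:
        hits = [r for r in regions if r["pid"] == mp["pid"] and r["start"] <= mp["addr"] < r["end"]]
        out.append({
            "pid": mp["pid"],
            "addr": mp["addr"],
            "dumps": [r["name"] for r in hits],
            # Offset of the mapped address inside each dump file (dump starts at region start).
            "offset_in_dump": [mp["addr"] - r["start"] for r in hits],
            "at_default_image_base": any(r["start"] == DEFAULT_EXE_BASE for r in hits),
        })
    return out


def check_pe_header(blob):
    """True if a dumped region still starts with a PE image (MZ stub plus PE signature).

    Some RunPE loaders wipe or never write the headers; a False here means the
    sections must be carved by hand rather than loaded as a PE.
    """
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for r in resolve_mappings(DUMPS):
        print(hex(r["addr"]), "->", r["dumps"], [hex(o) for o in r["offset_in_dump"]])
```

After downloading the two 480KB dumps of PID 952, run `check_pe_header()` on their bytes; if it succeeds, the file can be handed to a PE parser with the image base set to 0x00400000, and the Remcos configuration with the www.swqrn.com:16108 C2 should be recoverable from it.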