Analysis
- max time kernel: 54s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 19-04-2021 19:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: New_Payment_Advice-04-08-2021.exe
- Resource: win7v20210408
General
- Target: New_Payment_Advice-04-08-2021.exe
- Size: 1.1MB
- MD5: b406cc9e628e1622fdeb6c19bc119869
- SHA1: 8154bf8ee1d7c43ce0743dee7c5d102e91dbea78
- SHA256: a16800dbbc35690f64fb554acd3bbd0d9e4f54e8404a99dac0aacc9e41916f20
- SHA512: d3354be9347ce446e1a4b108d309429862c48b49f99e2248c29f8224b2c7650cd70167e46560d0b96b1898a60780381f5686e1e28b060be66091a8d7a758eb75
Malware Config
- Extracted: remcos, 79.134.225.78:2404
Signatures
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
  - Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java Update = "\"C:\\Windows\\SysWOW64\\taskmgr\\taskmgr.exe\"" | svchost.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 1552 | svchost.exe
  - 1172 | taskmgr.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 1028 | New_Payment_Advice-04-08-2021.exe
  - 920 | cmd.exe
- Obfuscated with Agile.Net obfuscator (1 IoCs)
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  Processes (resource | yara_rule):
  - behavioral1/memory/1028-64-0x00000000007F0000-0x0000000000811000-memory.dmp | agile_net
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "\"C:\\Windows\\SysWOW64\\taskmgr\\taskmgr.exe\"" | svchost.exe
  - Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | svchost.exe
- Drops file in System32 directory (3 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\taskmgr\taskmgr.exe | svchost.exe
  - File opened for modification | C:\Windows\SysWOW64\taskmgr | svchost.exe
  - File created | C:\Windows\SysWOW64\taskmgr\taskmgr.exe | svchost.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description | pid | process | target process):
  - PID 1028 set thread context of 1552 | 1028 | New_Payment_Advice-04-08-2021.exe | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 1028 | New_Payment_Advice-04-08-2021.exe
  - 1028 | New_Payment_Advice-04-08-2021.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 1028 | New_Payment_Advice-04-08-2021.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description | pid | process | target process; identical rows collapsed, row count in brackets):
  - PID 1028 wrote to memory of 1552 | 1028 | New_Payment_Advice-04-08-2021.exe | svchost.exe [13 rows]
  - PID 1552 wrote to memory of 1316 | 1552 | svchost.exe | cmd.exe [4 rows]
  - PID 1316 wrote to memory of 1548 | 1316 | cmd.exe | reg.exe [4 rows]
  - PID 1552 wrote to memory of 864 | 1552 | svchost.exe | WScript.exe [4 rows]
  - PID 864 wrote to memory of 920 | 864 | WScript.exe | cmd.exe [4 rows]
  - PID 920 wrote to memory of 1172 | 920 | cmd.exe | taskmgr.exe [4 rows]
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\New_Payment_Advice-04-08-2021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New_Payment_Advice-04-08-2021.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - (level 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Modifies registry key
    - (level 3) C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      - (level 4) C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\taskmgr\taskmgr.exe"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\taskmgr\taskmgr.exe
          Command line: C:\Windows\SysWOW64\taskmgr\taskmgr.exe
          - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: d541f4a8502d1116bea2c70cb7f56705
  SHA1: eea882f194859a8fe88485a64a95e9000e799a1d
  SHA256: a396bb9df0f318789858a5db9f1fce7d70da880ccdf9f3cc4bef4a826a5a9f83
  SHA512: 58c57bed7ca8778d9a8834e3546e306200325b11fe4c6864a8bd114a3943113cd5a87f447b88af4ad9d2aaab764a547e57ef14f96bccefd407cbddbd6f87b06b
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: 54a47f6b5e09a77e61649109c6a08866
  SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
  SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
- C:\Windows\SysWOW64\taskmgr\taskmgr.exe
  MD5: 54a47f6b5e09a77e61649109c6a08866
  SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
  SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
- \Users\Admin\AppData\Local\Temp\svchost.exe
  MD5: 54a47f6b5e09a77e61649109c6a08866
  SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
  SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
- \Windows\SysWOW64\taskmgr\taskmgr.exe
  MD5: 54a47f6b5e09a77e61649109c6a08866
  SHA1: 4af001b3c3816b860660cf2de2c0fd3c1dfb4878
  SHA256: 121118a0f5e0e8c933efd28c9901e54e42792619a8a3a6d11e1f0025a7324bc2
  SHA512: 88ee0ef5af1b0b38c19ab4c307636352fc403ea74f3bfb17e246f7fd815ac042183086133cd9fe805bd47e15854776871bb7d384e419862c91503eeb82bfb419
- memory/864-76-0x0000000000000000-mapping.dmp
- memory/920-80-0x0000000000000000-mapping.dmp
- memory/1028-67-0x0000000000830000-0x0000000000831000-memory.dmp (Filesize: 4KB)
- memory/1028-60-0x00000000000C0000-0x00000000000C1000-memory.dmp (Filesize: 4KB)
- memory/1028-66-0x0000000000820000-0x000000000082B000-memory.dmp (Filesize: 44KB)
- memory/1028-65-0x0000000004C51000-0x0000000004C52000-memory.dmp (Filesize: 4KB)
- memory/1028-64-0x00000000007F0000-0x0000000000811000-memory.dmp (Filesize: 132KB)
- memory/1028-62-0x0000000004C50000-0x0000000004C51000-memory.dmp (Filesize: 4KB)
- memory/1172-83-0x0000000000000000-mapping.dmp
- memory/1316-73-0x0000000000000000-mapping.dmp
- memory/1548-75-0x0000000000000000-mapping.dmp
- memory/1552-72-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/1552-70-0x000000000042EEEF-mapping.dmp
- memory/1552-69-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)
- memory/1552-79-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize: 480KB)