Analysis

max time kernel: 54s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 19-04-2021 19:21

Static task: static1
Behavioral task: behavioral1
Sample: New_Payment_Advice-04-08-2021.exe
Resource: win7v20210408
General

Target: New_Payment_Advice-04-08-2021.exe
Size: 1.1MB
MD5: b406cc9e628e1622fdeb6c19bc119869
SHA1: 8154bf8ee1d7c43ce0743dee7c5d102e91dbea78
SHA256: a16800dbbc35690f64fb554acd3bbd0d9e4f54e8404a99dac0aacc9e41916f20
SHA512: d3354be9347ce446e1a4b108d309429862c48b49f99e2248c29f8224b2c7650cd70167e46560d0b96b1898a60780381f5686e1e28b060be66091a8d7a758eb75
Malware Config

Extracted family: remcos
C2: 79.134.225.78:2404
Signatures

Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java Update = "\"C:\\Windows\\SysWOW64\\taskmgr\\taskmgr.exe\"" (svchost.exe)

Executes dropped EXE (2 IoCs)
Processes:
- PID 1340: svchost.exe
- PID 2204: taskmgr.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Resources (yara rule agile_net):
- behavioral2/memory/640-121-0x00000000060F0000-0x0000000006111000-memory.dmp
- behavioral2/memory/640-124-0x0000000004BF0000-0x00000000050EE000-memory.dmp

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (svchost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "\"C:\\Windows\\SysWOW64\\taskmgr\\taskmgr.exe\"" (svchost.exe)

Drops file in System32 directory (3 IoCs)
Processes:
- File opened for modification: C:\Windows\SysWOW64\taskmgr (svchost.exe)
- File created: C:\Windows\SysWOW64\taskmgr\taskmgr.exe (svchost.exe)
- File opened for modification: C:\Windows\SysWOW64\taskmgr\taskmgr.exe (svchost.exe)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 640 (New_Payment_Advice-04-08-2021.exe) set thread context of PID 1340 (svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls such activity "likely ransomware behaviour"; that label does not fit here, because the extracted configuration identifies the sample as Remcos, a remote access trojan, so the drive enumeration is better read as host reconnaissance by the RAT than as a ransomware indicator.
Modifies registry class (1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings (svchost.exe)

Modifies registry key (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 640: New_Payment_Advice-04-08-2021.exe (2 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
- Token: SeDebugPrivilege, PID 640 (New_Payment_Advice-04-08-2021.exe)

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (writer PID and image, target PID and image, number of write events):
- 640 New_Payment_Advice-04-08-2021.exe wrote to 1340 svchost.exe (12 events)
- 1340 svchost.exe wrote to 2120 cmd.exe (3 events)
- 2120 cmd.exe wrote to 3896 reg.exe (3 events)
- 1340 svchost.exe wrote to 3984 WScript.exe (3 events)
- 3984 WScript.exe wrote to 3760 cmd.exe (3 events)
- 3760 cmd.exe wrote to 2204 taskmgr.exe (3 events)
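The two Run-key writes and the EnableLUA change recorded above are the kind of registry telemetry a detection engineer would write rules against. What follows is an added example, not part of this report and not sandbox or vendor code: it applies a handful of rules to hand-constructed events laid out like Sysmon Event ID 13 (RegistryEvent, value set) records that mirror the IoCs above, plus one benign control event. The rule names, the user-writable path markers and the benign control event are assumptions made for this example.

```python
"""Registry-telemetry checks for the persistence and UAC tampering this report records.

Added example, not part of the sandbox report or of any vendor tooling. The
events below are constructed by hand to mirror the report's registry IoCs and
use Sysmon Event ID 13 (RegistryEvent, value set) field names; the rule names
and the path heuristics are assumptions made for this example.
"""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Substrings that mark a path as user-writable (compared lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")

# A value under ...\CurrentVersion\Run, \RunOnce, or the policy variant
# ...\CurrentVersion\Policies\Explorer\Run, whatever the hive prefix looks like.
RUN_KEY_RE = re.compile(
    r"\\microsoft\\windows\\currentversion\\"
    r"(?P<policy>policies\\explorer\\)?(run|runonce)\\[^\\]+$",
    re.IGNORECASE,
)
ENABLE_LUA_RE = re.compile(r"\\policies\\system\\enablelua$", re.IGNORECASE)


def image_from_value(data: str) -> str:
    """Return the executable path from a Run-key value.

    Handles both '"C:\\dir with spaces\\a.exe" /arg' and 'C:\\a.exe /arg'.
    """
    data = data.strip()
    if data.startswith('"') and data.count('"') >= 2:
        return data[1 : data.index('"', 1)]
    return data.split(" ", 1)[0]


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def check_value_set(ev: dict) -> list:
    """Return the names of the rules that fire for one value-set event."""
    target, data, writer = ev["TargetObject"], ev["Details"], ev["Image"]
    hits = []
    # Rule 1: EnableLUA forced to 0 (the report's reg.exe ADD ... /v EnableLUA /d 0).
    if ENABLE_LUA_RE.search(target) and str(data).strip().lower() in ("0", "dword (0x00000000)"):
        hits.append("uac_disabled_enablelua_0")
    m = RUN_KEY_RE.search(target)
    if not m:
        return hits
    # Rule 2: the Policies\Explorer\Run key is rarely touched by legitimate installers.
    if m.group("policy"):
        hits.append("policy_run_key_used")
    # Rule 3: the writing process itself runs from a user-writable location
    # (here: the dropped Temp\svchost.exe).
    if in_user_writable(writer):
        hits.append("run_key_written_from_user_writable_path")
    image = image_from_value(data).lower()
    parent = ntpath.dirname(image)
    # Rule 4: autostart target sits in a subfolder *under* System32/SysWOW64,
    # e.g. SysWOW64\taskmgr\taskmgr.exe. Legitimate entries point at files
    # directly in the system directories or under Program Files.
    if any(parent.startswith(d + "\\") for d in SYSTEM_DIRS):
        hits.append("run_key_image_in_nested_system_subdir")
    # Rule 5: autostart target in Temp/AppData/ProgramData/Public (noisy on its own,
    # since some legitimate per-user apps live in AppData; weigh it with the others).
    if in_user_writable(image):
        hits.append("run_key_image_in_user_writable_path")
    return hits


def scan(events: list) -> dict:
    """Map event index -> fired rules, for events that fired at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := check_value_set(ev))}


# Constructed events mirroring the report (value data written as Sysmon renders it).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Java Update",
     "Details": r'"C:\Windows\SysWOW64\taskmgr\taskmgr.exe"'},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update",
     "Details": r'"C:\Windows\SysWOW64\taskmgr\taskmgr.exe"'},
    {"Image": r"C:\Windows\SysWOW64\reg.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    # Benign control (constructed): a per-machine autostart pointing straight into system32.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["TargetObject"], rules)
```

Rule 4 is the one specific to this sample: an autostart that points into a freshly created subfolder of SysWOW64 named after a Windows binary fires regardless of what the value is called, so renaming "Java Update" would not evade it. Rule 3 uses the writer's own image path, which is why the report's "process" column (svchost.exe running from Temp) matters as much as the key being written.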
Processes (indentation shows parent/child depth; the original numbered the levels 1 to 5)

C:\Users\Admin\AppData\Local\Temp\New_Payment_Advice-04-08-2021.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\New_Payment_Advice-04-08-2021.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    Note: this is a dropped file in the user's Temp directory that borrows the name of the Windows service host; it is not C:\Windows\System32\svchost.exe. The parent wrote to its memory and set its thread context (see Signatures), so the code that runs here is not necessarily what is on disk.
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      Note: sets EnableLUA to 0, which turns User Account Control off after the next reboot.
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Modifies registry key

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\taskmgr\taskmgr.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\taskmgr\taskmgr.exe
          Command line: C:\Windows\SysWOW64\taskmgr\taskmgr.exe
          Note: the persistence copy; the Downloads section shows it has the same hashes as Temp\svchost.exe. The real Task Manager lives directly in System32 / SysWOW64, not in a taskmgr subfolder.
          - Executes dropped EXE
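The tree above reads as one chain: a dropper in Temp injects into a Temp-resident file named svchost.exe, which spawns cmd.exe and reg.exe to set EnableLUA to 0 and uses WScript.exe plus cmd.exe to start a copy of itself from SysWOW64\taskmgr. The block below is an added example, not part of this report and not vendor tooling: it rebuilds that chain from hand-constructed process-creation records (PIDs, image paths and command lines copied from the tree above; the Sysmon-style field layout, a parent PID of 0 for the root, the rule names and the list of borrowed binary names are assumptions) and reports each flagged process with its full ancestry and whether a user-writable ancestor sits above it.

```python
"""Rebuild the report's process tree from process-creation records and flag the
links that make the chain malicious.

Added example, not part of the sandbox report or of any vendor tooling. The
records are constructed by hand from the PIDs, image paths and command lines
shown in the report's process tree; the Sysmon-style field layout, a ppid of 0
for the root and the rule names are assumptions made for this example.
"""
import ntpath
import re

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "c:\\programdata\\", "c:\\users\\public\\")
# Core Windows binary names that malware borrows; the report's chain uses two of them.
CORE_BINARY_NAMES = {"svchost.exe", "taskmgr.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
# reg.exe ADD ...\Policies\System /v EnableLUA ... /d 0 disables UAC (effective after reboot).
UAC_OFF_RE = re.compile(
    r"\breg(\.exe)?\s+add\b.*policies\\system\b.*/v\s+enablelua\b.*/d\s+0\b", re.IGNORECASE
)
SCRIPT_IN_TEMP_RE = re.compile(r"\\(appdata|temp)\\.*\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)

# Constructed records mirroring the report's tree (ppid 0 for the root is an assumption).
PROCS = [
    {"pid": 640, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\New_Payment_Advice-04-08-2021.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\New_Payment_Advice-04-08-2021.exe"'},
    {"pid": 1340, "ppid": 640, "image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'},
    {"pid": 2120, "ppid": 1340, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 3896, "ppid": 2120, "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmd": r"C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"pid": 3984, "ppid": 1340, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"pid": 3760, "ppid": 3984, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /c "C:\Windows\SysWOW64\taskmgr\taskmgr.exe"'},
    {"pid": 2204, "ppid": 3760, "image": r"C:\Windows\SysWOW64\taskmgr\taskmgr.exe",
     "cmd": r"C:\Windows\SysWOW64\taskmgr\taskmgr.exe"},
]


def ancestry(by_pid: dict, pid: int) -> str:
    """Root-to-leaf chain of image names for pid, e.g. 'a.exe > b.exe > c.exe'."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " > ".join(reversed(chain))


def has_user_writable_ancestor(by_pid: dict, pid: int) -> bool:
    """True if pid or any of its ancestors runs from Temp/AppData/ProgramData/Public."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        low = by_pid[pid]["image"].lower()
        if any(marker in low for marker in USER_WRITABLE):
            return True
        pid = by_pid[pid]["ppid"]
    return False


def classify(p: dict) -> list:
    """Per-process rules; returns the rule names that fired."""
    low = p["image"].lower()
    name, parent = ntpath.basename(low), ntpath.dirname(low)
    hits = []
    # svchost.exe in Temp, taskmgr.exe in a SysWOW64 subfolder: right name, wrong directory.
    if name in CORE_BINARY_NAMES and parent not in SYSTEM_DIRS:
        hits.append("core_binary_name_outside_system_dir")
    if UAC_OFF_RE.search(p["cmd"]):
        hits.append("cmdline_disables_uac")
    if name in ("wscript.exe", "cscript.exe") and SCRIPT_IN_TEMP_RE.search(p["cmd"]):
        hits.append("script_host_runs_script_from_temp")
    return hits


def find_findings(procs: list) -> dict:
    """pid -> {rules, chain, temp_ancestor} for every process that fired a rule."""
    by_pid = {p["pid"]: p for p in procs}
    out = {}
    for p in procs:
        rules = classify(p)
        if rules:
            out[p["pid"]] = {
                "rules": rules,
                "chain": ancestry(by_pid, p["pid"]),
                # A parent chain that starts in Temp turns a lone cmd/reg/wscript hit into a story.
                "temp_ancestor": has_user_writable_ancestor(by_pid, p["ppid"]),
            }
    return out


if __name__ == "__main__":
    for pid, f in find_findings(PROCS).items():
        print(pid, f["rules"], f["chain"], "temp_ancestor=%s" % f["temp_ancestor"])
```

The per-process rules alone would also fire on an administrator who types the reg.exe command by hand; the ancestry string and the temp_ancestor flag are what separate that from this chain, where every flagged process descends from a binary in the user's Temp directory.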
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: d541f4a8502d1116bea2c70cb7f56705
  SHA1: eea882f194859a8fe88485a64a95e9000e799a1d
  SHA256: a396bb9df0f318789858a5db9f1fce7d70da880ccdf9f3cc4bef4a826a5a9f83
  SHA512: 58c57bed7ca8778d9a8834e3546e306200325b11fe4c6864a8bd114a3943113cd5a87f447b88af4ad9d2aaab764a547e57ef14f96bccefd407cbddbd6f87b06b

C:\Users\Admin\AppData\Local\Temp\svchost.exe (listed twice in the original report, with identical hashes)
  MD5: 6bdb3091562e7dd2c877472286b6cc46
  SHA1: 122ecbb7a23dc98c61f319cfb060f3cbd407db89
  SHA256: 87e4144b3f50e9a0635ea6a887a20ef0d7b1321a79793f9fa965b8defbdef698
  SHA512: 219d646d5d514c705f801cacc736ca1027613d6612c1d30a8d4156143f5344b125a297080926912e7abf94a09b80cae157ac44773e84dd95946a9feb44b10e94

C:\Windows\SysWOW64\taskmgr\taskmgr.exe (same hashes as Temp\svchost.exe: the persistence copy is the same dropped binary)
  MD5: 6bdb3091562e7dd2c877472286b6cc46
  SHA1: 122ecbb7a23dc98c61f319cfb060f3cbd407db89
  SHA256: 87e4144b3f50e9a0635ea6a887a20ef0d7b1321a79793f9fa965b8defbdef698
  SHA512: 219d646d5d514c705f801cacc736ca1027613d6612c1d30a8d4156143f5344b125a297080926912e7abf94a09b80cae157ac44773e84dd95946a9feb44b10e94
Memory dumps (PID 640, New_Payment_Advice-04-08-2021.exe):
- memory/640-114-0x0000000000380000-0x0000000000381000-memory.dmp: 4KB
- memory/640-116-0x00000000050F0000-0x00000000050F1000-memory.dmp: 4KB
- memory/640-117-0x0000000004CD0000-0x0000000004CD1000-memory.dmp: 4KB
- memory/640-118-0x0000000004E10000-0x0000000004E11000-memory.dmp: 4KB
- memory/640-119-0x0000000004BF0000-0x00000000050EE000-memory.dmp: 5.0MB
- memory/640-121-0x00000000060F0000-0x0000000006111000-memory.dmp: 132KB (yara: agile_net)
- memory/640-122-0x00000000061B0000-0x00000000061B1000-memory.dmp: 4KB
- memory/640-123-0x00000000060C0000-0x00000000060C1000-memory.dmp: 4KB
- memory/640-124-0x0000000004BF0000-0x00000000050EE000-memory.dmp: 5.0MB (yara: agile_net; same address range as 640-119, dumped again later)
- memory/640-125-0x00000000064D0000-0x00000000064DB000-memory.dmp: 44KB
- memory/640-126-0x0000000009260000-0x0000000009261000-memory.dmp: 4KB

Memory dumps (PID 1340, svchost.exe):
- memory/1340-127-0x0000000000400000-0x0000000000478000-memory.dmp: 480KB
- memory/1340-128-0x000000000042EEEF-mapping.dmp (mapping only, no size reported)
- memory/1340-135-0x0000000000400000-0x0000000000478000-memory.dmp: 480KB

Mapping-only dumps (no size reported):
- memory/2120-132-0x0000000000000000-mapping.dmp
- memory/3896-134-0x0000000000000000-mapping.dmp
- memory/3984-136-0x0000000000000000-mapping.dmp
- memory/3760-138-0x0000000000000000-mapping.dmp
- memory/2204-139-0x0000000000000000-mapping.dmp