Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 20-04-2021 11:35

Static task: static1
Behavioral task: behavioral1
  Sample: NEW PURCHASE ORDER LISTED ITEMS.exe
  Resource: win7v20210410
General
- Target: NEW PURCHASE ORDER LISTED ITEMS.exe
- Size: 645KB
- MD5: 5e8ff1a9ec1192bae73ec97729e46d63
- SHA1: 2efd06ad72483238327a9570043159d0ab9ece34
- SHA256: 15acacbd5c928108c9db5e319f23e493f45c3a0c8e8b979f7e760675f916ae2b
- SHA512: a083c78f12bb5d40c9141d12781d3bf013347d0345307df1d6533753b40dac5f26e8e75610bc5b84821525670af42cc4a2736ba868359548290985593453e146
Malware Config
- Extracted: remcos
  79.134.225.49:1953
Signatures
- Uses the VBS compiler for execution (1 TTP)
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 3876 set thread context of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid | process):
    3876 | NEW PURCHASE ORDER LISTED ITEMS.exe
    3876 | NEW PURCHASE ORDER LISTED ITEMS.exe
    3876 | NEW PURCHASE ORDER LISTED ITEMS.exe
    3876 | NEW PURCHASE ORDER LISTED ITEMS.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    3484 | vbc.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description | pid | process | target process):
    PID 3876 wrote to memory of 3476 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | schtasks.exe
    PID 3876 wrote to memory of 3476 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | schtasks.exe
    PID 3876 wrote to memory of 3476 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | schtasks.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
    PID 3876 wrote to memory of 3484 | 3876 | NEW PURCHASE ORDER LISTED ITEMS.exe | vbc.exe
Processes (process tree; depth 1 is the submitted sample, depth 2 its children)
- [1] C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER LISTED ITEMS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PURCHASE ORDER LISTED ITEMS.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GiaNEJvKkikVXu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB3FF.tmp"
    - Creates scheduled task(s)
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpB3FF.tmp
  MD5: 9d14f3a2a9bb4a39c9c1a24a869555bd
  SHA1: deb3ab33d2ba85a12920486c49430e93bb527e03
  SHA256: 4581034769ff4de9112b0a108b18f8436bcc9f2158b2c2e3439c0d3da66fcfa1
  SHA512: 0f34db798c8b28796ae5d9fc039ac4f772d94c88b7d34327673374d743bc77af26f3766112f42db6a5d33f879adf7b399bc07fe6f7fe5c9d6444e71e0b614593
- memory/3476-116-0x0000000000000000-mapping.dmp
- memory/3484-118-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/3484-119-0x0000000000413FA4-mapping.dmp
- memory/3484-120-0x0000000000400000-0x0000000000421000-memory.dmp
  Filesize: 132KB
- memory/3876-114-0x0000000002660000-0x0000000002661000-memory.dmp
  Filesize: 4KB
- memory/3876-115-0x0000000002661000-0x0000000002662000-memory.dmp
  Filesize: 4KB