Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-04-2021 11:04

Static task: static1
Behavioral task: behavioral1
- Sample: CONTRACT FB20172837,pdf.exe
- Resource: win7v20210410
General
- Target: CONTRACT FB20172837,pdf.exe
- Size: 212KB
- MD5: 3144fd0af0fcde5fa43d9b4afb5a1fc1
- SHA1: 347149e4cf1d740a41f2d739f95bb46097f72803
- SHA256: 03b97c8344d63354e9d3802da05d8124eca355514b3d26dae4d596b925ffe824
- SHA512: 21182f46eeff57779114127032a8322022eb67218593957dea4b44b255865c504be9c12b1a2b4a38077fb4ab83189f82cf23be04f03b33f89834ed17c4b0f9d9
Malware Config
Extracted
- Family: remcos
- C2: blessmegod.ddns.net:3866
Signatures
- Loads dropped DLL (1 IoC)
  pid | process
  3920 | CONTRACT FB20172837,pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 3920 set thread context of 3008 | 3920 | CONTRACT FB20172837,pdf.exe | CONTRACT FB20172837,pdf.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is a generic drive-enumeration signature. The extracted config identifies the sample as Remcos, a remote-access trojan, so the "ransomware" wording is the signature's default description and not a classification of this sample.
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  3920 | CONTRACT FB20172837,pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 3920 wrote to memory of 3008 | 3920 | CONTRACT FB20172837,pdf.exe | CONTRACT FB20172837,pdf.exe
  PID 3920 wrote to memory of 3008 | 3920 | CONTRACT FB20172837,pdf.exe | CONTRACT FB20172837,pdf.exe
  PID 3920 wrote to memory of 3008 | 3920 | CONTRACT FB20172837,pdf.exe | CONTRACT FB20172837,pdf.exe
  PID 3920 wrote to memory of 3008 | 3920 | CONTRACT FB20172837,pdf.exe | CONTRACT FB20172837,pdf.exe
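The signatures above record one process (PID 3920) writing four times into a second instance of its own image (PID 3008) and then calling SetThreadContext on it. That is the sequence a RunPE-style loader (process hollowing) leaves behind: spawn a suspended copy, overwrite its image, redirect the thread's entry point, resume. The following is an added example, not code from the sandbox or from the sample: it replays constructed event records shaped like the report's process rows and flags any cross-process pair that shows a write followed by SetThreadContext. The PIDs 3920/3008 and the image name are taken from the report; the benign control pair (PIDs 4100/4120, explorer.exe/notepad.exe) is hypothetical.

```python
"""Flag the self-injection sequence recorded in the Signatures section.

Added example for this report, not code from the sandbox or the sample.
It replays constructed event records (API, acting PID, target PID, both
image names) and reports a hit where one PID writes into a different
process and afterwards calls SetThreadContext on it.  A hit whose two
images match is the shape a RunPE-style loader (process hollowing) leaves.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int           # order in which the sandbox recorded the call
    api: str           # "WriteProcessMemory", "SetThreadContext", ...
    pid: int           # process making the call
    target_pid: int    # process acted upon
    image: str         # image of the calling process
    target_image: str  # image of the target process


IMG = "CONTRACT FB20172837,pdf.exe"

# Constructed events.  The first five mirror the rows in the report above
# (same PIDs and image).  The last two are a hypothetical benign control
# pair (PIDs 4100/4120) that writes once and never changes a thread context
# in another process; it must not be flagged.
SAMPLE_EVENTS = [
    Event(1, "WriteProcessMemory", 3920, 3008, IMG, IMG),
    Event(2, "WriteProcessMemory", 3920, 3008, IMG, IMG),
    Event(3, "WriteProcessMemory", 3920, 3008, IMG, IMG),
    Event(4, "WriteProcessMemory", 3920, 3008, IMG, IMG),
    Event(5, "SetThreadContext", 3920, 3008, IMG, IMG),
    Event(6, "WriteProcessMemory", 4100, 4120, "explorer.exe", "notepad.exe"),
    Event(7, "SetThreadContext", 4100, 4100, "explorer.exe", "explorer.exe"),
]


def find_hollowing_candidates(events):
    """Return {(pid, target_pid): summary} for every cross-process pair where
    the acting PID wrote into the target and then called SetThreadContext
    on it.  `same_image` is True when source and target run the same binary,
    the strongest indicator of a loader hollowing a copy of itself.
    """
    writes = defaultdict(list)   # (pid, target) -> seq numbers of the writes
    images = {}
    hits = {}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.pid == ev.target_pid:
            continue                     # calls on the caller's own process are not injection
        key = (ev.pid, ev.target_pid)
        images[key] = (ev.image, ev.target_image)
        if ev.api == "WriteProcessMemory":
            writes[key].append(ev.seq)
        elif ev.api == "SetThreadContext" and writes[key]:
            # Only a context change that follows at least one write counts.
            src, dst = images[key]
            hits[key] = {
                "writes": len(writes[key]),
                "first_write": writes[key][0],
                "set_thread_context": ev.seq,
                "same_image": src == dst,
            }
    return hits


def describe(hits):
    """One human-readable line per hit, sorted by (pid, target_pid)."""
    lines = []
    for (pid, tgt), h in sorted(hits.items()):
        kind = ("self-image hollowing candidate" if h["same_image"]
                else "cross-process injection candidate")
        lines.append(f"{kind}: PID {pid} wrote {h['writes']}x into PID {tgt}, "
                     f"then SetThreadContext (event {h['set_thread_context']})")
    return lines


if __name__ == "__main__":
    for line in describe(find_hollowing_candidates(SAMPLE_EVENTS)):
        print(line)
```

Run on the constructed events it reports the 3920 to 3008 pair and nothing else. On a real event feed the same logic needs the suspended-process creation (CreateProcess with CREATE_SUSPENDED) and the later ResumeThread to be reliable; the report above does not list those calls, so they are not modelled here.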
Processes
- C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe (depth 1; PID 3920 per the Signatures section)
  command line: "C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe (depth 2, child of the process above; PID 3008 per the Signatures section)
    command line: "C:\Users\Admin\AppData\Local\Temp\CONTRACT FB20172837,pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsq3B3C.tmp\ccx0w1.dll
  MD5: 02f57fa409bc0e90f681bb6c1efff03e
  SHA1: b35fda756ae422c1c52f7e4c89de22f763e74167
  SHA256: dffd555b29e6719fe45c788e09be1edf73ce1af415e23869ab0915b0159dac09
  SHA512: e2a45f199aa7e57e264b91388b0a6f04a65ec943b5ea2680c57053c891c6844c47384710b134006f57942e3ea2a17ee70ca860ab81471f7b4bca6950a5df691a
  Note: a DLL extracted into a %TEMP%\ns####.tmp directory is the layout an NSIS installer uses for its plugin DLLs; this is the file behind the "Loads dropped DLL" signature.
- memory/3008-117-0x0000000000413FA4-mapping.dmp
- memory/3008-118-0x0000000000400000-0x0000000000421000-memory.dmp (filesize 132KB)
- memory/3920-115-0x0000000002DD0000-0x0000000002DD1000-memory.dmp (filesize 4KB)
- memory/3920-116-0x0000000002DD1000-0x0000000002DD6000-memory.dmp (filesize 20KB)