Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-04-2021 11:31
- Static task: static1
- Behavioral task: behavioral1
  - Sample: OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
  - Resource: win7v20210408
General
- Target: OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
  (note the ",pdf.exe" double extension: a PE executable named to pass as a PDF in a mail client or file listing)
- Size: 319KB
- MD5: b400ac4dcee9fd535224fcd33224f6b1
- SHA1: 129db06c1a8281584e1c5440389841a4ea49ec62
- SHA256: 6cc2dd1c821a1d47200a054998657e3ddec7bc0cd81e4e4a7edffa3f0f3ca724
- SHA512: e8fc66b31e231eed6b8a2d0e75351a719ff8d0d5b9b065cdb66fdcefe62bfa44702585523c6be0049ea601513b812efd5536e3e188a40223d9a186aaa061df35
Malware Config
- Extracted family: remcos
- C2: blessmegod.ddns.net:3866
  (a dynamic-DNS hostname, so the resolved IP is not a stable indicator; hunt and block on the hostname and port)
Signatures
- Loads dropped DLL (1 IoC)
  Processes:
    PID 2256  OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2256 (OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe) set thread context of PID 1952 (OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "Likely ransomware behaviour"; for this sample the extracted configuration identifies the payload as Remcos, a remote access tool, so read the hit as drive enumeration rather than as evidence of file encryption.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 2256  OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 2256 (OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe) wrote to memory of PID 1952 (OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe), four times

Read together, these rows describe one parent (PID 2256) starting a second instance of its own image (PID 1952), writing into it four times, and then resetting a thread context in it so execution resumes on the written code: the process-hollowing pattern, with the unpacked payload living only in the child.
Processes
1. "C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe"  (PID 2256, per the signature tables)
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. "C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe"  (PID 1952, child of 2256 and the injection target)
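The signature tables and the process tree give everything needed to reconstruct the injection chain mechanically. The Python below is an added triage helper, not part of the sandbox report or its tooling. It takes event rows in a constructed (pid, api, target) shape that mirrors the report's "PID x set thread context of / wrote to memory of y" tables, flags a source that both writes into and resets a thread context in a child running its own image, and then pairs the child's "mapping" dump with the "memory" region that contains it. The assumption that the mapping dump's address is where the replaced thread context points is mine; the PIDs, image path and dump names are copied from this report.

```python
"""
Correlate sandbox API-event rows into a process-hollowing finding and
locate the dump holding the injected image.

Added triage helper; the event and process tables below are constructed to
mirror this report's signature rows and process tree, and the event tuple
format is an assumption, not the sandbox's own export format.
"""
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\OC CVE6535 _TVOP-MIO 21(C) 2021,pdf.exe"

# Constructed rows: (api, source_pid, target_pid), one per IoC in the report.
EVENTS = [
    ("WriteProcessMemory", 2256, 1952),
    ("WriteProcessMemory", 2256, 1952),
    ("WriteProcessMemory", 2256, 1952),
    ("WriteProcessMemory", 2256, 1952),
    ("SetThreadContext",   2256, 1952),
    ("MapViewOfSection",   2256, 2256),   # section mapped in the parent itself
]

# Constructed process table from the tree: pid -> (image path, parent pid).
PROCESSES = {
    2256: (IMAGE, None),
    1952: (IMAGE, 2256),
}

# Dump names copied from the report's Downloads list.
DUMPS = [
    "memory/1952-117-0x0000000000413FA4-mapping.dmp",
    "memory/1952-118-0x0000000000400000-0x0000000000421000-memory.dmp",
    "memory/2256-115-0x0000000002D50000-0x0000000002D51000-memory.dmp",
    "memory/2256-116-0x0000000002D51000-0x0000000002D56000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>[-0x<end>]-(mapping|memory).dmp
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp$"
)


def parse_dump(name):
    """Return (pid, kind, start, end); end is None for single-address mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return int(m["pid"]), m["kind"], int(m["start"], 16), end


def find_hollowing(events, processes):
    """
    Flag (source, target) pairs where the source both wrote into the target
    and reset a thread context there.  Self-targeted calls are ignored; the
    result records whether the target is the source's child and whether both
    run the same image, the two facts that make this hollowing of oneself
    rather than injection into an unrelated process.
    """
    apis = defaultdict(set)     # (src, dst) -> APIs observed
    writes = defaultdict(int)   # (src, dst) -> WriteProcessMemory count
    for api, src, dst in events:
        if src == dst:
            continue
        apis[(src, dst)].add(api)
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
    findings = []
    for (src, dst), seen in apis.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= seen:
            continue
        src_img, _ = processes.get(src, (None, None))
        dst_img, dst_parent = processes.get(dst, (None, None))
        findings.append({
            "source": src, "target": dst, "writes": writes[(src, dst)],
            "target_is_child": dst_parent == src,
            "same_image": src_img is not None and src_img == dst_img,
        })
    return findings


def locate_entry(dumps, pid):
    """
    Pair the target's mapping dump (assumed: the address the replaced thread
    context points at) with the memory region containing it, so the analyst
    knows which dump to carve the injected image from.  None if no mapping
    dump exists for the pid.
    """
    regions, mapping = [], None
    for name in dumps:
        dpid, kind, start, end = parse_dump(name)
        if dpid != pid:
            continue
        if kind == "mapping":
            mapping = start
        else:
            regions.append((start, end))
    if mapping is None:
        return None
    for start, end in regions:
        if start <= mapping < end:
            return {"entry": mapping, "region": (start, end), "size": end - start}
    return {"entry": mapping, "region": None, "size": None}


if __name__ == "__main__":
    for finding in find_hollowing(EVENTS, PROCESSES):
        print(finding)
    print(locate_entry(DUMPS, 1952))
```

On this report the finding is a single pair, 2256 into 1952, four writes, child of the source, same image, and the 1952 mapping address 0x413FA4 falls inside the 0x400000-0x421000 region, so the 132KB dump is the one to carve the unpacked Remcos image from. The same-image and parent-child checks are what keep the rule from firing on debuggers or legitimate tooling that writes into other processes; a parent writing into its own freshly started copy has few benign explanations.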
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsp1351.tmp\kdzh1wlq.dll
  MD5: 8c66ccb054b0aef6712493b4e8a778f0
  SHA1: 8641231119dd7474e4fc3ebefb7ba61e619d3077
  SHA256: bf79d9461d99892f78c5d7466681e39a0b97af3884853d37af69a041d7183991
  SHA512: 2c55ed748d4dc554f6576cd6a8332ed616a2743690b548006fb1d5858e146adad07ce383ac2010472214a8e9c0c1028e38325b2d971d7a2157b332c9dbd78547
  (this is the DLL behind the "Loads dropped DLL" hit; an ns????.tmp directory under %TEMP% holding a randomly named DLL is the layout NSIS installers use for their plugin directory, which points to an NSIS-packaged dropper)
- memory/1952-117-0x0000000000413FA4-mapping.dmp
- memory/1952-118-0x0000000000400000-0x0000000000421000-memory.dmp (132KB)
- memory/2256-115-0x0000000002D50000-0x0000000002D51000-memory.dmp (4KB)
- memory/2256-116-0x0000000002D51000-0x0000000002D56000-memory.dmp (20KB)

The 132KB region in PID 1952 starts at 0x400000, the conventional 32-bit PE image base, and the mapping dump's address 0x413FA4 lies inside it, so that dump is the place to look for the unpacked Remcos image written by the parent. The two small regions in PID 2256 (4KB and 20KB) are the parent's own staging memory.