Analysis
  max time kernel:  148s
  max time network: 148s
  platform:         windows7_x64
  resource:         win7v20210408
  submitted:        21-04-2021 14:00
Static task: static1

Behavioral task: behavioral1
  Sample:   12.exe
  Resource: win7v20210408 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:   12.exe
  Resource: win10v20210410 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 12.exe
  Size:   619KB
  MD5:    98f413548ec275b2b0ead9caf86119eb
  SHA1:   cd39fdbed9c2011ef1d33dec7f50704664c33e63
  SHA256: ee6d59e7ff1910806b465f8ae5fd6b2dd918cbe56fb1e3144d1484ba7b266eec
  SHA512: 266370e9871a3e8c9c26835de8dec3be658d4bbb8709b3e26bfd986c60d312a065b587935e737e866907946f07cd25a6b7b2e416aabf8693bccc6fb694d6c6ef
  Score:  10/10
Malware Config (extracted)
  Family: remcos
  C2:
    abujafirms1.duckdns.org:12000
    194.5.98.203:1988
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    process  description      ioc
    12.exe   Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Weikql = "C:\\Users\\Public\\Libraries\\lqkieW.url"

Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
    process  description         pid   target process  target PID
    12.exe   wrote to memory of  1640  ieinstal.exe    968
    (the same row, PID 1640 12.exe -> PID 968 ieinstal.exe, is recorded 19 times in the report)
Processes
  1. C:\Users\Admin\AppData\Local\Temp\12.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\12.exe"
       - Adds Run key to start application
       - Suspicious use of WriteProcessMemory
     2. C:\Program Files (x86)\internet explorer\ieinstal.exe
        command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                              filesize
  memory/968-65-0x0000000000000000-mapping.dmp                      -
  memory/968-67-0x00000000000D0000-0x00000000000D1000-memory.dmp    4KB
  memory/968-69-0x0000000000280000-0x0000000000281000-memory.dmp    4KB
  memory/968-70-0x0000000010590000-0x000000001060B000-memory.dmp    492KB
  memory/968-71-0x0000000000400000-0x0000000000478000-memory.dmp    480KB
  memory/968-72-0x0000000000090000-0x0000000000091000-memory.dmp    4KB
  memory/1640-59-0x00000000769B1000-0x00000000769B3000-memory.dmp   8KB
  memory/1640-60-0x0000000000220000-0x0000000000221000-memory.dmp   4KB
  memory/1640-62-0x0000000000250000-0x000000000026A000-memory.dmp   104KB