Analysis
- max time kernel: 72s
- max time network: 136s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-05-2021 11:31

Static task: static1
Behavioral task: behavioral1
- Sample: Jc7rIzvMGq2Y04X5z29E.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: Jc7rIzvMGq2Y04X5z29E.exe
- Resource: win10v20210410
General
- Target: Jc7rIzvMGq2Y04X5z29E.exe
- Size: 1.1MB
- MD5: b2ca9a4f140ad9b0c7d4ee5270f80457
- SHA1: 20a0bc87b558a4c1266f33b12f659f0e298d74cd
- SHA256: 8ddbf9769d71a2b946894307864aa35aee8afb86a469a6c032b7eaa1225bc720
- SHA512: 45d9f9c4aa3949cbebf2ccbb34bfc45843c81864cd9c3a510dd12d235b6d841537fcc1fd7749dbaf232bdd42513b4dd1ff9fcb79697f5cb0728f671718bd9996
Malware Config
Extracted
- Family: remcos
- C2: style.ptbagasps.co.id:42024
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Jc7rIzvMGq2Y04X5z29E.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xbrcnt = "C:\\Users\\Public\\Libraries\\tncrbX.url" | Jc7rIzvMGq2Y04X5z29E.exe
  The autostart value does not point at the dropped executable but at a .url shortcut under C:\Users\Public\Libraries, a directory every local user can write to. When hunting, look for Run values whose data ends in .url or lives anywhere under C:\Users\Public.
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: Jc7rIzvMGq2Y04X5z29E.exe
  description | ioc | process
  File opened (read-only) | \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (every letter except C: and D:) | Jc7rIzvMGq2Y04X5z29E.exe
- Drops file in System32 directory (1 IoC)
  Processes: DpiScaling.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\DpiScaling.exe | DpiScaling.exe
  The process that opened the file is the DpiScaling.exe instance the sample injected into (see the two signatures below), so this is the injected code touching its host image, not the Windows binary writing to System32 on its own.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Jc7rIzvMGq2Y04X5z29E.exe
  description | pid | process | target process
  PID 1084 set thread context of 1368 | 1084 | Jc7rIzvMGq2Y04X5z29E.exe | DpiScaling.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: DpiScaling.exe
  pid | process
  1368 | DpiScaling.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: Jc7rIzvMGq2Y04X5z29E.exe, DpiScaling.exe
  description | pid | process | target process
  PID 1084 wrote to memory of 1368 (6 times) | 1084 | Jc7rIzvMGq2Y04X5z29E.exe | DpiScaling.exe
  PID 1368 wrote to memory of 1484 (4 times) | 1368 | DpiScaling.exe | WScript.exe
  Six writes from the sample into a child it had just spawned, followed by SetThreadContext on that child, is the process-hollowing sequence: the Remcos payload runs under the DpiScaling.exe image name. The child's image path is C:\Windows\SysWOW64\DpiScaling.exe even though its command line names C:\Windows\System32\DpiScaling.exe; that is WOW64 file-system redirection on this x64 guest, which in turn shows the sample is a 32-bit executable. Detection should key on the parent/child relationship plus the write-then-SetThreadContext order, not on the DpiScaling.exe name, which the next build can change.
Processes
- C:\Users\Admin\AppData\Local\Temp\Jc7rIzvMGq2Y04X5z29E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Jc7rIzvMGq2Y04X5z29E.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\DpiScaling.exe
    Command line: C:\Windows\System32\DpiScaling.exe
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cjlfjpxxoceegtcipclaxisyysmlcrtt.vbs"
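The Signatures and Processes sections above describe a chain that is far more convincing as a whole than as four unrelated alerts: a Run value pointing at a .url under C:\Users\Public, a sweep of 24 drive roots, six WriteProcessMemory calls into a freshly spawned child followed by SetThreadContext on it, and a script host launched from that child with a .vbs out of Temp. The Python below is an added example, not part of this report or of the sandbox's own rule set. It runs those four checks over events constructed in the code to mirror the report; the Sysmon-like field names, the parent pid 600 given to the sample, and the threshold of 10 drive roots are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events modelled on the report's process tree and
# signature tables. They are not real telemetry and not the sandbox's own
# event format; the field names are assumptions for this example.
EVENTS = [
    {"type": "process_create", "pid": 1084, "ppid": 600,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Jc7rIzvMGq2Y04X5z29E.exe"},
    {"type": "registry_set", "pid": 1084,
     "key": r"HKU\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xbrcnt",
     "data": r"C:\Users\Public\Libraries\tncrbX.url"},
    # 24 drive-root opens, every letter except C: and D:, as in the report.
    *[{"type": "file_open", "pid": 1084, "path": "\\??\\%s:" % d}
      for d in "ABEFGHIJKLMNOPQRSTUVWXYZ"],
    {"type": "process_create", "pid": 1368, "ppid": 1084,
     "image": r"C:\Windows\SysWOW64\DpiScaling.exe"},
    *[{"type": "process_access", "src": 1084, "target": 1368,
       "api": "WriteProcessMemory"}] * 6,
    {"type": "process_access", "src": 1084, "target": 1368,
     "api": "SetThreadContext"},
    {"type": "process_create", "pid": 1484, "ppid": 1368,
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" '
                r'"C:\Users\Admin\AppData\Local\Temp\cjlfjpxxoceegtcipclaxisyysmlcrtt.vbs"'},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
DRIVE_ROOT = re.compile(r"\\\?\?\\([A-Z]):$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DRIVE_THRESHOLD = 10  # assumption: tune per environment


def detect(events):
    """Return sorted (rule, pid) findings for the behaviours in this report."""
    findings = set()
    parent, image, cmdline = {}, {}, {}
    writes = defaultdict(int)   # (src, target) -> WriteProcessMemory count
    drives = defaultdict(set)   # pid -> drive letters opened
    hollowed = set()            # children written by, then re-pointed by, their parent

    for ev in events:
        t = ev["type"]
        if t == "process_create":
            pid = ev["pid"]
            parent[pid] = ev["ppid"]
            image[pid] = ev["image"].lower()
            cmdline[pid] = ev.get("cmdline", "").lower()
        elif t == "registry_set" and RUN_KEY.search(ev["key"]):
            data = ev["data"].lower()
            # An autostart entry that is a .url shortcut, or that lives under
            # the world-writable C:\Users\Public tree, is not how installers
            # register themselves.
            if data.endswith(".url") or "\\users\\public\\" in data:
                findings.add(("run_key_url_in_public", ev["pid"]))
        elif t == "file_open":
            m = DRIVE_ROOT.match(ev["path"])
            if m:
                drives[ev["pid"]].add(m.group(1).upper())
        elif t == "process_access":
            key = (ev["src"], ev["target"])
            if ev["api"] == "WriteProcessMemory":
                writes[key] += 1
            elif ev["api"] == "SetThreadContext":
                # Writes into a child this process spawned, then a thread
                # context reset on it: the process-hollowing sequence.
                if writes[key] and parent.get(ev["target"]) == ev["src"]:
                    hollowed.add(ev["target"])
                    findings.add(("hollowing_write_then_setthreadcontext",
                                  ev["target"]))

    for pid, img in image.items():
        basename = img.rsplit("\\", 1)[-1]
        # Script host launched by a hollowed process, running a script from
        # the user's Temp directory.
        if (basename in SCRIPT_HOSTS and parent.get(pid) in hollowed
                and ".vbs" in cmdline[pid]
                and "\\appdata\\local\\temp\\" in cmdline[pid]):
            findings.add(("script_host_from_hollowed_process", pid))
    for pid, letters in drives.items():
        if len(letters) >= DRIVE_THRESHOLD:
            findings.add(("drive_root_enumeration", pid))
    return sorted(findings)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40} pid {pid}")
```

The hollowing rule requires the writer to be the target's parent, so a debugger or an EDR agent writing into a process it did not create does not trip it, and the script-host rule only fires for children of a process already flagged as hollowed, which keeps ordinary WScript.exe launches from logon scripts quiet.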
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\cjlfjpxxoceegtcipclaxisyysmlcrtt.vbs
  MD5: be074866409269e44265375472268ac8
  SHA1: 3ce9dd4ec73e549090df35e584489ca2b152baf8
  SHA256: 0611b95ccccd8a80ffff8e37791ef1f18338880c139ccd91795f0343a8cba78e
  SHA512: 10112d322c59501126b9c3a256fbce35f52be00578fc52d004b139fdd0a5555e3e07dfa8a6113e407c7668a9aa795869ed896e1cc30f3f06685825d9fe518d58
- memory/1084-60-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize 8KB)
- memory/1084-61-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize 4KB)
- memory/1368-62-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/1368-63-0x000000000042EEEF-mapping.dmp
- memory/1368-65-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
- memory/1484-66-0x0000000000000000-mapping.dmp
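The two 480KB dumps of pid 1368 cover 0x400000-0x478000, the range where a hollowed process carries the image the parent wrote into it, and the address recorded for the mapping dump, 0x42EEEF, lies 0x2EEEF bytes past that base. The first thing to do with such a dump is carve any PE header out of it, read ImageBase, SizeOfImage and the entry point, and check whether the recorded address falls inside the image. The Python below is an added example, not part of this report or of the sandbox's tooling. Because the real dump is not on the page, it parses a dump it constructs itself: a minimal PE32 header with ImageBase 0x400000, SizeOfImage 0x78000 and an entry RVA of 0x2EEEF, values chosen to line up with the report's addresses and therefore assumptions, not facts about the sample.

```python
import struct

PE_FILE_HEADER = "<HHIIIHH"                    # IMAGE_FILE_HEADER
PE_OPT32_PREFIX = "<HBBIIIIIIIIIHHHHHHIIIIHH"   # IMAGE_OPTIONAL_HEADER32 through DllCharacteristics
SECTION_HEADER = "<8sIIIIIIHHI"                # IMAGE_SECTION_HEADER


def build_constructed_dump():
    """Constructed stand-in for the 480 KB region at 0x400000 in pid 1368.

    A minimal PE32 header with ImageBase 0x400000, SizeOfImage 0x78000 and an
    entry RVA of 0x2EEEF, followed by a stray "MZ" with no PE header behind
    it so the carver has a false positive to reject. These values are chosen
    to match the report's addresses; the real dump is not on the page.
    """
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)             # e_lfanew
    file_hdr = struct.pack(PE_FILE_HEADER, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack(PE_OPT32_PREFIX,
                      0x10B, 14, 0, 0x70000, 0x7000, 0,
                      0x2EEEF, 0x1000, 0x71000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0,
                      0x78000, 0x400, 0, 2, 0).ljust(0xE0, b"\0")
    sect = struct.pack(SECTION_HEADER, b".text", 0x70000, 0x1000, 0x70000,
                       0x400, 0, 0, 0, 0, 0x60000020)
    body = bytes(dos) + b"PE\0\0" + file_hdr + opt + sect
    return body.ljust(0x1000, b"\0") + b"\0" * 0x200 + b"MZ" + b"\0" * 0x100


def carve_pe_images(dump, dump_base):
    """Find PE32 headers in a dump whose first byte sits at virtual address dump_base."""
    images = []
    off = dump.find(b"MZ")
    while off >= 0:
        if off + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, off + 0x3C)[0]
            pe = off + e_lfanew
            # Plausible e_lfanew, PE signature present, room for both headers.
            if (0x40 <= e_lfanew <= 0x400 and dump[pe:pe + 4] == b"PE\0\0"
                    and pe + 24 + struct.calcsize(PE_OPT32_PREFIX) <= len(dump)):
                fh = struct.unpack_from(PE_FILE_HEADER, dump, pe + 4)
                nsections, opt_size = fh[1], fh[5]
                opt = pe + 24
                if dump[opt:opt + 2] == b"\x0b\x01":        # PE32 magic 0x10B
                    oh = struct.unpack_from(PE_OPT32_PREFIX, dump, opt)
                    entry_rva, image_base, size_of_image = oh[6], oh[9], oh[19]
                    sections = []
                    for i in range(nsections):
                        soff = opt + opt_size + i * 40
                        if soff + 40 > len(dump):
                            break
                        name, vsize, va = struct.unpack_from(SECTION_HEADER, dump, soff)[:3]
                        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize))
                    images.append({
                        "dump_offset": off,
                        "va": dump_base + off,
                        "image_base": image_base,
                        "size_of_image": size_of_image,
                        # Entry point at the address the image actually occupies.
                        "entry_point": dump_base + off + entry_rva,
                        # A header whose ImageBase differs from where it sits in
                        # memory was relocated or written into place by hand.
                        "relocated": image_base != dump_base + off,
                        "sections": sections,
                    })
        off = dump.find(b"MZ", off + 2)
    return images


def locate(images, addr):
    """Return (image, rva) for the carved image containing addr, else None."""
    for img in images:
        if img["va"] <= addr < img["va"] + img["size_of_image"]:
            return img, addr - img["va"]
    return None


if __name__ == "__main__":
    images = carve_pe_images(build_constructed_dump(), 0x400000)
    for img in images:
        print(f"PE at {img['va']:#x} size {img['size_of_image']:#x} "
              f"entry {img['entry_point']:#x} relocated={img['relocated']}")
    print(locate(images, 0x42EEEF))
```

On a real dump, feed the file bytes and the base address from the dump's filename; an image whose header is missing or whose sections do not add up to SizeOfImage indicates the payload erased or never wrote its headers, and the entry point then has to come from the thread context rather than from the PE.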