Analysis
- max time kernel: 120s
- max time network: 16s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 05-05-2021 18:22
- Static task: static1
- Behavioral task: behavioral1, sample GVK Price Request,pdf.exe, resource win7v20210408
- Behavioral task: behavioral2, sample GVK Price Request,pdf.exe, resource win10v20210410
General
- Target: GVK Price Request,pdf.exe
- Size: 805KB
- MD5: 32bfc580410f46ca74f9b599bbf68d98
- SHA1: 51c281312fdcb3b5ac040e93045f0c176ceb90ff
- SHA256: a494c1e303160d0fb163cdd38cd218288239e93376b7e5e9ee85274430f6f1fb
- SHA512: b99928537fc19ad34db40fb03b09973a358e5b2c6d5babe0d24fde0e264a0ecefd11de0cb36987fdec6400c2a2582a7d992efc6b67e482fab6afed04fbc399ea
Malware Config
- Extracted: remcos
- macho.hopto.org:2477
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 532 image.exe
- Loads dropped DLL (1 IoCs)
  Processes: pid 1660 cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (RegSvcs.exe):
  - Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  - Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\image = "\"C:\\Users\\Admin\\AppData\\Roaming\\Internet Explorer\\image.exe\""
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 1996 (GVK Price Request,pdf.exe) set thread context of PID 1116 (RegSvcs.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 1996 GVK Price Request,pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: pid 1996 GVK Price Request,pdf.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (source PID wrote to memory of target PID; repeated events collapsed, counts given):
  - PID 1996 GVK Price Request,pdf.exe wrote to memory of 1732 schtasks.exe (4 events)
  - PID 1996 GVK Price Request,pdf.exe wrote to memory of 1116 RegSvcs.exe (13 events)
  - PID 1116 RegSvcs.exe wrote to memory of 1660 cmd.exe (7 events)
  - PID 1660 cmd.exe wrote to memory of 1068 PING.EXE (4 events)
  - PID 1660 cmd.exe wrote to memory of 532 image.exe (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GepToze" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: PING 127.0.0.1 -n 2
        - Runs ping.exe
      - C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe"
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  MD5: 8b960bfd398f1a71ec9a180dde824d1f
  SHA1: d7ad085d060cfa62f91fe41ed83da42c3f7e4948
  SHA256: bc10b3ecbcdd03a0a82c4b94673075746ab64a7290029cc6d7768b15515430d5
  SHA512: 0743465397d5610710575c07e3b3bdc74ffeeaff44db91fd2430cec6fc95b6dfd2cde1b07a9dabc2202390e0689c8e305dccdd61a987520f2e8d0d27ba30a94a
- C:\Users\Admin\AppData\Local\Temp\tmp4D94.tmp
  MD5: 905edc160cd2cae702bedc25a30b348a
  SHA1: 7db929825fb20fee57ff14ff1b5f946ce43477c6
  SHA256: 7f9e00005d876f10d89d2d2fd7637c7c21434a568a411effd4c889f80755c4cf
  SHA512: fe6c24bb22d4b931f147f2b9dd29f5151561e858cc93395506a533480fcce77d0e502a7c9064feb69f40d60b742f62bc4024d6a2f944d788948c17bb7ea7293f
- C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/532-80-0x0000000000420000-0x0000000000421000-memory.dmp, filesize 4KB
- memory/532-79-0x0000000001090000-0x0000000001091000-memory.dmp, filesize 4KB
- memory/532-77-0x0000000000000000-mapping.dmp
- memory/1068-74-0x0000000000000000-mapping.dmp
- memory/1116-71-0x0000000000400000-0x0000000000417000-memory.dmp, filesize 92KB
- memory/1116-70-0x00000000767B1000-0x00000000767B3000-memory.dmp, filesize 8KB
- memory/1116-69-0x000000000040FD88-mapping.dmp
- memory/1116-68-0x0000000000400000-0x0000000000417000-memory.dmp, filesize 92KB
- memory/1660-72-0x0000000000000000-mapping.dmp
- memory/1732-66-0x0000000000000000-mapping.dmp
- memory/1996-60-0x0000000001210000-0x0000000001211000-memory.dmp, filesize 4KB
- memory/1996-65-0x0000000000BD0000-0x0000000000C25000-memory.dmp, filesize 340KB
- memory/1996-64-0x0000000005110000-0x00000000051A6000-memory.dmp, filesize 600KB
- memory/1996-63-0x0000000000490000-0x000000000049E000-memory.dmp, filesize 56KB
- memory/1996-62-0x0000000004E30000-0x0000000004E31000-memory.dmp, filesize 4KB