Analysis
- max time kernel: 121s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-05-2021 19:06
Static task: static1
Behavioral task: behavioral1
  Sample: GVK Price Request,pdf.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: GVK Price Request,pdf.exe
  Resource: win10v20210410
General
- Target: GVK Price Request,pdf.exe
- Size: 805KB
- MD5: 32bfc580410f46ca74f9b599bbf68d98
- SHA1: 51c281312fdcb3b5ac040e93045f0c176ceb90ff
- SHA256: a494c1e303160d0fb163cdd38cd218288239e93376b7e5e9ee85274430f6f1fb
- SHA512: b99928537fc19ad34db40fb03b09973a358e5b2c6d5babe0d24fde0e264a0ecefd11de0cb36987fdec6400c2a2582a7d992efc6b67e482fab6afed04fbc399ea
Malware Config
Extracted
- Family: remcos
- C2: macho.hopto.org:2477
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    384   image.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1476  cmd.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description      ioc                                                                                                               process
    Key created      \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\        RegSvcs.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\image = "\"C:\\Users\\Admin\\AppData\\Roaming\\Internet Explorer\\image.exe\""   RegSvcs.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                    target process
    PID 1096 set thread context of 1108  1096  GVK Price Request,pdf.exe  RegSvcs.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid   process
    1096  GVK Price Request,pdf.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1096  GVK Price Request,pdf.exe
- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes (35 entries in total; identical rows collapsed, with the count column giving how many times each row occurs):
    description                       pid   process                    target process   count
    PID 1096 wrote to memory of 480   1096  GVK Price Request,pdf.exe  schtasks.exe     4
    PID 1096 wrote to memory of 1108  1096  GVK Price Request,pdf.exe  RegSvcs.exe      13
    PID 1108 wrote to memory of 1476  1108  RegSvcs.exe                cmd.exe          7
    PID 1476 wrote to memory of 844   1476  cmd.exe                    PING.EXE         4
    PID 1476 wrote to memory of 384   1476  cmd.exe                    image.exe        7
Processes
- C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GVK Price Request,pdf.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GepToze" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5D5.tmp"
    Signatures:
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures:
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      Signatures:
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      Children:
      - C:\Windows\SysWOW64\PING.EXE
        Command line: PING 127.0.0.1 -n 2
        Signatures:
        - Runs ping.exe
      - C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe"
        Signatures:
        - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.bat
  MD5: 8b960bfd398f1a71ec9a180dde824d1f
  SHA1: d7ad085d060cfa62f91fe41ed83da42c3f7e4948
  SHA256: bc10b3ecbcdd03a0a82c4b94673075746ab64a7290029cc6d7768b15515430d5
  SHA512: 0743465397d5610710575c07e3b3bdc74ffeeaff44db91fd2430cec6fc95b6dfd2cde1b07a9dabc2202390e0689c8e305dccdd61a987520f2e8d0d27ba30a94a
- C:\Users\Admin\AppData\Local\Temp\tmpD5D5.tmp
  MD5: 403b4864e0f8c63cf7038157034e7230
  SHA1: d303aeae38f26b14e5101b458df0941b77565539
  SHA256: 51ae133d44fe3db67cb0be3886395184bcd16db35e4ee1c0509b5e3ce59d3dfb
  SHA512: 18df2adcc20e75eb07346609a06e3667198050772ed1bc8dfd62e9f2d5ded23b31f0e36b84e8158593b8cae9b4b33de6fdf24f72c32850809f6132011e45c965
- C:\Users\Admin\AppData\Roaming\Internet Explorer\image.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- \Users\Admin\AppData\Roaming\Internet Explorer\image.exe
  MD5: 0e06054beb13192588e745ee63a84173
  SHA1: 30b7d4d1277bafd04a83779fd566a1f834a8d113
  SHA256: c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
  SHA512: 251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
- memory/384-80-0x0000000000470000-0x0000000000471000-memory.dmp (Filesize: 4KB)
- memory/384-79-0x0000000000A10000-0x0000000000A11000-memory.dmp (Filesize: 4KB)
- memory/384-77-0x0000000000000000-mapping.dmp
- memory/480-66-0x0000000000000000-mapping.dmp
- memory/844-74-0x0000000000000000-mapping.dmp
- memory/1096-60-0x00000000008D0000-0x00000000008D1000-memory.dmp (Filesize: 4KB)
- memory/1096-65-0x0000000002100000-0x0000000002155000-memory.dmp (Filesize: 340KB)
- memory/1096-64-0x0000000005070000-0x0000000005106000-memory.dmp (Filesize: 600KB)
- memory/1096-63-0x0000000000320000-0x000000000032E000-memory.dmp (Filesize: 56KB)
- memory/1096-62-0x0000000002160000-0x0000000002161000-memory.dmp (Filesize: 4KB)
- memory/1108-70-0x0000000075281000-0x0000000075283000-memory.dmp (Filesize: 8KB)
- memory/1108-71-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/1108-69-0x000000000040FD88-mapping.dmp
- memory/1108-68-0x0000000000400000-0x0000000000417000-memory.dmp (Filesize: 92KB)
- memory/1476-72-0x0000000000000000-mapping.dmp