Analysis

max time kernel: 153s
max time network: 146s
platform: windows10_x64
resource: win10-en-20211014
submitted: 29-10-2021 05:09

Static task: static1
Behavioral task: behavioral1
Sample: TNT Receipt_AWB no#87993766478,pdf.exe
Resource: win7-en-20210920
General

Target: TNT Receipt_AWB no#87993766478,pdf.exe
Size: 715KB
MD5: 27a9e4f59f0735c1cd5b6fec688fe6f4
SHA1: 86de7e9b35afb3726a925b1a1b7bd00c81c2f6a9
SHA256: 64e7a4dbad57f1c217a17ad6214d29230ac8ba813d001fdaa35f17fd83f62cf3
SHA512: 1bfc5666172ce59267c58d70347060f5b696dc7414bd1b7efc20f8a544da7c671e9943c3e364ddebdbd734e0de14743f5c5244691d7306973486596376bf75e1
Malware Config
Signatures
- suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
- suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
  (Rule names as they appear in the Emerging Threats ruleset; both match the Remcos RAT 3.x plaintext C2 check-in and its server reply.)
- Uses the VBS compiler for execution (1 TTP)
  The .NET Visual Basic compiler vbc.exe is started with no arguments and used only as a host process for injected code (see SetThreadContext and WriteProcessMemory below).
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process                                  target process
  PID 3040 set thread context of 956   3040  TNT Receipt_AWB no#87993766478,pdf.exe   vbc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (Generic signature text; this report records no file-encryption activity, and the storage enumeration is consistent with a RAT collecting host information.)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                 pid   process
  Token: SeDebugPrivilege     3040  TNT Receipt_AWB no#87993766478,pdf.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid   process
  956   vbc.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (identical rows collapsed; the count column gives the number of recorded calls):
  description                        pid   process                                  target process   count
  PID 3040 wrote to memory of 956    3040  TNT Receipt_AWB no#87993766478,pdf.exe   vbc.exe          12
  PID 3040 wrote to memory of 1528   3040  TNT Receipt_AWB no#87993766478,pdf.exe   cmd.exe          3
  PID 3040 wrote to memory of 3228   3040  TNT Receipt_AWB no#87993766478,pdf.exe   cmd.exe          3
  PID 1528 wrote to memory of 512    1528  cmd.exe                                  schtasks.exe     3
Processes (indented by depth in the process tree; each entry gives the image path, then the command line, then the signatures hit by that process)

C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f
          - Creates scheduled task(s)

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe" "C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe"

(The command lines reference System32 but the images run from SysWOW64: the dropper is a 32-bit process, so WOW64 file system redirection resolves its System32 paths to the 32-bit copies. The scheduled task "Nano" runs the copied sample from %AppData%\fkvd\fkvd.exe every minute.)
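The process tree above and the SetThreadContext/WriteProcessMemory/schtasks signatures describe three things a detection engineer can hunt for on endpoints: a .NET compiler started with an empty command line (the hollowing host), a per-minute scheduled task whose target lives under a user profile, and a double-extension lure name. The script below is an added example, not part of the sandbox report or the malware; it runs that hunting logic over constructed Sysmon-style process-creation records built from the command lines in this report (the field names mirror Sysmon EventID 1 and are an assumption, as are the two benign control records).

```python
"""
Hunting logic for the behaviours in this report, run over constructed
Sysmon-style process-creation records (EventID 1 field names; an assumption):
  1. a .NET compiler (vbc.exe, csc.exe, ...) started with an EMPTY command line
     by something that is not a build tool: a compiler with nothing to compile
     is the classic host for process hollowing;
  2. schtasks.exe creating a task that re-launches a binary from a user-writable
     profile directory every few minutes (the "Nano" task -> fkvd.exe);
  3. a lure file name that fakes a document extension ("...,pdf.exe").
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # its command line as logged
    parent_image: str   # full path of the parent process


HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
LURE_EXT = re.compile(r"[.,](pdf|docx?|xlsx?|jpe?g|png)\.exe$", re.I)
SCHTASKS_FLAG = re.compile(r'/(sc|mo|tn|tr)\s+("[^"]*"|\S+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Drop the first token (quoted or bare image path); return the remaining arguments."""
    m = re.match(r'^\s*("[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(2).strip() if m else ""


def is_hollowing_host(ev: ProcEvent) -> bool:
    """A .NET compiler with no arguments that was not spawned by a build tool."""
    return (basename(ev.image) in HOLLOW_HOSTS
            and args_after_image(ev.cmdline) == ""
            and basename(ev.parent_image) not in BUILD_TOOLS)


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return the /sc /mo /tn /tr values of a 'schtasks /create' line (quotes stripped), else None."""
    if "/create" not in cmdline.lower():
        return None
    return {k.lower(): v.strip('"').strip("'") for k, v in SCHTASKS_FLAG.findall(cmdline)}


def is_short_interval_user_task(ev: ProcEvent) -> bool:
    """Task target under %AppData%/%LocalAppData% scheduled every <=5 minutes."""
    if basename(ev.image) != "schtasks.exe":
        return False
    flags = parse_schtasks_create(ev.cmdline)
    if not flags or "tr" not in flags:
        return False
    try:
        modifier = int(flags.get("mo", "1"))
    except ValueError:
        modifier = 1
    return (USER_WRITABLE.search(flags["tr"]) is not None
            and flags.get("sc", "").lower() == "minute" and modifier <= 5)


def is_double_extension_lure(ev: ProcEvent) -> bool:
    return LURE_EXT.search(basename(ev.image)) is not None


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every rule each event matches."""
    findings: List[Tuple[int, str]] = []
    for ev in events:
        if is_double_extension_lure(ev):
            findings.append((ev.pid, "double-extension lure"))
        if is_hollowing_host(ev):
            findings.append((ev.pid, "empty-cmdline .NET compiler (hollowing host)"))
        if is_short_interval_user_task(ev):
            findings.append((ev.pid, "per-minute task running from user profile"))
    return findings


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\TNT Receipt_AWB no#87993766478,pdf.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
TASK_CMD = r'''schtasks /create /sc minute /mo 1 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\fkvd\fkvd.exe'" /f'''

# Constructed records: the first five mirror the report's process tree (parent PIDs of the
# root and the two controls are invented); the last two are benign controls.
SAMPLE_EVENTS = [
    ProcEvent(3040, 1000, DROPPER, f'"{DROPPER}"', r"C:\Windows\explorer.exe"),
    ProcEvent(956, 3040, VBC, f'"{VBC}"', DROPPER),
    ProcEvent(1528, 3040, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD, DROPPER),
    ProcEvent(512, 1528, r"C:\Windows\SysWOW64\schtasks.exe", TASK_CMD, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(3228, 3040, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\System32\\cmd.exe" /c copy "{DROPPER}" "C:\\Users\\Admin\\AppData\\Roaming\\fkvd\\fkvd.exe"', DROPPER),
    ProcEvent(4100, 4000, VBC, f'"{VBC}" /noconfig @"C:\\proj\\obj\\Debug\\App.rsp"',
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
    ProcEvent(4200, 4150, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc hourly /mo 1 /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /f',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS):
        print(pid, finding)
```

Run against the constructed records it flags PIDs 3040, 956 and 512 and stays silent on the MSBuild-driven compile and the hourly task under Program Files. The empty-command-line test is the load-bearing check for hollowing: legitimate compiler invocations always carry source or response-file arguments, so an argument-less vbc.exe with a non-build parent is a high-confidence signal regardless of which RAT is injected.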
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (file, size where a region was captured):

memory/512-129-0x0000000000000000-mapping.dmp
memory/956-125-0x0000000000040000-0x0000000000041000-memory.dmp    4KB
memory/956-123-0x000000000042FC39-mapping.dmp
memory/956-122-0x0000000000400000-0x0000000000479000-memory.dmp    484KB
memory/956-124-0x0000000000040000-0x0000000000041000-memory.dmp    4KB
memory/956-126-0x0000000000400000-0x0000000000479000-memory.dmp    484KB
memory/1528-127-0x0000000000000000-mapping.dmp
memory/3040-118-0x0000000005700000-0x0000000005701000-memory.dmp   4KB
memory/3040-119-0x0000000005200000-0x0000000005201000-memory.dmp   4KB
memory/3040-120-0x0000000002910000-0x0000000002911000-memory.dmp   4KB
memory/3040-121-0x0000000005130000-0x0000000005131000-memory.dmp   4KB
memory/3040-115-0x0000000000AD0000-0x0000000000AD1000-memory.dmp   4KB
memory/3040-117-0x0000000005190000-0x0000000005191000-memory.dmp   4KB
memory/3228-128-0x0000000000000000-mapping.dmp

(The 484KB dumps of PID 956 cover 0x400000-0x479000, the image range of the hollowed vbc.exe process, and are the place to look for the injected payload; the mapping entry at 0x42FC39 is the address the new thread context was pointed at.)