Analysis
Max time kernel: 147s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 18:41
Static task: static1
Behavioral task: behavioral1
  Sample: REMITTAN.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: REMITTAN.exe
  Resource: win10v2004-20220414-en
General
Target: REMITTAN.exe
Size: 104KB
MD5: a5227202babf335d14eec4a0a497f62c
SHA1: b1ccb23abcaf2271167b9e7534e40512d8a36723
SHA256: e761de2471fe1811d6a545231c1aa3d6b8065f0157af871808d2443c8c61dd09
SHA512: b46ed3cbc786d997153be17ed7e1df5f08ed5525a09d7b824ff94dd4cca20c98ce7d015fb09ff2bca18bfeff81c3502fb4d6ba18714e5cc76b34e05cc98a16c1
Malware Config
Extracted family: guloader
C2 / payload URL: https://twadatabase.com/uj/newsamcav_HgMSY69.bin
Signatures

Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.

Guloader Payload (3 IoCs)
resource                                                                       yara_rule
behavioral2/memory/4576-132-0x0000000002080000-0x000000000208D000-memory.dmp   family_guloader
behavioral2/memory/3052-134-0x0000000000000000-mapping.dmp                     family_guloader
behavioral2/memory/3052-136-0x0000000001150000-0x0000000001250000-memory.dmp   family_guloader

Checks QEMU agent state file (2 TTPs, 2 IoCs)
Checks state file used by QEMU agent, possibly to detect virtualization.
Processes: REMITTAN.exe, RegAsm.exe
description              ioc                                 process
File opened (read-only)  C:\ProgramData\qemu-ga\qga.state    REMITTAN.exe
File opened (read-only)  C:\ProgramData\qemu-ga\qga.state    RegAsm.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: RegAsm.exe
description      ioc                                                                                                                                                                  process
Key created      \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                       RegAsm.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\subfolder1\\filename1.exe"   RegAsm.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: REMITTAN.exe, RegAsm.exe
pid   process
4576  REMITTAN.exe
3052  RegAsm.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: REMITTAN.exe
description                           pid   process       target process
PID 4576 set thread context of 3052   4576  REMITTAN.exe  RegAsm.exe
Modifies system certificate store
Processes: RegAsm.exe
description       ioc                                                                                                                                 process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349                RegAsm.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob data omitted]   RegAsm.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: REMITTAN.exe
pid   process
4576  REMITTAN.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: REMITTAN.exe
pid   process
4576  REMITTAN.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: REMITTAN.exe
description                        pid   process       target process
PID 4576 wrote to memory of 3052   4576  REMITTAN.exe  RegAsm.exe
PID 4576 wrote to memory of 3052   4576  REMITTAN.exe  RegAsm.exe
PID 4576 wrote to memory of 3052   4576  REMITTAN.exe  RegAsm.exe
PID 4576 wrote to memory of 3052   4576  REMITTAN.exe  RegAsm.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe"
   - Checks QEMU agent state file
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\REMITTAN.exe"
      - Checks QEMU agent state file
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies system certificate store
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3052-134-0x0000000000000000-mapping.dmp
memory/3052-136-0x0000000001150000-0x0000000001250000-memory.dmp  (Filesize: 1024KB)
memory/3052-137-0x00007FF8D8530000-0x00007FF8D8725000-memory.dmp  (Filesize: 2.0MB)
memory/3052-138-0x0000000076F40000-0x00000000770E3000-memory.dmp  (Filesize: 1.6MB)
memory/3052-139-0x0000000076F40000-0x00000000770E3000-memory.dmp  (Filesize: 1.6MB)
memory/4576-132-0x0000000002080000-0x000000000208D000-memory.dmp  (Filesize: 52KB)
memory/4576-133-0x00007FF8D8530000-0x00007FF8D8725000-memory.dmp  (Filesize: 2.0MB)
memory/4576-135-0x0000000076F40000-0x00000000770E3000-memory.dmp  (Filesize: 1.6MB)