bc7cedbf17f2a3b0cceaf8fbeab3a8a38953d1b64b17d89de74bec0c380516f2

Analysis

max time kernel
59s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30/05/2023, 13:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Remittance Copy.exe
Size

679KB
MD5

affce132a27adf2d4a2ee5c468cb32c5
SHA1

b74fc8146da6a80b7c3f717900825783d419c31a
SHA256

bc7cedbf17f2a3b0cceaf8fbeab3a8a38953d1b64b17d89de74bec0c380516f2
SHA512

680c71309cd6b1b4261b74fb0486731b9ce227371bddd62b5ee05dfd5f9b02a8a491d2004dbc96eca867d85902515a8b13153a8df66c6051da8eb15024d4ca88
SSDEEP

12288:okKvYhp1x0cO7t9qmvm0evA7ucbGh7sNqkH5y9CSte3u:okKvi1x0cOj9v5ih7Z79

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
912	Remittance Copy.exe
912	Remittance Copy.exe
912	Remittance Copy.exe
912	Remittance Copy.exe
912	Remittance Copy.exe
912	Remittance Copy.exe
912	Remittance Copy.exe
1884	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	Remittance Copy.exe
Token: SeDebugPrivilege	1884	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1884	912	Remittance Copy.exe	27
PID 912 wrote to memory of 1884	912	Remittance Copy.exe	27
PID 912 wrote to memory of 1884	912	Remittance Copy.exe	27
PID 912 wrote to memory of 1884	912	Remittance Copy.exe	27
PID 912 wrote to memory of 360	912	Remittance Copy.exe	29
PID 912 wrote to memory of 360	912	Remittance Copy.exe	29
PID 912 wrote to memory of 360	912	Remittance Copy.exe	29
PID 912 wrote to memory of 360	912	Remittance Copy.exe	29
PID 912 wrote to memory of 1752	912	Remittance Copy.exe	31
PID 912 wrote to memory of 1752	912	Remittance Copy.exe	31
PID 912 wrote to memory of 1752	912	Remittance Copy.exe	31
PID 912 wrote to memory of 1752	912	Remittance Copy.exe	31
PID 912 wrote to memory of 1180	912	Remittance Copy.exe	32
PID 912 wrote to memory of 1180	912	Remittance Copy.exe	32
PID 912 wrote to memory of 1180	912	Remittance Copy.exe	32
PID 912 wrote to memory of 1180	912	Remittance Copy.exe	32
PID 912 wrote to memory of 240	912	Remittance Copy.exe	33
PID 912 wrote to memory of 240	912	Remittance Copy.exe	33
PID 912 wrote to memory of 240	912	Remittance Copy.exe	33
PID 912 wrote to memory of 240	912	Remittance Copy.exe	33
PID 912 wrote to memory of 1208	912	Remittance Copy.exe	34
PID 912 wrote to memory of 1208	912	Remittance Copy.exe	34
PID 912 wrote to memory of 1208	912	Remittance Copy.exe	34
PID 912 wrote to memory of 1208	912	Remittance Copy.exe	34
PID 912 wrote to memory of 1580	912	Remittance Copy.exe	35
PID 912 wrote to memory of 1580	912	Remittance Copy.exe	35
PID 912 wrote to memory of 1580	912	Remittance Copy.exe	35
PID 912 wrote to memory of 1580	912	Remittance Copy.exe	35

C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\OUoZEBShSDxmY.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OUoZEBShSDxmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp252E.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:360
- C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe"
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe"
  2⤵
  PID:1180
- C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe"
  2⤵
  PID:240
- C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe"
  2⤵
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe
  "C:\Users\Admin\AppData\Local\Temp\Remittance Copy.exe"
  2⤵
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp252E.tmp

Filesize
1KB

MD5
7b6f6135e946541ffed03caf7a7a7ebd

SHA1
411fb5e9655bfd9a26da4c29d8313a9bc85bd960

SHA256
a6858b85df9732a56c403bbbb676565a969a37c13c501d9c64925e933dfd92af

SHA512
84bf748a5f74c48e5a7ceae52aca5d05c490c6d844aa8bf712d7d3959e22f8ca10461229ebf505d1caf9a3828626410aedfb889a7c63ca693e93e2fad031b18a

Download Submit
memory/912-54-0x0000000000240000-0x00000000002F0000-memory.dmp

Filesize
704KB

Download
memory/912-55-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/912-56-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/912-57-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download
memory/912-58-0x0000000004B50000-0x0000000004BBA000-memory.dmp

Filesize
424KB

Download
memory/912-66-0x0000000004810000-0x0000000004842000-memory.dmp

Filesize
200KB

Download
memory/1884-67-0x0000000002660000-0x00000000026A0000-memory.dmp

Filesize
256KB

Download