Overview

overview

10

Static

static

Attached pdf.exe

windows7_x64

10

Attached pdf.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30-03-2021 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attached pdf.exe

  • Size

    617KB

  • MD5

    83c9cee1f209ec02934e3895d5c51dfa

  • SHA1

    2ba1dac5e2fef7a948b21efcc267b3096656cf68

  • SHA256

    93e8c5b7f7c4b18efb1f1c09c5ad9c5d8782611b9417f19063cdd17f3cdd92ee

  • SHA512

    2df5a3c0f01f3aed5dd1d1cee3ef30e99b0b7e5e1692c6818f720d6d00bcb2b23a56b2334422ae618a57ffe87ceab0c5b54d6d43bfd463e77956eaa3feb656a2

Score
10/10
modiloaderremcospersistencerattrojan

Malware Config

Extracted

Family

remcos

C2

rem1.camdvr.org:2404

rem16.hopto.org:2404

rem1666.hopto.org:2404

rem16.camdvr.org:2404

remmusic.freeddns.org:2404

sunwap1.ddns.net:2404

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Attached pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Attached pdf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Program Files (x86)\internet explorer\ieinstal.exe
        "C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\szqwxykuvcrxpugqkyjlv"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1912
      • C:\Program Files (x86)\internet explorer\ieinstal.exe
        "C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\utdpyruvrkkkaauutjefyrhx"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1540
      • C:\Program Files (x86)\internet explorer\ieinstal.exe
        "C:\Program Files (x86)\internet explorer\ieinstal.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fwjazjfpfscpcoqgktqgjwcgeow"
        3⤵
          PID:1020

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\szqwxykuvcrxpugqkyjlv
      MD5

      814b5ce4cad79d36055d2d4b5958cc31

      SHA1

      2a06a869615f0858479371b0415899681fb0c7d8

      SHA256

      6d1fa1a75faec2b39e8a2a1df8dd0f15e5256de7da7c527225ecf22fdacaf559

      SHA512

      a82fa1594ccbe1df93a973a01c787a6baa0ce8a97c0b0b0a844c90cb6be092b1094636b4d88c568fece95cd9bdfe4412875011abe318373a4fcfc218f93d1278

      Download Submit
    • memory/1020-24-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1020-19-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/1020-20-0x0000000000455238-mapping.dmp
      Download
    • memory/1540-17-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1540-22-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/1540-18-0x0000000000422206-mapping.dmp
      Download
    • memory/1912-21-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1912-15-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/1912-16-0x0000000000476274-mapping.dmp
      Download
    • memory/2496-13-0x0000000010540000-0x0000000010564000-memory.dmp
      Filesize

      144KB

      Download
    • memory/2496-14-0x0000000000480000-0x00000000004A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/2496-8-0x0000000000410000-0x0000000000411000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2496-6-0x0000000000470000-0x0000000000471000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2496-5-0x0000000000000000-mapping.dmp
      Download
    • memory/2496-4-0x00000000001B0000-0x00000000001B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3996-2-0x00000000021E0000-0x00000000021E1000-memory.dmp
      Filesize

      4KB

      Download