Overview

overview

10

Static

static

IMG_7100.scr

windows7_x64

10

IMG_7100.scr

windows10_x64

10

IMG_7100.scr

windows10-2004_x64

10

IMG_7100.scr

windows11_x64

Analysis

  • max time kernel
    270s
  • max time network
    263s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    26-01-2022 15:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_7100.scr

  • Size

    869KB

  • MD5

    327916646174b24f42a533053e976e41

  • SHA1

    60884023e12058000563bdb2f302f8fc00d4c83d

  • SHA256

    a800578827b7e3667884f92ab26a58dc3197e3be7730678d84aa3d9bb5d15db3

  • SHA512

    78a980271645839e0e859077c913cef16da4dd4611f5c1e5ce0e5db25b866ff417c22f639b931839e98ccb9cd4914e46c4876b1756c7fc03b7f6f39bca4c9237

Score
10/10
modiloaderremcosremotehostpersistencerattrojan

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

RemoteHost

C2

proprapra90.ddns.net:8810

storeyman7109.duckdns.org:8810
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    morethan-CJ2X2C

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader First Stage 7 IoCs
  • ModiLoader Second Stage 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_7100.scr
    "C:\Users\Admin\AppData\Local\Temp\IMG_7100.scr" /S
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\DpiScaling.exe
      C:\Windows\System32\DpiScaling.exe
      2⤵
        PID:3644
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe f0e91e6da8bc0587d19a36a6454a5940 7s8fIIQQMEmz3ID6MaZggQ.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:1396
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:524
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
        1⤵
          PID:2992

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Registry Run Keys / Startup Folder

        2
        T1060

        Privilege Escalation

        Defense Evasion

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2716-133-0x0000000002370000-0x0000000002371000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2716-135-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-181-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-182-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-183-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-184-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-180-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-185-0x0000000002F00000-0x0000000002F1B000-memory.dmp
          Filesize

          108KB

          Download
        • memory/2716-194-0x0000000003910000-0x00000000039D3000-memory.dmp
          Filesize

          780KB

          Download
        • memory/3644-235-0x0000000002F80000-0x0000000002F81000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3644-234-0x0000000002EC0000-0x0000000002EC1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3644-236-0x0000000002EE0000-0x0000000002EE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3644-237-0x0000000072600000-0x000000007267E000-memory.dmp
          Filesize

          504KB

          Download
        • memory/3644-238-0x0000000000400000-0x000000000047B000-memory.dmp
          Filesize

          492KB

          Download