Analysis
-
max time kernel
153s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
02-08-2022 19:28
General
-
Target
6036b574d93e0f406160cb2fd5ae636d.exe
-
Size
943KB
-
MD5
6036b574d93e0f406160cb2fd5ae636d
-
SHA1
bf7a1f488e36139f75e93458fd71f660cf7996e0
-
SHA256
0094a21cdba5b0d2622b2686f64dbcccf090675ae7ae86f21d4063ac1e17ccf9
-
SHA512
323fc3b7dc66c3557d4176605702bafd8a38b6a264b2969b2fbabcd9e99cccb5bc8461f67e45362addc13c4efc9f78015314988ac1a94241ed61f87d7dffef52
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
RemoteHost
C2
onigegegege.duckdns.org:45354
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-N5M2AU
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage 63 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6036b574d93e0f406160cb2fd5ae636d.exe"C:\Users\Admin\AppData\Local\Temp\6036b574d93e0f406160cb2fd5ae636d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cleanmgr.exe"C:\Windows\System32\cleanmgr.exe"2⤵
- Enumerates connected drives
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/548-148-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-161-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-162-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-163-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-164-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-165-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-166-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-167-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-168-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-170-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-169-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-171-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-172-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-173-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-174-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-175-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-176-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-177-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-178-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-179-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-180-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-181-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-183-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-182-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-184-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-185-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-186-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-187-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-190-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-189-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-192-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-191-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-196-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-200-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-201-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-204-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-203-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-202-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-199-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-198-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-197-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-195-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-194-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-193-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-188-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-210-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-214-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-218-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-223-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-224-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-225-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-226-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-222-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-220-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-219-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-217-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-215-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-216-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-213-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-212-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-211-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-209-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-208-0x0000000003D60000-0x0000000003E54000-memory.dmpFilesize
976KB
-
memory/548-207-0x0000000050590000-0x0000000050617000-memory.dmpFilesize
540KB
-
memory/3844-205-0x0000000000000000-mapping.dmp
-
memory/3844-221-0x0000000050590000-0x0000000050617000-memory.dmpFilesize
540KB
-
memory/3844-237-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/3844-238-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB