Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
03-08-2022 05:18
General
-
Target
order.scr
-
Size
943KB
-
MD5
d898ec314df386d53273beae1740c7f9
-
SHA1
48129f3aa13df929f1cb8ed23980eb350473d637
-
SHA256
e78e1baff2d7a3f921993ef1537adbed0b4cead4154cc42c2bd760ace1dce46f
-
SHA512
89acf578e9c40eb83e053d220c3793dacaa5bfb6fa5a7ea7b9ed8a33d5c0962dfe771c1e5f34605b86fa7a384decff22c42dd7cb8a48b98388aa0cd667917bc6
Score
10/10
Malware Config
Extracted
Family
remcos
Botnet
RemoteHost
C2
www.varshtrade.com:2404
Attributes
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
notepad
-
mouse_option
false
-
mutex
notepad-TFQMB3
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage 63 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\order.scr"C:\Users\Admin\AppData\Local\Temp\order.scr" /S1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cleanmgr.exe"C:\Windows\System32\cleanmgr.exe"2⤵
- Enumerates connected drives
- Drops file in System32 directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4000-205-0x0000000000000000-mapping.dmp
-
memory/4000-208-0x0000000050590000-0x000000005061A000-memory.dmpFilesize
552KB
-
memory/4000-224-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/4000-236-0x0000000000400000-0x000000000047E000-memory.dmpFilesize
504KB
-
memory/4532-145-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-161-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-162-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-163-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-164-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-165-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-166-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-167-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-168-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-169-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-170-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-171-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-172-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-173-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-174-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-175-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-176-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-177-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-178-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-179-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-180-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-181-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-182-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-183-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-184-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-185-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-186-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-187-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-188-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-189-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-190-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-191-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-192-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-193-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-194-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-195-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-196-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-197-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-198-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-199-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-200-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-201-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-202-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-204-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-203-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-206-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-209-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-210-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-207-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-211-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-212-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-213-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-214-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-215-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-216-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-217-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-218-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-219-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-220-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-221-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-222-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-225-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB
-
memory/4532-223-0x00000000041F0000-0x00000000042E7000-memory.dmpFilesize
988KB