Analysis

max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-08-2022 19:47

Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan7000000f1.31576.exe
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan7000000f1.31576.exe
  Resource: win10v2004-20220721-en
General

Target: SecuriteInfo.com.Trojan7000000f1.31576.exe
Size: 859KB
MD5: b25559abb9260a598d98bf66b7725784
SHA1: 8dade95ddbd3c29d8d6e5e47ee4c8eb0bbac0e65
SHA256: 21d5d5d31a4a17556ceb223272f3e908a352485dcd90dc203c99826638e7cbd9
SHA512: 216f94b2232d13d211f07d4bbf7a3c1cb7093e1a45d176374c567d690fd467705b2caa4e5763f62d2b07afc0189a46e45e882c490d29c05aff8eb713e0d1ca91
Malware Config

Extracted: remcos

RemoteHost:
  hendersonk1.hopto.org:2404
  henderson1.camdvr.org:2404
  centplus1.serveftp.com:2404
  harrywlike.ddns.net:2404
  genekol.nsupdate.info:2404
  harrywlike1.ddns.net:2404
  hendersonk2022.hopto.org:2404
  genekol1.nsupdate.info:2404
  generem.camdvr.org:2404
audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
install_path: %AppData%
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
keylog_path: %AppData%
mouse_option: false
mutex: gsgjdwg-DIO8L7
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;
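The extracted config above is only useful once it is turned into things a responder can search for. The script below is an added example, not code from this report or from the Remcos project: it parses the report's flattened "key / value / -" layout (CONFIG_TEXT is the report's values rebuilt as a string, so it is constructed input), splits the RemoteHost list into host/port pairs, groups the C2 names by their dynamic-DNS zone, and derives the file and registry artefacts Remcos would create together with the flag that gates each one. The mapping from config keys to on-disk paths is an assumption made from the key names. Note that install_flag and keylog_flag are both false in this build, so the %AppData%\Remcos\remcos.exe copy and the Remcos run value are not expected on disk; the persistence actually observed in this run is the loader's own Run value, not Remcos's.

```python
"""Turn an extracted Remcos configuration into hunt artefacts.

Added example; not code from the sandbox report or the Remcos project.
CONFIG_TEXT is the report's flattened "key / value / -" layout rebuilt as a
string from the values shown above (constructed sample input). Which on-disk
path each key maps to is an assumption of this example, made from the key name.
"""
import re
from collections import Counter

CONFIG_TEXT = """\
RemoteHost
hendersonk1.hopto.org:2404
henderson1.camdvr.org:2404
centplus1.serveftp.com:2404
harrywlike.ddns.net:2404
genekol.nsupdate.info:2404
harrywlike1.ddns.net:2404
hendersonk2022.hopto.org:2404
genekol1.nsupdate.info:2404
generem.camdvr.org:2404
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
install_flag
false
-
install_path
%AppData%
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mutex
gsgjdwg-DIO8L7
-
startup_value
Remcos
-
take_screenshot_title
notepad;solitaire;
"""


def parse_flat_config(text):
    """Blocks are a key line followed by one or more value lines, separated
    by a line containing only '-'. Multi-value keys become lists."""
    cfg = {}
    for block in re.split(r"^-$", text, flags=re.MULTILINE):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        key, values = lines[0], lines[1:]
        cfg[key] = values if len(values) > 1 else (values[0] if values else "")
    return cfg


def c2_endpoints(cfg):
    """(host, port) tuples; Remcos stores one host:port per RemoteHost line."""
    hosts = cfg["RemoteHost"]
    if isinstance(hosts, str):
        hosts = [hosts]
    out = []
    for entry in hosts:
        host, _, port = entry.rpartition(":")
        out.append((host, int(port)))
    return out


def dynamic_dns_zones(cfg):
    """C2 hosts per registered zone (last two labels). Every C2 name in this
    sample sits under a free dynamic-DNS provider, so a zone-level DNS alert
    also catches the next renamed host."""
    return Counter(".".join(host.split(".")[-2:]) for host, _ in c2_endpoints(cfg))


def _on(value):
    return str(value).lower() == "true"


def host_artifacts(cfg):
    """Files and registry values Remcos would create, each with the flag that
    gates it. A false flag means the artefact is named but not expected."""
    def join(*parts):
        return "\\".join(parts)

    return {
        "mutex": cfg["mutex"],
        "install_enabled": _on(cfg["install_flag"]),
        "install_exe": join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]),
        "run_value_name": cfg["startup_value"],
        "keylog_enabled": _on(cfg["keylog_flag"]),
        "keylog_file": join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
        "screenshot_titles": [t for t in cfg["take_screenshot_title"].split(";") if t],
    }


if __name__ == "__main__":
    cfg = parse_flat_config(CONFIG_TEXT)
    for host, port in c2_endpoints(cfg):
        print(f"C2 {host}:{port}")
    print(dict(dynamic_dns_zones(cfg)))
    print(host_artifacts(cfg))
```

All nine C2 hosts use port 2404, and the five zones (hopto.org, camdvr.org, serveftp.com, ddns.net, nsupdate.info) are all dynamic-DNS providers, which is why the zone grouping is worth more than the individual hostnames for egress rules.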
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Blocklisted process makes network request (1 IoC)
  flow 53, PID 3220, cmd.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation, by SecuriteInfo.com.Trojan7000000f1.31576.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfjeeqedq = "C:\\Users\\Public\\Libraries\\qdeqeejfV.url", by SecuriteInfo.com.Trojan7000000f1.31576.exe
  The Run value points at an Internet Shortcut (.url) file in the shared C:\Users\Public\Libraries folder, the same folder the loader's batch files are written to, rather than at an executable. qdeqeejfV.url is not among the dropped files captured in this run, so its target cannot be read from this report.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that here, and drive enumeration is also common anti-sandbox and reconnaissance behaviour.

Runs net.exe
  The command is net session (see the process tree). net session fails unless the caller is elevated, so batch scripts commonly use it as an elevation probe; the report records only the command line, not what VfjeeqedqO.bat does with the result.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 3988 powershell.exe (2), PID 4220 SecuriteInfo.com.Trojan7000000f1.31576.exe (2)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3988 powershell.exe
  powershell.exe enabling SeDebugPrivilege is routine for that host process; the interesting part is its command line (see the process tree).

Suspicious use of WriteProcessMemory (30 IoCs)
  writer PID  writer image                                target PID  target image    writes
  4220        SecuriteInfo.com.Trojan7000000f1.31576.exe  856         cmd.exe          3
  856         cmd.exe                                     4768        cmd.exe          3
  4768        cmd.exe                                     4680        net.exe          3
  4680        net.exe                                     1060        net1.exe         3
  4768        cmd.exe                                     3988        powershell.exe   3
  4220        SecuriteInfo.com.Trojan7000000f1.31576.exe  3220        cmd.exe         15
  Every ordinary parent/child spawn in this run shows exactly three writes. The fifteen writes from the sample into cmd.exe (PID 3220), the process the sandbox later flags for the blocklisted network request, together with the 488KB dump of that process's image range (0x400000-0x47A000) and the 500KB region at 0x50590000 that appears in both PID 4220 and PID 3220, are consistent with the Remcos payload being injected into cmd.exe rather than run from its own file.
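The WriteProcessMemory signature fires once per write and does not tell injection apart from ordinary process creation. The script below is an added example, not code from the report or the sandbox vendor: it parses records in the report's own "PID X wrote to memory of Y X writer target" form (RECORDS rebuilds the 30 records above, so it is constructed input), counts writes per writer/target pair, and reports the pairs whose count exceeds the spawn baseline. That three writes accompany every plain spawn is an observation from this report's data and an assumption of the example, not a documented sandbox property; tune CREATE_BASELINE to whatever your own telemetry shows for a clean CreateProcess.

```python
"""Rank cross-process memory writes from a sandbox WriteProcessMemory log.

Added example, not code from the report or the sandbox vendor. RECORDS is the
report's 30 records rebuilt as a string (constructed input). The three-writes
spawn baseline is an assumption taken from this report's own data.
"""
import re
from collections import Counter

SAMPLE = "SecuriteInfo.com.Trojan7000000f1.31576.exe"
_REC = "PID {src} wrote to memory of {dst} {src} {sname} {dname} "
RECORDS = (
    _REC.format(src=4220, dst=856, sname=SAMPLE, dname="cmd.exe") * 3
    + _REC.format(src=856, dst=4768, sname="cmd.exe", dname="cmd.exe") * 3
    + _REC.format(src=4768, dst=4680, sname="cmd.exe", dname="net.exe") * 3
    + _REC.format(src=4680, dst=1060, sname="net.exe", dname="net1.exe") * 3
    + _REC.format(src=4768, dst=3988, sname="cmd.exe", dname="powershell.exe") * 3
    + _REC.format(src=4220, dst=3220, sname=SAMPLE, dname="cmd.exe") * 15
)

# "PID <w> wrote to memory of <t> <w> <writer image> <target image>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")
CREATE_BASELINE = 3  # writes seen for every plain parent->child spawn in this report (assumption)


def parse_records(text):
    """(writer_pid, target_pid, writer_image, target_image) per record."""
    return [(int(s), int(d), sn, dn) for s, d, sn, dn in RECORD_RE.findall(text)]


def write_counts(records):
    """Writes per (writer_pid, target_pid) pair, plus a pid -> image map."""
    counts, names = Counter(), {}
    for s, d, sn, dn in records:
        counts[(s, d)] += 1
        names[s], names[d] = sn, dn
    return counts, names


def injection_candidates(records, baseline=CREATE_BASELINE):
    """Pairs whose write count exceeds the spawn baseline, most writes first.
    Writes beyond what process creation needs are what payload injection or
    image replacement looks like in this kind of log."""
    counts, names = write_counts(records)
    hits = [
        {"writer": names[s], "writer_pid": s, "target": names[d],
         "target_pid": d, "writes": n, "excess": n - baseline}
        for (s, d), n in counts.items() if n > baseline
    ]
    return sorted(hits, key=lambda h: h["writes"], reverse=True)


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    print(f"{len(recs)} records")
    for hit in injection_candidates(recs):
        print(hit)
```

On this report's data only the 4220 to 3220 pair stands out (15 writes, 12 above baseline), which matches the sandbox attributing the network request to cmd.exe rather than to the sample itself.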
Processes
(PIDs taken from the WriteProcessMemory records above; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan7000000f1.31576.exe  (PID 4220, depth 1)
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan7000000f1.31576.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 856, depth 2)
    C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Vfjeeqedqt.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 4768, depth 3)
      C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\VfjeeqedqO.bat
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 4680, depth 4)
        net session
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 1060, depth 5)
          C:\Windows\system32\net1 session

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 3988, depth 4)
        powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe  (PID 3220, depth 2)
    "C:\Windows\System32\cmd.exe" /k
    - Blocklisted process makes network request

The PowerShell stage excludes the whole of C:\Users from Microsoft Defender scanning, which covers C:\Users\Public\Libraries, where the batch files and the Run-value target live. The SysWOW64 image paths show the chain runs as 32-bit processes on this x64 image.
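Two events in this tree are cheap to detect on an endpoint without any sample-specific indicator: a Run value that points at a shortcut or script in the shared C:\Users\Public tree, and a PowerShell command that adds a Defender exclusion. The script below is an added example, not code from the report or any vendor. EVENTS is constructed from the report's own registry write and command line plus two benign control lines, in an assumed tab-separated "type, image, detail" layout; the extension list and the set of roots treated as an over-broad exclusion are choices of this example, not a standard.

```python
"""Flag the two loader-stage host events seen in this process tree.

Added example; not code from the report or any vendor. EVENTS are constructed
from the report's registry write and PowerShell command line plus two benign
controls, in an assumed tab-separated "type<TAB>image<TAB>detail" layout.
"""
import re

EVENTS = [
    "registry_set\tSecuriteInfo.com.Trojan7000000f1.31576.exe\t"
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vfjeeqedq="
    "C:\\Users\\Public\\Libraries\\qdeqeejfV.url",
    "process_create\tpowershell.exe\tpowershell -WindowStyle Hidden -inputformat none "
    "-outputformat none -NonInteractive -Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\"",
    "process_create\tnet.exe\tnet session",
    # benign controls (constructed): a normal Run value and a narrow exclusion
    "registry_set\texplorer.exe\tHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive="
    "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "process_create\tpowershell.exe\tpowershell -Command \"Add-MpPreference -ExclusionPath 'C:\\BuildAgent\\work'\"",
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\([^=]+)=(.+)$", re.IGNORECASE)
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.IGNORECASE)

# Shortcut and script types a Run value should not normally point at (example's choice).
SHORTCUT_OR_SCRIPT = {"url", "lnk", "bat", "cmd", "vbs", "js", "hta"}
# Excluding any of these roots, or a parent of one, blanket-disables scanning of
# user-writable space (example's choice).
BROAD_ROOTS = ("C:\\", "C:\\Users", "C:\\ProgramData", "C:\\Windows\\Temp")


def check_run_value(detail):
    """Finding for a Run value whose target is a shortcut/script or lives under
    the shared C:\\Users\\Public tree; None otherwise."""
    m = RUN_VALUE_RE.search(detail)
    if not m:
        return None
    name, target = m.group(1), m.group(2).strip().strip('"')
    reasons = []
    ext = target.lower().rsplit(".", 1)[-1]
    if ext in SHORTCUT_OR_SCRIPT:
        reasons.append(f"target is a .{ext} file, not a PE")
    if target.lower().startswith("c:\\users\\public\\"):
        reasons.append("target under C:\\Users\\Public")
    return {"value": name, "target": target, "reasons": reasons} if reasons else None


def is_broad_exclusion(path):
    """True when the excluded path equals, or is a parent of, a broad root."""
    norm = path.lower().rstrip("\\")
    for root in BROAD_ROOTS:
        r = root.lower().rstrip("\\")
        if r == norm or r.startswith(norm + "\\"):
            return True
    return False


def check_defender_exclusion(cmdline):
    """Every Add-MpPreference exclusion is worth a ticket; a broad path
    exclusion is worth an alert."""
    m = EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    kind, value = m.group(1).lower(), m.group(2).strip()
    return {"kind": kind, "value": value,
            "broad": kind == "path" and is_broad_exclusion(value)}


def triage(events):
    findings = []
    for line in events:
        kind, image, detail = line.split("\t", 2)
        hit, rule = None, None
        if kind == "registry_set":
            hit, rule = check_run_value(detail), "run_value_shortcut_or_public"
        elif kind == "process_create":
            hit, rule = check_defender_exclusion(detail), "defender_exclusion_added"
        if hit:
            findings.append({"rule": rule, "image": image, **hit})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The Run-value check fires on both counts for this sample (a .url target in C:\Users\Public\Libraries), the 'C:\Users' exclusion is marked broad, and the narrow build-agent exclusion is surfaced but not flagged, which is the distinction an on-call analyst needs.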
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Public\Libraries\Cdex.bat
  Filesize: 155B
  MD5: 213c60adf1c9ef88dc3c9b2d579959d2
  SHA1: e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
  SHA256: 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
  SHA512: fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
  (dropped but not seen executing in the process tree above)

C:\Users\Public\Libraries\VfjeeqedqO.bat
  Filesize: 1KB
  MD5: df48c09f243ebcc8a165f77a1c2bf889
  SHA1: 455f7db0adcc2a58d006f1630fb0bd55cd868c07
  SHA256: 4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca
  SHA512: 735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

C:\Users\Public\Libraries\Vfjeeqedqt.bat
  Filesize: 58B
  MD5: 3178f18d44440e060a5ddc9d776f91be
  SHA1: af8fe33c2703be22df946f1bcf4f03fa9372deb2
  SHA256: b4e94a60e6233eeb1861831fa72daa04bbc0e0ef6b0b46b0115dc2d58f14f981
  SHA512: 1ff961c24c7df94402d5909a65742e7181b842cedeeff6de2c41ddc396e3c4774eabb4d12fac4e740b9a04b9130f1c36f1155c131bfa9b1c0626efaa46723929

memory/856-139-0x0000000000000000-mapping.dmp
memory/1060-144-0x0000000000000000-mapping.dmp
memory/3220-212-0x0000000000400000-0x000000000047A000-memory.dmp  Filesize: 488KB
memory/3220-211-0x0000000000400000-0x000000000047A000-memory.dmp  Filesize: 488KB
memory/3220-210-0x0000000050590000-0x000000005060D000-memory.dmp  Filesize: 500KB
memory/3220-169-0x0000000000000000-mapping.dmp
memory/3988-153-0x0000000006A50000-0x0000000006A82000-memory.dmp  Filesize: 200KB
memory/3988-157-0x00000000076E0000-0x00000000076FA000-memory.dmp  Filesize: 104KB
memory/3988-150-0x0000000005DE0000-0x0000000005E46000-memory.dmp  Filesize: 408KB
memory/3988-151-0x0000000005E50000-0x0000000005EB6000-memory.dmp  Filesize: 408KB
memory/3988-152-0x00000000064C0000-0x00000000064DE000-memory.dmp  Filesize: 120KB
memory/3988-148-0x0000000005680000-0x0000000005CA8000-memory.dmp  Filesize: 6.2MB
memory/3988-154-0x000000006F4F0000-0x000000006F53C000-memory.dmp  Filesize: 304KB
memory/3988-155-0x0000000006A30000-0x0000000006A4E000-memory.dmp  Filesize: 120KB
memory/3988-156-0x0000000007E60000-0x00000000084DA000-memory.dmp  Filesize: 6.5MB
memory/3988-149-0x0000000005600000-0x0000000005622000-memory.dmp  Filesize: 136KB
memory/3988-158-0x0000000007820000-0x000000000782A000-memory.dmp  Filesize: 40KB
memory/3988-159-0x0000000007A10000-0x0000000007AA6000-memory.dmp  Filesize: 600KB
memory/3988-160-0x00000000079D0000-0x00000000079DE000-memory.dmp  Filesize: 56KB
memory/3988-161-0x0000000007AE0000-0x0000000007AFA000-memory.dmp  Filesize: 104KB
memory/3988-162-0x0000000007AC0000-0x0000000007AC8000-memory.dmp  Filesize: 32KB
memory/3988-147-0x0000000005010000-0x0000000005046000-memory.dmp  Filesize: 216KB
memory/3988-146-0x0000000000000000-mapping.dmp
memory/4220-171-0x0000000050590000-0x000000005060D000-memory.dmp  Filesize: 500KB
memory/4680-143-0x0000000000000000-mapping.dmp
memory/4768-141-0x0000000000000000-mapping.dmp