Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220721-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220721-en locale:en-us os:windows10-2004-x64 system
-
submitted
09-08-2022 16:04
Static task
static1
Behavioral task
behavioral1
Sample
NOTE.exe
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
NOTE.exe
Resource
win10v2004-20220721-en
General
-
Target
NOTE.exe
-
Size
859KB
-
MD5
e1bcdf7c174005548e6cb8309e679ae0
-
SHA1
a76ed4349c9fece837737c9db5814ab11da53ffa
-
SHA256
a46b958c56cc28fb4e63f2080e68d95a3dedc2abe3f40ea9fd787af1980566d7
-
SHA512
ed9a6e3c93706211916619803def63bb00ff14c08f9988fe91d8b93f59d4f68ca63c97df6a1479f832844ac7a71da31bb30b1d95495174e407f618b76359757d
Malware Config
Extracted
remcos
RemoteHost
hendersonk1.hopto.org:2404
henderson1.camdvr.org:2404
centplus1.serveftp.com:2404
harrywlike.ddns.net:2404
genekol.nsupdate.info:2404
harrywlike1.ddns.net:2404
hendersonk2022.hopto.org:2404
genekol1.nsupdate.info:2404
generem.camdvr.org:2404
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
gsgjdwg-DIO8L7
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
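The extracted configuration above only becomes useful once it is turned into things you can search for. The script below is an added example, not code from the sandbox or from Remcos: it keeps the fields that matter for hunting, parses the RemoteHost list into (host, port) pairs, pivots from the dynamic-DNS names to the IPs they resolved to in a DNS log, and matches connection records on (resolved IP, port 2404). It also reports which host artifacts this particular build leaves: with install_flag and keylog_flag both false, the copy path, startup value and keylog file in the config are inert, and only the mutex of the running payload is an indicator (persistence in this run comes from the loader's Run value, see Signatures). The DNS and flow records are constructed for the demonstration, using documentation IP ranges, and are not from the report.

```python
"""Hunt artifacts from the Remcos config in this report.

Added example, not code from the sandbox or from Remcos.  REMCOS_CONFIG mirrors
the "Malware Config" section (fields not used here are omitted); SAMPLE_DNS and
SAMPLE_FLOWS are constructed telemetry using documentation IP ranges.
"""
import re
from collections import defaultdict

REMCOS_CONFIG = {
    "RemoteHost": [
        "hendersonk1.hopto.org:2404", "henderson1.camdvr.org:2404",
        "centplus1.serveftp.com:2404", "harrywlike.ddns.net:2404",
        "genekol.nsupdate.info:2404", "harrywlike1.ddns.net:2404",
        "hendersonk2022.hopto.org:2404", "genekol1.nsupdate.info:2404",
        "generem.camdvr.org:2404",
    ],
    "install_flag": False, "install_path": "%AppData%",
    "copy_folder": "Remcos", "copy_file": "remcos.exe", "startup_value": "Remcos",
    "keylog_flag": False, "keylog_path": "%AppData%",
    "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "mutex": "gsgjdwg-DIO8L7",
}

_HOSTPORT = re.compile(r"^(?P<host>[a-z0-9.-]+):(?P<port>\d{1,5})$", re.I)


def c2_endpoints(cfg):
    """(host, port) pairs from RemoteHost; hosts lower-cased, no trailing dot."""
    pairs = []
    for entry in cfg["RemoteHost"]:
        m = _HOSTPORT.match(entry.strip())
        if not m:
            raise ValueError(f"unparseable RemoteHost entry: {entry!r}")
        pairs.append((m["host"].lower().rstrip("."), int(m["port"])))
    return pairs


def host_artifacts(cfg):
    """Host indicators this build leaves.  The copy path, startup value and
    keylog file only exist when their flags are set; with install_flag and
    keylog_flag false (as here) only the mutex of the running payload remains."""
    art = {"mutex": cfg["mutex"], "files": [], "run_value": None}
    if cfg["install_flag"]:
        art["files"].append("\\".join((cfg["install_path"], cfg["copy_folder"], cfg["copy_file"])))
        art["run_value"] = cfg["startup_value"]
    if cfg["keylog_flag"]:
        art["files"].append("\\".join((cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"])))
    return art


def resolve_pivot(dns_records, endpoints):
    """{ip: {c2 names}} from DNS answers.  DDNS names rotate, so the IPs your
    own resolvers actually handed out are the reliable key for flow matching."""
    names = {h for h, _ in endpoints}
    ips = defaultdict(set)
    for r in dns_records:
        q = r["qname"].lower().rstrip(".")
        if q in names and r.get("answer"):
            ips[r["answer"]].add(q)
    return dict(ips)


def match_flows(flows, ip_map, endpoints):
    """Connections to a resolved C2 IP on one of the configured ports."""
    ports = {p for _, p in endpoints}
    return [{**f, "c2_names": sorted(ip_map[f["dst_ip"]])}
            for f in flows if f["dst_ip"] in ip_map and f["dst_port"] in ports]


# Constructed records (not from the report).
SAMPLE_DNS = [
    {"ts": "2022-08-09T16:05:01", "src": "10.0.0.21", "qname": "hendersonk1.hopto.org.", "answer": "203.0.113.7"},
    {"ts": "2022-08-09T16:05:02", "src": "10.0.0.21", "qname": "GENEKOL.nsupdate.info", "answer": "203.0.113.7"},
    {"ts": "2022-08-09T16:05:03", "src": "10.0.0.21", "qname": "updates.example.com", "answer": "198.51.100.4"},
    {"ts": "2022-08-09T16:05:04", "src": "10.0.0.21", "qname": "harrywlike.ddns.net", "answer": None},  # NXDOMAIN
]
SAMPLE_FLOWS = [
    {"ts": "2022-08-09T16:05:05", "src": "10.0.0.21", "dst_ip": "203.0.113.7", "dst_port": 2404},
    {"ts": "2022-08-09T16:05:06", "src": "10.0.0.21", "dst_ip": "198.51.100.4", "dst_port": 443},
    {"ts": "2022-08-09T16:05:07", "src": "10.0.0.21", "dst_ip": "203.0.113.7", "dst_port": 443},  # same IP, other port
]


def hunt(cfg=REMCOS_CONFIG, dns=SAMPLE_DNS, flows=SAMPLE_FLOWS):
    eps = c2_endpoints(cfg)
    return match_flows(flows, resolve_pivot(dns, eps), eps)


if __name__ == "__main__":
    for h in hunt():
        print(f"{h['ts']} {h['src']} -> {h['dst_ip']}:{h['dst_port']} C2 names {h['c2_names']}")
    print("host artifacts:", host_artifacts(REMCOS_CONFIG))
```

The port check is deliberate: a dynamic-DNS IP can be shared with unrelated services, so a connection to the same address on 443 (the third constructed flow) is not flagged. Drop the port condition for a wider, lower-confidence net.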
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families. In this run it stages batch files under C:\Users\Public\Libraries and delivers Remcos (see Malware Config).
-
Blocklisted process makes network request 7 IoCs
Processes:
flow  pid  process
70    740  cmd.exe
87    740  cmd.exe
96    740  cmd.exe
99    740  cmd.exe
101   740  cmd.exe
105   740  cmd.exe
109   740  cmd.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely a geofence check.
Processes:
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation  NOTE.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                                                process
Set value (str)  \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfjeeqedq = "C:\\Users\\Public\\Libraries\\qdeqeejfV.url"  NOTE.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature calls it likely ransomware behaviour; that label does not fit this sample, whose extracted configuration is the Remcos RAT, and no encryption or ransom-note activity appears elsewhere in this report.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
2712  powershell.exe
2712  powershell.exe
4184  NOTE.exe
4184  NOTE.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2712  powershell.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes:
Processes: NOTE.exe, cmd.exe, cmd.exe, net.exe (30 entries in the report; identical rows collapsed with a count)
description                       pid   process   target process  count
PID 4184 wrote to memory of 1912  4184  NOTE.exe  cmd.exe         3
PID 1912 wrote to memory of 3280  1912  cmd.exe   cmd.exe         3
PID 3280 wrote to memory of 4364  3280  cmd.exe   net.exe         3
PID 4364 wrote to memory of 1512  4364  net.exe   net1.exe        3
PID 3280 wrote to memory of 2712  3280  cmd.exe   powershell.exe  3
PID 4184 wrote to memory of 740   4184  NOTE.exe  cmd.exe         15
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\NOTE.exe (pid 4184)
    "C:\Users\Admin\AppData\Local\Temp\NOTE.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe (pid 1912)
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Vfjeeqedqt.bat" "
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe (pid 3280)
            C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\VfjeeqedqO.bat
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\net.exe (pid 4364)
                net session
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\net1.exe (pid 1512)
                    C:\Windows\system32\net1 session
            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 2712)
                powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\cmd.exe (pid 740)
        "C:\Windows\System32\cmd.exe" /k
        - Blocklisted process makes network request

The bare cmd.exe /k instance (pid 740) is the process NOTE.exe writes to 15 times (see WriteProcessMemory above) and the one the report attributes the blocklisted network requests to; together with the 488KB image-region dumps for pid 740 under Downloads, that points to the Remcos payload being injected into it rather than running from NOTE.exe directly. The PowerShell exclusion for all of C:\Users is the most consequential step in the tree: it switches Defender scanning off for every path the loader and payload use.
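The tree shows the loader's second stage: a batch in C:\Users\Public\Libraries runs net session (a common batch idiom for testing elevation; the batch contents are not in the report, so its purpose here is inferred), then launches PowerShell to add a Defender exclusion for the whole of C:\Users, while NOTE.exe itself writes a Run value pointing at a .url shortcut in the same Public\Libraries folder. The detection logic below is an added example, not code from the sandbox or the malware. It runs over process and registry events constructed to mirror the tree (the PIDs, images and command lines are the report's; the Sysmon-like field names are an assumption) plus two constructed controls, and scores an exclusion higher when the path is broad or when the same script chain ran an elevation check first.

```python
"""Detections for the chain in the process tree above.

Added example, not code from the sandbox or the malware.  EVENTS mirrors the
tree (PIDs, images and command lines are the report's) plus two constructed
controls; the Sysmon-like field names are an assumption, not a real export.
"""
import re

SID = "S-1-5-21-2372564722-193526734-2636556182-1000"  # from the report


def P(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def R(pid, key, data):
    return {"type": "registry", "pid": pid, "key": key, "data": data}


EVENTS = [
    P(4184, 1000, r"C:\Users\Admin\AppData\Local\Temp\NOTE.exe", r'"C:\Users\Admin\AppData\Local\Temp\NOTE.exe"'),
    R(4184, "\\REGISTRY\\USER\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfjeeqedq",
      r'"C:\Users\Public\Libraries\qdeqeejfV.url"'),
    P(1912, 4184, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Vfjeeqedqt.bat" "'),
    P(3280, 1912, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\VfjeeqedqO.bat"),
    P(4364, 3280, r"C:\Windows\SysWOW64\net.exe", "net session"),
    P(1512, 4364, r"C:\Windows\SysWOW64\net1.exe", r"C:\Windows\system32\net1 session"),
    P(2712, 3280, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
      r'''powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"'''),
    P(740, 4184, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k'),
    # Constructed controls: a narrow exclusion added from an admin console, and a read-only query.
    P(5000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      r'''powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\Corp\Agent'"'''),
    P(5001, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 'powershell -Command "Get-MpPreference"'),
]

_ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.I)
_EXCL = re.compile(r"-Exclusion(?P<kind>Path|Process|Extension)\s+(?P<val>'[^']*'|\"[^\"]*\"|\S+)", re.I)
_NET_SESSION = re.compile(r"(?:^|\\)net(?:\.exe)?\s+session\b", re.I)  # stock batch "am I elevated?" idiom
_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
_NON_EXE = (".url", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta")


def defender_exclusions(cmdline):
    """[(kind, value)] for every exclusion an Add-MpPreference call adds."""
    if not _ADD_MP.search(cmdline):
        return []
    return [(m["kind"].capitalize(), v.strip())
            for m in _EXCL.finditer(cmdline)
            for v in m["val"].strip("'\"").split(",")]


def is_broad_path(path):
    """Drive roots and whole user/profile trees: scanning off for everything a user writes."""
    v = path.strip().rstrip("\\").lower()
    return bool(re.fullmatch(r"[a-z]:(\\(users|programdata|windows))?", v)) or \
        v in {"%userprofile%", "%appdata%", "%localappdata%", "%temp%", "%public%"}


def suspicious_run_value(key, data):
    """Reasons a Run/RunOnce value looks like loader persistence, else None."""
    if not _RUN_KEY.search(key):
        return None
    d = data.strip().strip('"').lower()
    reasons = []
    if d.endswith(_NON_EXE):
        reasons.append("run target is a shortcut or script rather than an executable")
    if "\\users\\public\\" in d:
        reasons.append("run target lives under C:\\Users\\Public")
    return reasons or None


def ancestry(pid, procs):
    """Process records from pid up to the root we have events for, self first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    # Parents of every "net session": the script that asked whether it is elevated.
    check_parents = {e["ppid"] for e in procs.values() if _NET_SESSION.search(e["cmdline"])}
    alerts = []
    for e in events:
        if e["type"] == "registry":
            reasons = suspicious_run_value(e["key"], e["data"])
            if reasons:
                alerts.append({"rule": "run_key_shortcut", "pid": e["pid"], "severity": "high",
                               "detail": reasons, "chain": [p["image"] for p in ancestry(e["pid"], procs)]})
            continue
        for kind, val in defender_exclusions(e["cmdline"]):
            chain = ancestry(e["pid"], procs)
            # High when the exclusion is broad or the same script chain ran the elevation check.
            checked = bool(check_parents & {p["pid"] for p in chain})
            broad = kind == "Path" and is_broad_path(val)
            alerts.append({"rule": "defender_exclusion_added", "pid": e["pid"],
                           "severity": "high" if broad or checked else "medium",
                           "detail": [f"{kind}={val}", "broad" if broad else "narrow"],
                           "admin_check": checked, "chain": [p["image"] for p in chain]})
    return alerts
```

On a live host the same checks map onto Sysmon Event ID 1 (process create) and 13 (registry value set), and Defender's own Event ID 5007 records the configuration change independently of how it was made; during triage, Get-MpPreference | Select-Object ExclusionPath shows whether the C:\Users exclusion is still in place.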
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Public\Libraries\Cdex.bat
Filesize
155B
MD5
213c60adf1c9ef88dc3c9b2d579959d2
SHA1
e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA256
37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512
fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
C:\Users\Public\Libraries\VfjeeqedqO.bat
Filesize
1KB
MD5
df48c09f243ebcc8a165f77a1c2bf889
SHA1
455f7db0adcc2a58d006f1630fb0bd55cd868c07
SHA256
4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca
SHA512
735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc
-
C:\Users\Public\Libraries\Vfjeeqedqt.bat
Filesize
58B
MD5
3178f18d44440e060a5ddc9d776f91be
SHA1
af8fe33c2703be22df946f1bcf4f03fa9372deb2
SHA256
b4e94a60e6233eeb1861831fa72daa04bbc0e0ef6b0b46b0115dc2d58f14f981
SHA512
1ff961c24c7df94402d5909a65742e7181b842cedeeff6de2c41ddc396e3c4774eabb4d12fac4e740b9a04b9130f1c36f1155c131bfa9b1c0626efaa46723929
-
memory/740-210-0x0000000000400000-0x000000000047A000-memory.dmp
Filesize
488KB
-
memory/740-209-0x0000000000400000-0x000000000047A000-memory.dmp
Filesize
488KB
-
memory/740-208-0x0000000050590000-0x000000005060D000-memory.dmp
Filesize
500KB
-
memory/740-169-0x0000000000000000-mapping.dmp
-
memory/1512-144-0x0000000000000000-mapping.dmp
-
memory/1912-139-0x0000000000000000-mapping.dmp
-
memory/2712-153-0x0000000006720000-0x0000000006752000-memory.dmp
Filesize
200KB
-
memory/2712-157-0x00000000073A0000-0x00000000073BA000-memory.dmp
Filesize
104KB
-
memory/2712-150-0x0000000005AB0000-0x0000000005B16000-memory.dmp
Filesize
408KB
-
memory/2712-151-0x0000000005B20000-0x0000000005B86000-memory.dmp
Filesize
408KB
-
memory/2712-152-0x0000000006170000-0x000000000618E000-memory.dmp
Filesize
120KB
-
memory/2712-148-0x0000000005350000-0x0000000005978000-memory.dmp
Filesize
6.2MB
-
memory/2712-154-0x000000006F000000-0x000000006F04C000-memory.dmp
Filesize
304KB
-
memory/2712-155-0x0000000006700000-0x000000000671E000-memory.dmp
Filesize
120KB
-
memory/2712-156-0x0000000007B20000-0x000000000819A000-memory.dmp
Filesize
6.5MB
-
memory/2712-149-0x00000000052C0000-0x00000000052E2000-memory.dmp
Filesize
136KB
-
memory/2712-158-0x00000000074E0000-0x00000000074EA000-memory.dmp
Filesize
40KB
-
memory/2712-159-0x00000000076D0000-0x0000000007766000-memory.dmp
Filesize
600KB
-
memory/2712-160-0x00000000076A0000-0x00000000076AE000-memory.dmp
Filesize
56KB
-
memory/2712-161-0x0000000007790000-0x00000000077AA000-memory.dmp
Filesize
104KB
-
memory/2712-162-0x0000000007780000-0x0000000007788000-memory.dmp
Filesize
32KB
-
memory/2712-147-0x0000000004CE0000-0x0000000004D16000-memory.dmp
Filesize
216KB
-
memory/2712-146-0x0000000000000000-mapping.dmp
-
memory/3280-141-0x0000000000000000-mapping.dmp
-
memory/4364-143-0x0000000000000000-mapping.dmp