Overview

overview

10

Static

static

1

TT Air Exp...CO.exe

windows7-x64

10

TT Air Exp...CO.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-02-2023 13:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TT Air Export COSCO.exe

  • Size

    1.1MB

  • MD5

    23ce4c2eb85eea9a1871bf922978ade9

  • SHA1

    8cfa86cdbcda76c59cea93839115f84b9b47ced0

  • SHA256

    5ca676b334d8a3f4542877a696a7092b29dbdeddabcd70af2a80e5c8384a75b6

  • SHA512

    de2475abf3ed3101f9b3d6c7fa37da02ee99f7a37fd239f2a6e87b7d67837d1a5f3c09d05750150e08a18a881322c8b719e8d03efd43885c991774707817172c

  • SSDEEP

    12288:oX8lOqFSsZ40z3QjB2lr5fPx7Zh70WoQzV9hBoSFhAf1nAhglR:Q8ltFSQ3AB2zp7pcf1nAhglR

Score
10/10
modiloaderremcos13-feb-2023persistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

13-Feb-2023

C2

193.23.3.34:43672

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    goog.dat

  • keylog_flag

    false

  • keylog_folder

    Google

  • mouse_option

    false

  • mutex

    -201DO7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TT Air Export COSCO.exe
    "C:\Users\Admin\AppData\Local\Temp\TT Air Export COSCO.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4384
    • C:\Users\Admin\AppData\Local\Temp\TT Air Export COSCO.exe
      C:\Users\Admin\AppData\Local\Temp\TT Air Export COSCO.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1328-134-0x0000000000000000-mapping.dmp

    Download

  • memory/1328-135-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1328-136-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1328-137-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1328-138-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1328-139-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/4384-132-0x0000000002440000-0x000000000246C000-memory.dmp

    Filesize

    176KB

    Download