Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2023, 07:14

Static task: static1
Behavioral task: behavioral1 (sample: PO-880182.PDF..exe, resource: win7-20231020-en)
Behavioral task: behavioral2 (sample: PO-880182.PDF..exe, resource: win10v2004-20231127-en)

The signatures and process tree below are from behavioral2 (Windows 10 2004 x64).
General

Target: PO-880182.PDF..exe (double-extension lure: with extensions hidden the name displays as a PDF)
Size: 1.8MB
MD5: 138dbab797d6d49d67f7aa2d0d5c54e9
SHA1: 0b799db2170957ee5fffff4eb728c11b9ab37149
SHA256: f8b4f90e536a1cdd95cc100f8db1cbc90970f125110fbe883523e84b0beae62a
SHA512: 743914489fc36ad16146b7d24c320b1b743accdd788a9f2951ddfa7ec80312f17e4d3737fc1b06650cee3a9fb788b91f6ba74d516e4631515443563f4a0afcf4
SSDEEP: 49152:iytH9q1rUWS1qXtfRGHKpk3H8eiTwHFimH9jIrMKSIa+GGXHIfd2Ddk6L+O/:i+HqJS1qXtfRGHKpk3H8eiTwHFimH9jm
Malware Config

Extracted: remcos

RemoteHost:
  127.0.0.1:45070
  127.0.0.1:52707
  172.245.208.30:52707
  172.245.208.30:45070
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-2NCCY9
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

Notes on the config: the two 127.0.0.1 entries are loopback and cannot be reached from a victim, so the only actionable C2 indicator is 172.245.208.30 on TCP 45070 and 52707. install_flag is false, so Remcos' own copy-to-%AppData%\Remcos\remcos.exe routine is disabled; persistence on this host comes from the loader's Run key instead (see the signatures below). The mutex Rmc-2NCCY9 is the host-side indicator for a running instance.
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource | yara_rule
behavioral2/memory/1592-2-0x0000000002D30000-0x0000000003D30000-memory.dmp | modiloader_stage2

NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource | yara_rule
behavioral2/memory/4124-92-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView
behavioral2/memory/4124-91-0x0000000000400000-0x0000000000457000-memory.dmp | MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/memory/4724-83-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
behavioral2/memory/4724-99-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/memory/4724-83-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
behavioral2/memory/2240-94-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4124-92-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/4124-91-0x0000000000400000-0x0000000000457000-memory.dmp | Nirsoft
behavioral2/memory/2240-96-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4724-99-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft

Executes dropped EXE (5 IoCs)
pid | Process
4804 | easinvoker.exe
5008 | kipyayhY.pif
4724 | kipyayhY.pif
4124 | kipyayhY.pif
2240 | kipyayhY.pif

Loads dropped DLL (1 IoC)
pid | Process
4804 | easinvoker.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | kipyayhY.pif

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhyaypik = "C:\\Users\\Public\\Yhyaypik.url" | PO-880182.PDF..exe

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
PID 1592 set thread context of 5008 | 1592 | PO-880182.PDF..exe | 120
PID 5008 set thread context of 4724 | 5008 | kipyayhY.pif | 122
PID 5008 set thread context of 4124 | 5008 | kipyayhY.pif | 123
PID 5008 set thread context of 2240 | 5008 | kipyayhY.pif | 124

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe (3 times, one per xcopy invocation)

Runs ping.exe (1 TTP, 1 IoC)
pid | Process
3080 | PING.EXE

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 47 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 51 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process | count
8 | powershell.exe | 3
4724 | kipyayhY.pif | 4
2240 | kipyayhY.pif | 2

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process | count
5008 | kipyayhY.pif | 3

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 8 | powershell.exe
Token: SeDebugPrivilege | 2240 | kipyayhY.pif

Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
5008 | kipyayhY.pif

Suspicious use of WriteProcessMemory (52 IoCs; identical rows collapsed with a count)
description | pid | Process | procid_target | count
PID 1592 wrote to memory of 2592 | 1592 | PO-880182.PDF..exe | 103 | 3
PID 2592 wrote to memory of 4588 | 2592 | cmd.exe | 105 | 3
PID 2592 wrote to memory of 1704 | 2592 | cmd.exe | 106 | 3
PID 2592 wrote to memory of 4340 | 2592 | cmd.exe | 107 | 3
PID 2592 wrote to memory of 3528 | 2592 | cmd.exe | 108 | 3
PID 2592 wrote to memory of 4480 | 2592 | cmd.exe | 109 | 3
PID 2592 wrote to memory of 1528 | 2592 | cmd.exe | 110 | 3
PID 2592 wrote to memory of 4412 | 2592 | cmd.exe | 111 | 3
PID 2592 wrote to memory of 636 | 2592 | cmd.exe | 112 | 3
PID 2592 wrote to memory of 4804 | 2592 | cmd.exe | 113 | 2
PID 4804 wrote to memory of 4592 | 4804 | easinvoker.exe | 115 | 2
PID 2592 wrote to memory of 3080 | 2592 | cmd.exe | 116 | 3
PID 4592 wrote to memory of 4344 | 4592 | cmd.exe | 117 | 2
PID 4344 wrote to memory of 8 | 4344 | cmd.exe | 118 | 2
PID 1592 wrote to memory of 5008 | 1592 | PO-880182.PDF..exe | 120 | 5
PID 5008 wrote to memory of 4724 | 5008 | kipyayhY.pif | 122 | 3
PID 5008 wrote to memory of 4124 | 5008 | kipyayhY.pif | 123 | 3
PID 5008 wrote to memory of 2240 | 5008 | kipyayhY.pif | 124 | 3
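Most of the WriteProcessMemory rows above are noise: CreateProcess itself writes the command line and environment into a new child, so every cmd.exe spawn shows up. The rows that matter are the ones where the same source also called SetThreadContext on the target, which is the create-suspended, write-image, redirect-entry-point sequence of process hollowing. The following is an added example (my own code, not the sandbox's) that encodes that heuristic; the EVENTS list is constructed from the two tables above, and the tuple layout is this script's own, not a sandbox export format.

```python
"""Hollowing-chain heuristic over sandbox injection signature rows.

Added example for this report, not the sandbox's own code. EVENTS is
constructed from the 'Suspicious use of SetThreadContext' and 'Suspicious use
of WriteProcessMemory' tables; the tuple layout is an assumption of this
script, not an export format of any sandbox.
"""
from collections import defaultdict

# (api, source_pid, source_image, target_pid, count) -- constructed from the report
EVENTS = [
    ("WriteProcessMemory", 1592, "PO-880182.PDF..exe", 2592, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 4588, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 1704, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 4340, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 3528, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 4480, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 1528, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 4412, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 636, 3),
    ("WriteProcessMemory", 2592, "cmd.exe", 4804, 2),
    ("WriteProcessMemory", 4804, "easinvoker.exe", 4592, 2),
    ("WriteProcessMemory", 2592, "cmd.exe", 3080, 3),
    ("WriteProcessMemory", 4592, "cmd.exe", 4344, 2),
    ("WriteProcessMemory", 4344, "cmd.exe", 8, 2),
    # Loader -> kipyayhY.pif: several writes plus a thread-context replacement.
    ("WriteProcessMemory", 1592, "PO-880182.PDF..exe", 5008, 5),
    ("SetThreadContext", 1592, "PO-880182.PDF..exe", 5008, 1),
    # Hollowed .pif -> three copies of itself, each hollowed again.
    ("WriteProcessMemory", 5008, "kipyayhY.pif", 4724, 3),
    ("SetThreadContext", 5008, "kipyayhY.pif", 4724, 1),
    ("WriteProcessMemory", 5008, "kipyayhY.pif", 4124, 3),
    ("SetThreadContext", 5008, "kipyayhY.pif", 4124, 1),
    ("WriteProcessMemory", 5008, "kipyayhY.pif", 2240, 3),
    ("SetThreadContext", 5008, "kipyayhY.pif", 2240, 1),
]


def hollowing_edges(events):
    """Return {(src_pid, dst_pid): src_image} for every pair where the source
    both wrote into the target and replaced a thread context in it.  A write
    on its own is what CreateProcess does for every child; the write plus
    SetThreadContext on the same target is the hollowing sequence."""
    writes = defaultdict(int)
    ctx = set()
    image = {}
    for api, src, img, dst, count in events:
        image[(src, dst)] = img
        if api == "WriteProcessMemory":
            writes[(src, dst)] += count
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    return {edge: image[edge] for edge in ctx if writes[edge] > 0}


def injection_chains(events, root):
    """Walk the hollowing edges from root and return every root->...->leaf
    path as a list of pids, so the whole injection lineage is one record."""
    children = defaultdict(list)
    for src, dst in hollowing_edges(events):
        children[src].append(dst)
    chains = []

    def walk(pid, path):
        if not children[pid]:
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    walk(root, [root])
    return chains


def noisy_write_targets(events):
    """Targets that were written to but never had a thread context set: the
    ordinary parent->child writes a rule must not alert on."""
    edges = hollowing_edges(events)
    return sorted({dst for api, src, _, dst, _ in events
                   if api == "WriteProcessMemory" and (src, dst) not in edges})


if __name__ == "__main__":
    for edge, img in sorted(hollowing_edges(EVENTS).items()):
        print(f"hollowing: {img} ({edge[0]}) -> pid {edge[1]}")
    for chain in injection_chains(EVENTS, 1592):
        print("chain:", " -> ".join(map(str, chain)))
```

Run against the report's rows this yields four hollowing edges (1592→5008 and 5008→{2240, 4124, 4724}) and leaves the nine cmd.exe children and the easinvoker/KDECO branch as ordinary writes. On a live EDR feed the same pairing (write plus SetThreadContext, or write plus a resumed suspended thread) is the signal to key on rather than WriteProcessMemory alone.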
Processes

[1] C:\Users\Admin\AppData\Local\Temp\PO-880182.PDF..exe (PID 1592)
    "C:\Users\Admin\AppData\Local\Temp\PO-880182.PDF..exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe (PID 2592)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\YhyaypikO.bat" "
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4588)
        cmd.exe /c mkdir "\\?\C:\Windows "

    [3] C:\Windows\SysWOW64\cmd.exe (PID 1704)
        cmd.exe /c mkdir "\\?\C:\Windows \System32"

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4340)
        cmd.exe /c ECHO F

    [3] C:\Windows\SysWOW64\xcopy.exe (PID 3528)
        xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
        - Enumerates system info in registry

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4480)
        cmd.exe /c ECHO F

    [3] C:\Windows\SysWOW64\xcopy.exe (PID 1528)
        xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
        - Enumerates system info in registry

    [3] C:\Windows\SysWOW64\cmd.exe (PID 4412)
        cmd.exe /c ECHO F

    [3] C:\Windows\SysWOW64\xcopy.exe (PID 636)
        xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
        - Enumerates system info in registry

    [3] C:\Windows \System32\easinvoker.exe (PID 4804)
        "C:\Windows \System32\easinvoker.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\system32\cmd.exe (PID 4592)
          C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\system32\cmd.exe (PID 4344)
            cmd.exe /c start /min powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 8)
              powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\PING.EXE (PID 3080)
        ping 127.0.0.1 -n 6
        - Runs ping.exe

  [2] C:\Users\Public\Libraries\kipyayhY.pif (PID 5008)
      C:\Users\Public\Libraries\kipyayhY.pif
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Public\Libraries\kipyayhY.pif (PID 4724)
        C:\Users\Public\Libraries\kipyayhY.pif /stext "C:\Users\Admin\AppData\Local\Temp\qrdsfpbvlw"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    [3] C:\Users\Public\Libraries\kipyayhY.pif (PID 4124)
        C:\Users\Public\Libraries\kipyayhY.pif /stext "C:\Users\Admin\AppData\Local\Temp\bmqkgimozerfx"
        - Executes dropped EXE
        - Accesses Microsoft Outlook accounts

    [3] C:\Users\Public\Libraries\kipyayhY.pif (PID 2240)
        C:\Users\Public\Libraries\kipyayhY.pif /stext "C:\Users\Admin\AppData\Local\Temp\lgwdhawqvmjkzsnbo"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

Reading the tree: the batch file YhyaypikO.bat uses the \\?\ path prefix, which bypasses Win32 path normalisation, to create "C:\Windows \System32" with a trailing space after "Windows", a name the shell would otherwise strip and which therefore passes as the real System32 directory. It copies a legitimate executable (easinvoker.exe), a DLL carrying a system-library name (netutils.dll) and a batch file (KDECO.bat) into that directory (the paired "ECHO F" processes are the "echo F | xcopy" idiom that answers xcopy's file-or-directory prompt), then launches the executable, which the report records as loading the dropped DLL and spawning cmd.exe to run KDECO.bat. The only visible action of KDECO.bat is Add-MpPreference -ExclusionPath 'C:\Users', which excludes every user profile, including C:\Users\Public\Libraries where the .pif is staged, from Defender scanning. This is the mock trusted directory pattern used for UAC bypass through DLL sideloading; the report does not record integrity levels, and Add-MpPreference only succeeds from an elevated context, so confirm elevation from the Defender operational log (event 5007, configuration changed) when triaging a real host. The loopback ping with -n 6 is a delay between stages. The loader then starts kipyayhY.pif and replaces its thread context (hollowing); the hollowed .pif installs a Windows hook and spawns three copies of itself with /stext, each hollowed in turn with a NirSoft password-recovery tool (WebBrowserPassView in 4724, MailPassView in 4124, a third NirSoft utility in 2240, per the YARA hits above) that writes recovered credentials to the listed %TEMP% files. Persistence is the Run value Yhyaypik pointing at C:\Users\Public\Yhyaypik.url; the shortcut's content is not included in the report.
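The command lines in the tree are the detection surface: a path segment "Windows " with a trailing space, a Defender exclusion added from the command line, a loopback ping used as a sleep, the NirSoft /stext switch, and a Run value whose data is a .url under the world-writable C:\Users\Public. The block below is an added example, my own code rather than the sandbox's or any vendor's rule set, that turns those observations into rules and runs them over constructed events mirroring the tree plus a few benign look-alikes; the event dict layout is this script's assumption, not a real log schema.

```python
"""Detection rules for the loader behaviours shown in the process tree.

Added example; not the sandbox's code and not a vendor rule set. The regexes
are this script's own reading of the command lines and the Run-key write in
the report. SAMPLE_EVENTS is constructed: it mirrors those command lines plus
three benign ones, in a minimal dict layout that is an assumption of this
example rather than any real log schema.
"""
import re

RULES = {
    # The '\\?\' prefix skips Win32 path normalisation, so "C:\Windows "
    # (trailing space) can be created and used as a look-alike of the real
    # C:\Windows\System32. Match a space right after the Windows directory
    # name whether it is followed by '\' or by a closing quote.
    "mock_trusted_directory": re.compile(r'(?i)[a-z]:\\windows (?:\\|")'),
    # Defender exclusions (path, process or extension) added from a command line.
    "defender_exclusion_added": re.compile(
        r'(?i)add-mppreference\b.*-exclusion(?:path|process|extension)'),
    # NirSoft password-recovery tools write their output to a file with /stext.
    "nirsoft_stext_dump": re.compile(r'(?i)\s/stext\s'),
    # Loopback ping with a count is a stage delay, not a connectivity test.
    "ping_loopback_delay": re.compile(
        r'(?i)\bping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost)\s+-n\s+\d+'),
}

# Run-key value whose data is a .url shortcut under C:\Users\Public.
RUN_KEY = re.compile(r'(?i)\\software\\microsoft\\windows\\currentversion\\run\\')
PUBLIC_URL = re.compile(r'(?i)^"?[a-z]:\\users\\public\\.*\.url"?$')


def evaluate(events):
    """Return [(rule_name, pid)] for every event that trips a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for name, rx in RULES.items():
                if rx.search(ev["cmdline"]):
                    hits.append((name, ev["pid"]))
        elif ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and PUBLIC_URL.match(ev["value"]):
                hits.append(("run_key_public_url_shortcut", ev["pid"]))
    return hits


SID = "S-1-5-21-2598572287-1024438387-935107970-1000"  # SID from the report
SAMPLE_EVENTS = [  # constructed from the process tree and the Run-key IoC
    {"type": "registry", "pid": 1592,
     "key": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yhyaypik",
     "value": r"C:\Users\Public\Yhyaypik.url"},
    {"type": "process", "pid": 4588, "cmdline": r'cmd.exe /c mkdir "\\?\C:\Windows "'},
    {"type": "process", "pid": 3528,
     "cmdline": r'xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y'},
    {"type": "process", "pid": 4804, "cmdline": r'"C:\Windows \System32\easinvoker.exe"'},
    {"type": "process", "pid": 8,
     "cmdline": "powershell.exe -inputformat none -outputformat none -NonInteractive "
                "-Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\""},
    {"type": "process", "pid": 3080, "cmdline": "ping 127.0.0.1 -n 6"},
    {"type": "process", "pid": 4724,
     "cmdline": r'C:\Users\Public\Libraries\kipyayhY.pif /stext "C:\Users\Admin\AppData\Local\Temp\qrdsfpbvlw"'},
    # Benign look-alikes that must not fire (constructed).
    {"type": "process", "pid": 9001,
     "cmdline": r'C:\Windows\System32\cmd.exe /c dir C:\Windows\System32'},
    {"type": "process", "pid": 9002, "cmdline": "ping 8.8.8.8 -n 4"},
    {"type": "process", "pid": 9003, "cmdline": 'powershell.exe -Command "Get-MpPreference"'},
]


if __name__ == "__main__":
    for rule, pid in evaluate(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid}")
```

The mock-directory rule is the one worth deploying as-is: a space immediately after a "Windows" directory name never occurs in legitimate paths, so it fires on the mkdir, on every xcopy into the directory and on the execution of anything from it. The other rules need local tuning (administrators do add Defender exclusions, and some installers ping localhost as a sleep), which is why the sample keeps benign events alongside the malicious ones.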
Network
MITRE ATT&CK Enterprise v15
Downloads

Dropped and downloaded files, by hash. The report lists several of them more than once; identical entries are collapsed below with the number of times each appears.

Filesize: 144B
MD5: 086f4438f428869bf89b241351cd5c89
SHA1: 79999ad49717de1cfd7c902dff5353dfa312c29b
SHA256: dd80e327252311c1184acfed7a71b61fc7a0abb5e4d086776ef7233e885a8f70
SHA512: c0f93f32efaf36213f5a6622b26b7b60f058bad12c707e7c1b6f65703849c17e5b6d1ffc419aeee6e115dbdbe4faa3de5193af16766d70595b1ea824d228c067

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 4KB
MD5: f38f9e66e6018fe17658be974254cad4
SHA1: 597063c515fc90a5cef2d3f4a64d5c8f5e7ed47c
SHA256: 448eb8deec9960c9a2b6a27daeaea4cbab7d8469ed8b52b6d5916df458b07bb6
SHA512: a6b2f498fbd5fe598430371d57182b73779e66af1f2a85b4f6bde919e17c0f8611b226d96ff8134098904c42edaf0c0ef78328f2ccbe9fb16a4f66dd1d5c57a5

Filesize: 152B (listed twice)
MD5: 7e5fbd29557a68383dfb34e696964e93
SHA1: c1f748f89b47864301255d1fb2bfed04ed0d1300
SHA256: 4e55b1bbe2e0e099592ac57a747fa8d4ef67409901d6c64323a1b73d50e5de67
SHA512: 7dcb6582b03e7bf0cab2168dc775ca6d7a15ebb097fd2cdd3445b6d35ee128386fb9aa6a548b745c32540e358b2aa4d7c78a6f59f85c32065735fc54a6a2bb6a

Filesize: 466B
MD5: 9e80036aabe3227dbf98b3975051a53b
SHA1: 9670aab8897770a93293d85426b7b13dda23a152
SHA256: 964aab3b72b3545fabc58a209714ebeade739a0fec40b33af675d7157b9cb252
SHA512: 107fb6b364cf92730aca1a044f7769a1f4aed39a72f031a5004ccf09b3bebabac5fc88b3d0f85eb64c665404136db13678718bad36bea4311f07726684ed0a03

Filesize: 128KB (listed three times)
MD5: 231ce1e1d7d98b44371ffff407d68b59
SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Filesize: 66KB (listed five times)
MD5: c116d3604ceafe7057d77ff27552c215
SHA1: 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256: 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512: 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Filesize: 109KB (listed three times)
MD5: f3734dd95652252d02090c287c556522
SHA1: a9b9479f66516922a119eec78d3610342f22a68b
SHA256: be00f70763a053bf9c4b35e97319afbffa71dbb6e9c2c3c3f642a5e1fa7eb004
SHA512: 59df477a29d38b8d5b5c4567c241d4ffe1d58926fa6775e1ecb15ec8119cf040be97f83870704b422f044ae56f2a5169c50b92a3e1b75a8069e2a251f9dec41b