Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Stmt 2024-01.exe

windows7-x64

10

Stmt 2024-01.exe

windows10-1703-x64

10

Stmt 2024-01.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    300s
  • max time network
    305s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/01/2024, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stmt 2024-01.exe

  • Size

    1.5MB

  • MD5

    fe658ad9c31ff2b67f90178b00c48ecc

  • SHA1

    1a066197e1e243409ef8cb70b9d71bf5a5a80f05

  • SHA256

    6778fea0bea7bd311fbda7b2f6257a7826733a664199d8073c878e401ba20a33

  • SHA512

    468fba52d876a39e1e72ea82f8a70dd758dd2c1e99e31dfe226749f3fbc49e64f635b8282e987e71f3b0b872842e61be016bfc24c9fc4592d3dbb8b5d8822f69

  • SSDEEP

    24576:pA9PI47mMe3qTK/MYnyXXQ9cgAwFrDsRMzOFlB6WXg/jz8sleGu2bh:c2MYy6cqdDQSOFJg/jiwbh

Score
10/10
modiloaderremcosremotehostpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

meetre1ms.freeddns.org:2404

mysmeetr.ddns.net:2404

myumysmeetr.ddns.net:2404

bbhmeetre1ms.freeddns.org:2404
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    hsgddj

  • mouse_option

    false

  • mutex

    WIN2024-GUC4V0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 1 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe
    "C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\QsgbkgqgO.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "\\?\C:\Windows "
        3⤵
          PID:4392
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
          3⤵
            PID:3356
          • C:\Windows\SysWOW64\xcopy.exe
            xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
            3⤵
            • Enumerates system info in registry
            PID:2104
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
            3⤵
              PID:4596
            • C:\Windows\SysWOW64\xcopy.exe
              xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
              3⤵
              • Enumerates system info in registry
              PID:1340
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
              3⤵
                PID:4852
              • C:\Windows\SysWOW64\xcopy.exe
                xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                3⤵
                • Enumerates system info in registry
                PID:3024
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                3⤵
                  PID:2280
                • C:\Windows\SysWOW64\xcopy.exe
                  xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
                  3⤵
                  • Enumerates system info in registry
                  PID:716
                • C:\Windows \System32\easinvoker.exe
                  "C:\\Windows \\System32\\easinvoker.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4128
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4180
                    • C:\Windows\system32\cmd.exe
                      cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:356
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2756
                    • C:\Windows\system32\sc.exe
                      sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
                      5⤵
                      • Launches sc.exe
                      PID:3176
                    • C:\Windows\system32\sc.exe
                      sc.exe start truesight
                      5⤵
                      • Launches sc.exe
                      PID:2020
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c "C:\\Windows \\System32\\easinvoker.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1640
                • C:\Windows \System32\easinvoker.exe
                  "C:\\Windows \\System32\\easinvoker.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:208
              • C:\Windows\SysWOW64\SndVol.exe
                C:\Windows\System32\SndVol.exe
                2⤵
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                PID:3672

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\hsgddj\logs.dat
              Filesize

              144B

              MD5

              3685e5606e34664fd7cc7c6683d694a0

              SHA1

              64e537367953c720a1b3c51c61f772c858a77ffe

              SHA256

              b05de151b5a351fd2421aa20741fc896e5e5bda5636193f4ced917713cb62591

              SHA512

              99c4c70984380acf393661d5258ca9c29aa4525dbad1a9cefbae9543bda47860835c8912db322345bfbc972a780063abbc6fe1f8e7030db174ca9d28b7066ac9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vfw54k3o.atm.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit

            • C:\Users\Public\Libraries\KDECO.bat
              Filesize

              271B

              MD5

              d62b11dc4dc821ef23260e5b0e74a835

              SHA1

              cdff2004cb9ef149f75fae296f50f4fbfefb2e84

              SHA256

              d1b19b878a3ae98f650843314cc3ef8d681013f6e18e0201cb47a0afa45fc349

              SHA512

              27b8292eb318413b965e1c7552165e65f9003d03b15ddc0c5c142420a1a174303f983c268942d7b60c74ac4e8e79e01f83510807fc0c492cabdf4948bc69c625

              Download Submit

            • C:\Users\Public\Libraries\QsgbkgqgO.bat
              Filesize

              404B

              MD5

              6880148d6cd8fabdce94b7e91dbd8d17

              SHA1

              870e9ad13355a8452746e0904d004ee8c8ec66e5

              SHA256

              0bfe311ffb1de96cbb2616c2a59c2a1a4942ec03073cc2ddfdfc43f79c74d18a

              SHA512

              810ee2896597cbcf813b9285bb2d7f9127360a4d8a872c47460d32710fe114c27ed58f840dc8bcfdaf7b826e7e46c78c0e814e4fa3d380d10737673a1febf38e

              Download Submit

            • C:\Users\Public\Libraries\easinvoker.exe
              Filesize

              128KB

              MD5

              231ce1e1d7d98b44371ffff407d68b59

              SHA1

              25510d0f6353dbf0c9f72fc880de7585e34b28ff

              SHA256

              30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

              SHA512

              520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

              Download Submit

            • C:\Users\Public\Libraries\netutils.dll
              Filesize

              114KB

              MD5

              1a2d83c73343d26f40a50fe2fe2f3e99

              SHA1

              cce1c460b809c39f3be25d3e9b57bb5a1584923b

              SHA256

              e2a595076d88ab6a210c395a75a78409e0e4f51cd13f0e10ad1b8c153b4e90d7

              SHA512

              26fffe2a5543f92f2a04996436343b82f99f1cec6e7e6b7b6c40f888d65951c61cb31318bcb3e5af6bd624960069bfb732e31c9ab70da462e1548daaa1ac1734

              Download Submit

            • memory/208-87-0x00000000613C0000-0x00000000613E2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/1260-1-0x0000000002E00000-0x0000000003E00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1260-4-0x0000000000400000-0x000000000059D000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/1260-2-0x0000000002E00000-0x0000000003E00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1260-0-0x0000000002310000-0x0000000002311000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2756-37-0x00007FFC84EB0000-0x00007FFC8589C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2756-39-0x0000017676230000-0x0000017676240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2756-42-0x0000017676AD0000-0x0000017676B46000-memory.dmp

              Filesize

              472KB

              Download

            • memory/2756-38-0x0000017676230000-0x0000017676240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2756-55-0x0000017676230000-0x0000017676240000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2756-81-0x00007FFC84EB0000-0x00007FFC8589C000-memory.dmp

              Filesize

              9.9MB

              Download

            • memory/2756-36-0x0000017676920000-0x0000017676942000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3672-92-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-114-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-88-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-93-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-94-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-95-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-96-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-169-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-105-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-106-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-113-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-91-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-121-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-122-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-128-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-136-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-137-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-144-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-145-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-152-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-153-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-160-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/3672-168-0x00000000030C0000-0x00000000040C0000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4128-31-0x00000000613C0000-0x00000000613E2000-memory.dmp

              Filesize

              136KB

              Download