Analysis
-
max time kernel
150s
-
max time network
155s
-
platform
windows10-1703_x64
-
resource
win10-20231215-en
-
resource tags
arch:x64 arch:x86 image:win10-20231215-en locale:en-us os:windows10-1703-x64 system
submitted
31-01-2024 06:40
Static task
static1
Behavioral task
behavioral1
Sample
0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe
Resource
win10-20231215-en
General
-
Target
0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe
-
Size
2.0MB
-
MD5
ebbdf54edef4a90dcfc6ec11e8eeddbb
-
SHA1
06a846b87c073e398876e12ad4c28648395d3fc2
-
SHA256
0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543
-
SHA512
dc05aeba04e62afc26fb84416c12da64b7e4d95b7b8e8f33f46feaf386d54269f4e75594b17520527d9ea925c3d25ee23264c720b15bd22ee3f6b042d09a0b59
-
SSDEEP
49152:pqAodhXjnxf2hd7c7mvrq0gOPoaF5P0R:pqAo2hd7Ymu0gO5uR
Malware Config
Extracted
remcos
Crypted
172.206.61.17:55642
172.206.61.17:55746
172.206.61.17:55867
172.206.61.17:55733
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
cocs.dat
-
keylog_flag
false
-
keylog_path
%UserProfile%
-
mouse_option
false
-
mutex
yumaos-LF3MUZ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/4824-2-0x00000000043B0000-0x00000000053B0000-memory.dmp  modiloader_stage2
-
Creates new service(s) 1 TTPs
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4956  easinvoker.exe
1656  easinvoker.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
4956  easinvoker.exe
1656  easinvoker.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-33539905-3698238643-2080195461-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pcxgcicw = "C:\\Users\\Public\\Pcxgcicw.url"
process: 0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid   process
648   sc.exe
5060  sc.exe
-
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
description        ioc                                                        process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   xcopy.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   xcopy.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   xcopy.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier   xcopy.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description             flow  ioc
HTTP User-Agent header  5     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  7     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process
4956  easinvoker.exe   (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3032  SndVol.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid   process
620   (not named in the report)
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
description                          pid   process
Token: SeDebugPrivilege              4600  powershell.exe
Token: SeIncreaseQuotaPrivilege      4600  powershell.exe
Token: SeSecurityPrivilege           4600  powershell.exe
Token: SeTakeOwnershipPrivilege      4600  powershell.exe
Token: SeLoadDriverPrivilege         4600  powershell.exe
Token: SeSystemProfilePrivilege      4600  powershell.exe
Token: SeSystemtimePrivilege         4600  powershell.exe
Token: SeProfSingleProcessPrivilege  4600  powershell.exe
Token: SeIncBasePriorityPrivilege    4600  powershell.exe
Token: SeCreatePagefilePrivilege     4600  powershell.exe
Token: SeBackupPrivilege             4600  powershell.exe
Token: SeRestorePrivilege            4600  powershell.exe
Token: SeShutdownPrivilege           4600  powershell.exe
Token: SeDebugPrivilege              4600  powershell.exe
Token: SeSystemEnvironmentPrivilege  4600  powershell.exe
Token: SeRemoteShutdownPrivilege     4600  powershell.exe
Token: SeUndockPrivilege             4600  powershell.exe
Token: SeManageVolumePrivilege       4600  powershell.exe
Token: 33                            4600  powershell.exe
Token: 34                            4600  powershell.exe
Token: 35                            4600  powershell.exe
Token: 36                            4600  powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
3032  SndVol.exe
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid   process
3032  SndVol.exe
3032  SndVol.exe
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
description                        pid   process                                                                 target process    events
PID 4824 wrote to memory of 3524   4824  0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe  cmd.exe           3
PID 3524 wrote to memory of 4928   3524  cmd.exe                                                                 cmd.exe           3
PID 3524 wrote to memory of 3700   3524  cmd.exe                                                                 cmd.exe           3
PID 3524 wrote to memory of 5012   3524  cmd.exe                                                                 xcopy.exe         3
PID 3524 wrote to memory of 3976   3524  cmd.exe                                                                 cmd.exe           3
PID 3524 wrote to memory of 3076   3524  cmd.exe                                                                 xcopy.exe         3
PID 3524 wrote to memory of 4560   3524  cmd.exe                                                                 cmd.exe           3
PID 3524 wrote to memory of 1292   3524  cmd.exe                                                                 xcopy.exe         3
PID 3524 wrote to memory of 4492   3524  cmd.exe                                                                 cmd.exe           3
PID 3524 wrote to memory of 4376   3524  cmd.exe                                                                 xcopy.exe         3
PID 3524 wrote to memory of 4956   3524  cmd.exe                                                                 easinvoker.exe    2
PID 4956 wrote to memory of 356    4956  easinvoker.exe                                                          cmd.exe           2
PID 356 wrote to memory of 4980    356   cmd.exe                                                                 cmd.exe           2
PID 356 wrote to memory of 648     356   cmd.exe                                                                 sc.exe            2
PID 356 wrote to memory of 5060    356   cmd.exe                                                                 sc.exe            2
PID 4980 wrote to memory of 4600   4980  cmd.exe                                                                 powershell.exe    2
PID 4824 wrote to memory of 192    4824  0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe  cmd.exe           3
PID 4824 wrote to memory of 3032   4824  0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe  SndVol.exe        3
PID 192 wrote to memory of 1656    192   cmd.exe                                                                 easinvoker.exe    2
PID 4824 wrote to memory of 3032   4824  0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe  SndVol.exe        1
(51 events in total; the "events" column counts consecutive identical rows of the original listing)
Processes
(process tree; indentation shows the parent/child depth reported by the sandbox)
- image: C:\Users\Admin\AppData\Local\Temp\0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    - image: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\PcxgcicwO.bat" "
      - Suspicious use of WriteProcessMemory
        - image: C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd /c mkdir "\\?\C:\Windows "
        - image: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        - image: C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
          - Enumerates system info in registry
        - image: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        - image: C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
          - Enumerates system info in registry
        - image: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        - image: C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
          - Enumerates system info in registry
        - image: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        - image: C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
          - Enumerates system info in registry
        - image: C:\Windows \System32\easinvoker.exe
          cmdline: "C:\\Windows \\System32\\easinvoker.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
            - image: C:\Windows\system32\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
              - Suspicious use of WriteProcessMemory
                - image: C:\Windows\system32\cmd.exe
                  cmdline: cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                  - Suspicious use of WriteProcessMemory
                    - image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      cmdline: powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      - Suspicious use of AdjustPrivilegeToken
                - image: C:\Windows\system32\sc.exe
                  cmdline: sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
                  - Launches sc.exe
                - image: C:\Windows\system32\sc.exe
                  cmdline: sc.exe start truesight
                  - Launches sc.exe
    - image: C:\Windows\SysWOW64\SndVol.exe
      cmdline: C:\Windows\System32\SndVol.exe
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    - image: C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c "C:\\Windows \\System32\\easinvoker.exe"
      - Suspicious use of WriteProcessMemory
- image: C:\Windows \System32\easinvoker.exe
  cmdline: "C:\\Windows \\System32\\easinvoker.exe"
  - Executes dropped EXE
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process: 1
Windows Service: 1
Boot or Logon Autostart Execution: 1
Registry Run Keys / Startup Folder: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5j3erqm.3ih.ps1
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Public\Libraries\KDECO.bat
Filesize: 4KB
MD5: 785e8193007bcd7858b9df41c9d45f89
SHA1: 29b206de05ab075138ca9e0b9fccdddf3c30cdfe
SHA256: c8e1912a3328802e98563e32eb053ae3e28249b701054af227e9f1ba6bfe24d9
SHA512: a4d6fd586800f27939d8c152e89d2a231dc9fd8466e715dfeba22e2aa0428509095e12e6e66f2cb5e40ff5c998b439dc3f6792e20c179f41ac9cae31ada9d45f
-
C:\Users\Public\Libraries\PcxgcicwO.bat
Filesize: 7KB
MD5: 0d0d24b46d4bb0e4962595d455020d48
SHA1: 48b247c1cb2577b28aabd7dfa999e0642b5dc6de
SHA256: f46e0cc2c119a32dd87edf97bfc73d985ee97d2c9dc00274b6b20d641e29deea
SHA512: d5a8779e1cfd2a284173ce8a205cacb41fc7c744fa84e55682ac50b327c676ff50f668ecd176e0ab84420d143a8023d8b4590362b223704c55f5b0d7e116ba2c
-
C:\Users\Public\Libraries\easinvoker.exe
Filesize: 128KB
MD5: 231ce1e1d7d98b44371ffff407d68b59
SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Users\Public\Libraries\netutils.dll
Filesize: 116KB
MD5: 18f2fcec0ea10ef689b557fb0315ba3b
SHA1: cef14b1ebe402b6685734bc7efb16e27831c5b9e
SHA256: e443c8e9201f17ef4180d97a8505c24b4645e3ab25eacdeb8807d036229e2c1a
SHA512: 29513bd06224e1e1b40aedde09ba0f14b7b0bce7533fb215809b25d972d889d8e72c91dc8e00966369e31721c526322b9a6a7573c9f58f335ef94ca782ff844a
-
memory/1656-86-0x00000000613C0000-0x00000000613E3000-memory.dmp
Filesize: 140KB
-
memory/3032-93-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-97-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-112-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-106-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-105-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-104-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-103-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-100-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-98-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-96-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-94-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-91-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-88-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/3032-87-0x0000000004B50000-0x0000000005B50000-memory.dmp
Filesize: 16.0MB
-
memory/3032-89-0x0000000000400000-0x0000000000482000-memory.dmp
Filesize: 520KB
-
memory/4600-40-0x000001AB197E0000-0x000001AB197F0000-memory.dmp
Filesize: 64KB
-
memory/4600-81-0x00007FFFC2E50000-0x00007FFFC383C000-memory.dmp
Filesize: 9.9MB
-
memory/4600-55-0x000001AB197E0000-0x000001AB197F0000-memory.dmp
Filesize: 64KB
-
memory/4600-42-0x000001AB19A70000-0x000001AB19AE6000-memory.dmp
Filesize: 472KB
-
memory/4600-39-0x00007FFFC2E50000-0x00007FFFC383C000-memory.dmp
Filesize: 9.9MB
-
memory/4600-41-0x000001AB197E0000-0x000001AB197F0000-memory.dmp
Filesize: 64KB
-
memory/4600-36-0x000001AB19740000-0x000001AB19762000-memory.dmp
Filesize: 136KB
-
memory/4824-0-0x00000000007B0000-0x00000000007B1000-memory.dmp
Filesize: 4KB
-
memory/4824-5-0x00000000007B0000-0x00000000007B1000-memory.dmp
Filesize: 4KB
-
memory/4824-2-0x00000000043B0000-0x00000000053B0000-memory.dmp
Filesize: 16.0MB
-
memory/4824-1-0x00000000043B0000-0x00000000053B0000-memory.dmp
Filesize: 16.0MB
-
memory/4824-4-0x0000000000400000-0x0000000000608000-memory.dmp
Filesize: 2.0MB
-
memory/4956-31-0x00000000613C0000-0x00000000613E3000-memory.dmp
Filesize: 140KB