Overview

overview

10

Static

static

3

0bb26d35c2...43.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-01-2024 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe

  • Size

    2.0MB

  • MD5

    ebbdf54edef4a90dcfc6ec11e8eeddbb

  • SHA1

    06a846b87c073e398876e12ad4c28648395d3fc2

  • SHA256

    0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543

  • SHA512

    dc05aeba04e62afc26fb84416c12da64b7e4d95b7b8e8f33f46feaf386d54269f4e75594b17520527d9ea925c3d25ee23264c720b15bd22ee3f6b042d09a0b59

  • SSDEEP

    49152:pqAodhXjnxf2hd7c7mvrq0gOPoaF5P0R:pqAo2hd7Ymu0gO5uR

Score
10/10
modiloaderremcoscryptedpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

172.206.61.17:55642

172.206.61.17:55746

172.206.61.17:55867

172.206.61.17:55733
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    cocs.dat

  • keylog_flag

    false

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    yumaos-LF3MUZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 1 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe
    "C:\Users\Admin\AppData\Local\Temp\0bb26d35c23eefc1d1274cc6a329cb80b6b2a1c34544be449d543ab54c7e5543.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\PcxgcicwO.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "\\?\C:\Windows "
        3⤵
          PID:4928
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
          3⤵
            PID:3700
          • C:\Windows\SysWOW64\xcopy.exe
            xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
            3⤵
            • Enumerates system info in registry
            PID:5012
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
            3⤵
              PID:3976
            • C:\Windows\SysWOW64\xcopy.exe
              xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
              3⤵
              • Enumerates system info in registry
              PID:3076
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
              3⤵
                PID:4560
              • C:\Windows\SysWOW64\xcopy.exe
                xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                3⤵
                • Enumerates system info in registry
                PID:1292
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                3⤵
                  PID:4492
                • C:\Windows\SysWOW64\xcopy.exe
                  xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
                  3⤵
                  • Enumerates system info in registry
                  PID:4376
                • C:\Windows \System32\easinvoker.exe
                  "C:\\Windows \\System32\\easinvoker.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4956
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:356
                    • C:\Windows\system32\cmd.exe
                      cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4980
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                        6⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4600
                    • C:\Windows\system32\sc.exe
                      sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
                      5⤵
                      • Launches sc.exe
                      PID:648
                    • C:\Windows\system32\sc.exe
                      sc.exe start truesight
                      5⤵
                      • Launches sc.exe
                      PID:5060
              • C:\Windows\SysWOW64\SndVol.exe
                C:\Windows\System32\SndVol.exe
                2⤵
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:3032
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c "C:\\Windows \\System32\\easinvoker.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:192
            • C:\Windows \System32\easinvoker.exe
              "C:\\Windows \\System32\\easinvoker.exe"
              1⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1656

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Create or Modify System Process

            1
            T1543

            Windows Service

            1
            T1543.003

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5j3erqm.3ih.ps1
              Filesize

              1B

              MD5

              c4ca4238a0b923820dcc509a6f75849b

              SHA1

              356a192b7913b04c54574d18c28d46e6395428ab

              SHA256

              6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

              SHA512

              4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

              Download Submit
            • C:\Users\Public\Libraries\KDECO.bat
              Filesize

              4KB

              MD5

              785e8193007bcd7858b9df41c9d45f89

              SHA1

              29b206de05ab075138ca9e0b9fccdddf3c30cdfe

              SHA256

              c8e1912a3328802e98563e32eb053ae3e28249b701054af227e9f1ba6bfe24d9

              SHA512

              a4d6fd586800f27939d8c152e89d2a231dc9fd8466e715dfeba22e2aa0428509095e12e6e66f2cb5e40ff5c998b439dc3f6792e20c179f41ac9cae31ada9d45f

              Download Submit
            • C:\Users\Public\Libraries\PcxgcicwO.bat
              Filesize

              7KB

              MD5

              0d0d24b46d4bb0e4962595d455020d48

              SHA1

              48b247c1cb2577b28aabd7dfa999e0642b5dc6de

              SHA256

              f46e0cc2c119a32dd87edf97bfc73d985ee97d2c9dc00274b6b20d641e29deea

              SHA512

              d5a8779e1cfd2a284173ce8a205cacb41fc7c744fa84e55682ac50b327c676ff50f668ecd176e0ab84420d143a8023d8b4590362b223704c55f5b0d7e116ba2c

              Download Submit
            • C:\Users\Public\Libraries\easinvoker.exe
              Filesize

              128KB

              MD5

              231ce1e1d7d98b44371ffff407d68b59

              SHA1

              25510d0f6353dbf0c9f72fc880de7585e34b28ff

              SHA256

              30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

              SHA512

              520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

              Download Submit
            • C:\Users\Public\Libraries\netutils.dll
              Filesize

              116KB

              MD5

              18f2fcec0ea10ef689b557fb0315ba3b

              SHA1

              cef14b1ebe402b6685734bc7efb16e27831c5b9e

              SHA256

              e443c8e9201f17ef4180d97a8505c24b4645e3ab25eacdeb8807d036229e2c1a

              SHA512

              29513bd06224e1e1b40aedde09ba0f14b7b0bce7533fb215809b25d972d889d8e72c91dc8e00966369e31721c526322b9a6a7573c9f58f335ef94ca782ff844a

              Download Submit
            • memory/1656-86-0x00000000613C0000-0x00000000613E3000-memory.dmp
              Filesize

              140KB

              Download
            • memory/3032-93-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-97-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-112-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-106-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-105-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-104-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-103-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-100-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-98-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-96-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-94-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-91-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-88-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/3032-87-0x0000000004B50000-0x0000000005B50000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/3032-89-0x0000000000400000-0x0000000000482000-memory.dmp
              Filesize

              520KB

              Download
            • memory/4600-40-0x000001AB197E0000-0x000001AB197F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4600-81-0x00007FFFC2E50000-0x00007FFFC383C000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/4600-55-0x000001AB197E0000-0x000001AB197F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4600-42-0x000001AB19A70000-0x000001AB19AE6000-memory.dmp
              Filesize

              472KB

              Download
            • memory/4600-39-0x00007FFFC2E50000-0x00007FFFC383C000-memory.dmp
              Filesize

              9.9MB

              Download
            • memory/4600-41-0x000001AB197E0000-0x000001AB197F0000-memory.dmp
              Filesize

              64KB

              Download
            • memory/4600-36-0x000001AB19740000-0x000001AB19762000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4824-0-0x00000000007B0000-0x00000000007B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4824-5-0x00000000007B0000-0x00000000007B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/4824-2-0x00000000043B0000-0x00000000053B0000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/4824-1-0x00000000043B0000-0x00000000053B0000-memory.dmp
              Filesize

              16.0MB

              Download
            • memory/4824-4-0x0000000000400000-0x0000000000608000-memory.dmp
              Filesize

              2.0MB

              Download
            • memory/4956-31-0x00000000613C0000-0x00000000613E3000-memory.dmp
              Filesize

              140KB

              Download