Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

Swift 19022024.bat

windows7-x64

10

Swift 19022024.bat

windows10-2004-x64

10

Resubmissions

01/03/2024, 15:31

240301-syf2vahd64 10

20/02/2024, 16:00

240220-tfmmcaba5s 10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/02/2024, 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Swift 19022024.bat

  • Size

    2.2MB

  • MD5

    6dc5aa35800875f5e06a20da26286f13

  • SHA1

    b9fbf17b8a2aeae452050b2f660ef8cff024a433

  • SHA256

    db5c362b0b4ec0a9bbc7b2c5a186a22019c82c2a96a7c326fad2e1f095de22db

  • SHA512

    a51120e0800a2694ae14267faf667dc5f37be76bf17bcc042931ef8a1f7f8b38237bf12f441ce3eec7eb4aba15428e3ddcbaa2f23a2944b7f8adbe9c9a5649ab

  • SSDEEP

    24576:RLM2LFX2P6Qv1hhxfAswo1eoKHMX+mIi8g1CLbGBi3oucj+9OtOT+a0sloBJCpDo:RYQSv1fxfAsJ1eoVuSDW0YXEx

Score
10/10
hawkeyemodiloaderremcosremotehostcollectionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

swjurf.work.gd:9231

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    hgjbhk

  • mouse_option

    false

  • mutex

    Rmc-BM92FA

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

    keyloggertrojanstealerspywarehawkeye
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 1 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 7 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 36 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\system32\cmd.exe
      cmd /c certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:208
      • C:\Windows\system32\certutil.exe
        certutil -decodehex "C:\Users\Admin\AppData\Local\Temp\Swift 19022024.bat" "C:\Users\Public\pointer.com" 3
        3⤵
          PID:1648
      • C:\Windows\system32\PING.EXE
        PING -n 3 127.0.0.1
        2⤵
        • Runs ping.exe
        PID:3856
      • C:\Users\Public\pointer.com
        C:\Users\Public\pointer.com
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\SoxqluztO.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c mkdir "\\?\C:\Windows "
            4⤵
              PID:540
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
              4⤵
                PID:4252
              • C:\Windows\SysWOW64\xcopy.exe
                xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
                4⤵
                • Enumerates system info in registry
                PID:828
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                4⤵
                  PID:4496
                • C:\Windows\SysWOW64\xcopy.exe
                  xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
                  4⤵
                  • Enumerates system info in registry
                  PID:624
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                  4⤵
                    PID:1128
                  • C:\Windows\SysWOW64\xcopy.exe
                    xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
                    4⤵
                    • Enumerates system info in registry
                    PID:1436
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                    4⤵
                      PID:5092
                    • C:\Windows\SysWOW64\xcopy.exe
                      xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
                      4⤵
                      • Enumerates system info in registry
                      PID:4508
                    • C:\Windows \System32\easinvoker.exe
                      "C:\\Windows \\System32\\easinvoker.exe"
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1476
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4060
                        • C:\Windows\system32\cmd.exe
                          cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                          6⤵
                          • Suspicious use of WriteProcessMemory
                          PID:412
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                            7⤵
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3172
                        • C:\Windows\system32\sc.exe
                          sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
                          6⤵
                          • Launches sc.exe
                          PID:2964
                        • C:\Windows\system32\sc.exe
                          sc.exe start truesight
                          6⤵
                          • Launches sc.exe
                          PID:3540
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c "C:\\Windows \\System32\\easinvoker.exe"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4044
                    • C:\Windows \System32\easinvoker.exe
                      "C:\\Windows \\System32\\easinvoker.exe"
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:3364
                  • C:\Windows\SysWOW64\SndVol.exe
                    C:\Windows\System32\SndVol.exe
                    3⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2184
                    • C:\Windows\SysWOW64\dxdiag.exe
                      "C:\Windows\System32\dxdiag.exe" /t C:\Users\Admin\AppData\Local\Temp\sysinfo.txt
                      4⤵
                      • Drops file in System32 directory
                      • Checks SCSI registry key(s)
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4372
                    • C:\Windows\SysWOW64\SndVol.exe
                      C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\szzfmowqxmk"
                      4⤵
                        PID:2560
                      • C:\Windows\SysWOW64\SndVol.exe
                        C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ubexmhhjlvcuid"
                        4⤵
                        • Accesses Microsoft Outlook accounts
                        PID:4424
                      • C:\Windows\SysWOW64\SndVol.exe
                        C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\fvsinzrlhduhsrbrps"
                        4⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3080
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 1488
                        4⤵
                        • Program crash
                        PID:1216
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2184 -ip 2184
                  1⤵
                    PID:2340

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\hgjbhk\logs.dat
                    Filesize

                    144B

                    MD5

                    0621ad6776991df31093616bf84a3513

                    SHA1

                    6c95c5d56d7f683dae921223b2816441be61aed0

                    SHA256

                    2789b42f1d95d6d2da3b14c59d7a9de9e5bd76a057ff0921c47f618a04ae1001

                    SHA512

                    4a0e583c3fa8c048bff9228b8e584dc5eeef55b3d8916fe2dc5a0f43ec9318c42f32a353ea47b5b9021d57cab0668d941429a17f45362924c7225e427ea069bd

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apjqf0s0.3rq.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\szzfmowqxmk
                    Filesize

                    4KB

                    MD5

                    b805d06f8bede1285ec01cb150f9c5c4

                    SHA1

                    fd4b8b35239cd368ee3c1ee0fd1b5ca4513c5438

                    SHA256

                    a6382180e89f890e6dcdd14a80e5a21fcd4c10d54b76309482b2e579d0d067a2

                    SHA512

                    dcfc370d9cd5933340c68874499dc34e5d77e959be3eba5826446ab3bf7bb576add68a9ae68838cf304bdf5c7fdce55113f28bd436a6b0ed6e43247e73234625

                    Download Submit

                  • C:\Users\Public\Libraries\KDECO.bat
                    Filesize

                    4KB

                    MD5

                    785e8193007bcd7858b9df41c9d45f89

                    SHA1

                    29b206de05ab075138ca9e0b9fccdddf3c30cdfe

                    SHA256

                    c8e1912a3328802e98563e32eb053ae3e28249b701054af227e9f1ba6bfe24d9

                    SHA512

                    a4d6fd586800f27939d8c152e89d2a231dc9fd8466e715dfeba22e2aa0428509095e12e6e66f2cb5e40ff5c998b439dc3f6792e20c179f41ac9cae31ada9d45f

                    Download Submit

                  • C:\Users\Public\Libraries\SoxqluztO.bat
                    Filesize

                    7KB

                    MD5

                    0d0d24b46d4bb0e4962595d455020d48

                    SHA1

                    48b247c1cb2577b28aabd7dfa999e0642b5dc6de

                    SHA256

                    f46e0cc2c119a32dd87edf97bfc73d985ee97d2c9dc00274b6b20d641e29deea

                    SHA512

                    d5a8779e1cfd2a284173ce8a205cacb41fc7c744fa84e55682ac50b327c676ff50f668ecd176e0ab84420d143a8023d8b4590362b223704c55f5b0d7e116ba2c

                    Download Submit

                  • C:\Users\Public\Libraries\easinvoker.exe
                    Filesize

                    128KB

                    MD5

                    231ce1e1d7d98b44371ffff407d68b59

                    SHA1

                    25510d0f6353dbf0c9f72fc880de7585e34b28ff

                    SHA256

                    30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

                    SHA512

                    520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

                    Download Submit

                  • C:\Users\Public\Libraries\netutils.dll
                    Filesize

                    115KB

                    MD5

                    ecb0b0d16112f27c57e4048a02802fd5

                    SHA1

                    f7d1c76802d3948c55114fc0ea82c928936de944

                    SHA256

                    ae33f291a6f2011ca147c2b48035743aba3c507dcef86e1fa6acb4dee47cbf43

                    SHA512

                    a18a6cde621274f42e20b4b897df2df984a8e6d420d65198fd6d4193a3a91b8c3ca6905120ac299acd8758da72654e7a650e872425677763894b11c98f03c421

                    Download Submit

                  • C:\Users\Public\pointer.com
                    Filesize

                    1.3MB

                    MD5

                    5e14df714a090c430526a6a3f5ae14a9

                    SHA1

                    9d30febbb7666626c8c3a917aeccdda79d39f18a

                    SHA256

                    699a27d39fd0baa6dee651adf1995ca6eb168657b41235fd0d2cd74c738a8cac

                    SHA512

                    d20540378cf8e76b39beff338de024d9e061a1c84ab5ac2a0033b2b76f5d845234016b35fcdcabb03c049d65f279101a9993a145b369591b4821c880efb70e34

                    Download Submit

                  • memory/1476-31-0x00000000613C0000-0x00000000613E3000-memory.dmp

                    Filesize

                    140KB

                    Download

                  • memory/1960-9-0x0000000000400000-0x0000000000558000-memory.dmp

                    Filesize

                    1.3MB

                    Download

                  • memory/1960-7-0x00000000049D0000-0x00000000059D0000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/1960-6-0x00000000049D0000-0x00000000059D0000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/1960-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2184-100-0x0000000015F30000-0x0000000015F49000-memory.dmp

                    Filesize

                    100KB

                    Download

                  • memory/2184-58-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-103-0x0000000015F30000-0x0000000015F49000-memory.dmp

                    Filesize

                    100KB

                    Download

                  • memory/2184-76-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-105-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-54-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-57-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-73-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-61-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-62-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-64-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-67-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-69-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-70-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-71-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2184-72-0x0000000000A90000-0x0000000001A90000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/2560-98-0x0000000000400000-0x0000000000478000-memory.dmp

                    Filesize

                    480KB

                    Download

                  • memory/2560-81-0x0000000000400000-0x0000000000478000-memory.dmp

                    Filesize

                    480KB

                    Download

                  • memory/2560-85-0x0000000000400000-0x0000000000478000-memory.dmp

                    Filesize

                    480KB

                    Download

                  • memory/2560-77-0x0000000000400000-0x0000000000478000-memory.dmp

                    Filesize

                    480KB

                    Download

                  • memory/2560-84-0x0000000000400000-0x0000000000478000-memory.dmp

                    Filesize

                    480KB

                    Download

                  • memory/3080-83-0x0000000000400000-0x0000000000424000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/3080-89-0x0000000000400000-0x0000000000424000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/3080-94-0x0000000000400000-0x0000000000424000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/3080-96-0x0000000000400000-0x0000000000424000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/3080-90-0x0000000000400000-0x0000000000424000-memory.dmp

                    Filesize

                    144KB

                    Download

                  • memory/3172-44-0x000001BD6D230000-0x000001BD6D240000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3172-32-0x000001BD6F320000-0x000001BD6F342000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/3172-47-0x00007FFF24670000-0x00007FFF25131000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3172-42-0x00007FFF24670000-0x00007FFF25131000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/3172-43-0x000001BD6D230000-0x000001BD6D240000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3172-45-0x000001BD6D230000-0x000001BD6D240000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3364-52-0x00000000613C0000-0x00000000613E3000-memory.dmp

                    Filesize

                    140KB

                    Download

                  • memory/4372-122-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-123-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-127-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-126-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-115-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-116-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-117-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-125-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-121-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4372-124-0x0000000002F20000-0x0000000002F21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4424-95-0x0000000000400000-0x0000000000457000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/4424-78-0x0000000000400000-0x0000000000457000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/4424-82-0x0000000000400000-0x0000000000457000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/4424-88-0x0000000000400000-0x0000000000457000-memory.dmp

                    Filesize

                    348KB

                    Download