Analysis
-
max time kernel
141s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
19/03/2024, 15:06
General
-
Target
8bf1fc90c21adb2347d38ce1f6d9889ae42ac88a5a0c0b96f1baea8013a305c0.exe
-
Size
888KB
-
MD5
b9ab69a9cadc7a0e054cbc3f91b3d76e
-
SHA1
feee2f1932b35fe1b1fd358bdc824c482e4a1d51
-
SHA256
8bf1fc90c21adb2347d38ce1f6d9889ae42ac88a5a0c0b96f1baea8013a305c0
-
SHA512
3d607577a4320651898b1135decba0cf391d8f935c94cf5e087356c8e08ad4da4c6cdcc71cf3663c2086b38165dcc73a070d50e78909bae6ed6054d231fbf411
-
SSDEEP
12288:oXxu5oy0XhL9ljnp9zIO6S33Ys1fCjPfeCMVAgfMCfLe9:ohAcXhL9lV9cHSY2ZCMVAgfM
Malware Config
Extracted
remcos
RemoteHost
newpage44.mywire.org:5010
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
adode.exe
-
copy_folder
Skype
-
delete_file
true
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%Temp%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-3N0E9G
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8bf1fc90c21adb2347d38ce1f6d9889ae42ac88a5a0c0b96f1baea8013a305c0.exe"C:\Users\Admin\AppData\Local\Temp\8bf1fc90c21adb2347d38ce1f6d9889ae42ac88a5a0c0b96f1baea8013a305c0.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\8bf1fc90c21adb2347d38ce1f6d9889ae42ac88a5a0c0b96f1baea8013a305c0.exe C:\\Users\\Public\\Libraries\\Aggtoxhy.PIF2⤵
-
-
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Skype\adode.exe"C:\Users\Admin\AppData\Local\Temp\Skype\adode.exe"3⤵
- Executes dropped EXE
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220KB
MD55ac83d3d18f9b6e1c5b78bd712661524
SHA19ee22c8038e47a4935aeac113d3f2ee6f03a22c4
SHA256d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca
SHA5122fc37b27836a4f0a4c61a5cd976e7452120585b86a615cce25108737337a9a02b73cc68c92b26fbb89a5cadbf3033ad0b6355cc5b7094f18318e3dbea1b84082
-
Filesize
16.0MB
-
Filesize
520KB
-
Filesize
16.0MB
-
Filesize
520KB
-
Filesize
928KB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
928KB
-
Filesize
4KB