Overview

overview

10

Static

static

3

MACHINE SP...NS.exe

windows7-x64

10

MACHINE SP...NS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-03-2024 02:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MACHINE SPECIFICATIONS.exe

  • Size

    1.4MB

  • MD5

    9a57df005b00ca4c9f0cd5f7a3d7e7e9

  • SHA1

    63547644d4b7fe80f696bc8aae6f09830df81b64

  • SHA256

    0168646bfeec864982cff43a4969ad4d0ab5e0df69cd27f7334fcf339f752e4c

  • SHA512

    451b64d9798fdec6140b4ee919145d3b449aa88551d1ebfd4af3c4639191ce9075f2bc873cc4e6478d310b4e141c3a51d800f4a521d1bb37e45f752caafb3bc9

  • SSDEEP

    24576:916ftUKJqekypS2EBJYewl7+6izHE+lsx4sAXsd1AqVjxW7RXtLgiED+enxbIl:9AfgQvslHE+l4wgmNdtECebIl

Score
10/10
modiloaderremcosremotehostcollectionpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.245.208.13:4445

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WKS19H

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 9 IoCs
  • Detects executables built or packed with MPress PE compressor 14 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • ModiLoader Second Stage 1 IoCs
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MACHINE SPECIFICATIONS.exe
    "C:\Users\Admin\AppData\Local\Temp\MACHINE SPECIFICATIONS.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir "\\?\C:\Windows "
      2⤵
        PID:4824
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "\\?\C:\Windows \System32"
        2⤵
          PID:3584
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Windows \System32\2853771.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:664
          • C:\Windows \System32\2853771.exe
            "C:\Windows \System32\2853771.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2912
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3444
              • C:\Windows\system32\cmd.exe
                cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1792
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                  6⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4252
        • C:\Windows\SysWOW64\extrac32.exe
          C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\MACHINE SPECIFICATIONS.exe C:\\Users\\Public\\Libraries\\Krcxlbxv.PIF
          2⤵
            PID:4216
          • C:\Windows\SysWOW64\colorcpl.exe
            C:\Windows\System32\colorcpl.exe
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4828
            • C:\Windows\SysWOW64\colorcpl.exe
              C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\kaptsqvcremqsqssbx"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1604
            • C:\Windows\SysWOW64\colorcpl.exe
              C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\uuvetigdfnevcwowkidbk"
              3⤵
              • Accesses Microsoft Outlook accounts
              PID:3112
            • C:\Windows\SysWOW64\colorcpl.exe
              C:\Windows\SysWOW64\colorcpl.exe /stext "C:\Users\Admin\AppData\Local\Temp\xoiwubrxtvwzfccibtqdvhapi"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3872
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 788
              3⤵
              • Program crash
              PID:4708
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4388 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:4676
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4828 -ip 4828
            1⤵
              PID:4956

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z04hullz.rb0.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\kaptsqvcremqsqssbx
              Filesize

              4KB

              MD5

              10fa8ec140c204486092fb161e567ec7

              SHA1

              4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

              SHA256

              7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

              SHA512

              9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

              Download Submit

            • C:\Windows \System32\2853771.exe
              Filesize

              128KB

              MD5

              231ce1e1d7d98b44371ffff407d68b59

              SHA1

              25510d0f6353dbf0c9f72fc880de7585e34b28ff

              SHA256

              30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

              SHA512

              520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

              Download Submit

            • C:\Windows \System32\netutils.dll
              Filesize

              112KB

              MD5

              fa7aa88417d0c48807144a1a48fe3fbc

              SHA1

              6f5ec990b12d4a6075050a94e0d68d03781fa46d

              SHA256

              2019dcd18ba7d5554a4a9da882740aa883941670af3de9396960081a0f8aa098

              SHA512

              99b2eb6f8e7d00a3803cba229149e5e0cb67a3deb607782c55fbacd25d9c074cce83759de15490eff939d5ad98f26cdbd44395cc79ffe22753e16c3d9e3b5fff

              Download Submit

            • C:\windows \system32\KDECO.bat
              Filesize

              11KB

              MD5

              c545650595b479c81ad6b9d8882aae39

              SHA1

              7a98aa2e6eee23b3c1bba876955d525bc618b3f0

              SHA256

              a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9

              SHA512

              85ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3

              Download Submit

            • memory/1604-59-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1604-79-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1604-52-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/1604-55-0x0000000000400000-0x0000000000478000-memory.dmp

              Filesize

              480KB

              Download

            • memory/2628-7-0x0000000000A20000-0x0000000000A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2628-3-0x0000000004050000-0x0000000005050000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2628-1-0x0000000000400000-0x000000000056E000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2628-2-0x0000000004050000-0x0000000005050000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2628-5-0x0000000000400000-0x000000000056E000-memory.dmp

              Filesize

              1.4MB

              Download

            • memory/2628-0-0x0000000000A20000-0x0000000000A21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2912-18-0x00000000613C0000-0x00000000613E3000-memory.dmp

              Filesize

              140KB

              Download

            • memory/3112-70-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3112-66-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3112-61-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3112-54-0x0000000000400000-0x0000000000462000-memory.dmp

              Filesize

              392KB

              Download

            • memory/3872-67-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/3872-69-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/3872-57-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/3872-71-0x0000000000400000-0x0000000000424000-memory.dmp

              Filesize

              144KB

              Download

            • memory/4252-20-0x0000019813980000-0x00000198139A2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4252-36-0x00007FFAE67E0000-0x00007FFAE72A1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4252-30-0x00007FFAE67E0000-0x00007FFAE72A1000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4252-31-0x000001982C0E0000-0x000001982C0F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4252-33-0x000001982C0E0000-0x000001982C0F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4252-32-0x000001982C0E0000-0x000001982C0F0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4828-45-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-43-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-41-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-44-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-51-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-46-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-48-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-84-0x0000000020420000-0x0000000020439000-memory.dmp

              Filesize

              100KB

              Download

            • memory/4828-81-0x0000000020420000-0x0000000020439000-memory.dmp

              Filesize

              100KB

              Download

            • memory/4828-49-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4828-87-0x0000000000A00000-0x0000000001A00000-memory.dmp

              Filesize

              16.0MB

              Download