Overview

overview

10

Static

static

3

Quotation .exe

windows7-x64

10

Quotation .exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-03-2024 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation .exe

  • Size

    888KB

  • MD5

    cf659feea0c1c9e0a1705e076b831f48

  • SHA1

    4e79ae9003d92a10d09fdb231512ca914c60a7c7

  • SHA256

    b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d

  • SHA512

    6ebf5d751d94772def751a6085e233e8cadb0c4c29193be247d0b11c977370ae82a2d5190bae463b0de60cbe8bf0c2c7a4b0dd84f9c2fd142e7ededc42afdfc4

  • SSDEEP

    12288:oXxu5oy0XhL9ljnp9zIO6S33Ys1fCjPfeCMVAgfMCf3e9:ohAcXhL9lV9cHSY2ZCMVAgfM

Score
10/10
modiloaderremcosremotehostpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47212

officerem.duckdns.org:47212
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-I8N3XG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation .exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation .exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir "\\?\C:\Windows "
      2⤵
        PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "\\?\C:\Windows \System32"
        2⤵
          PID:2368
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Windows \System32\7678010.exe"
          2⤵
            PID:2348
            • C:\Windows \System32\7678010.exe
              "C:\Windows \System32\7678010.exe"
              3⤵
              • Executes dropped EXE
              PID:2404
            • C:\Windows \System32\7678010.exe
              "C:\Windows \System32\7678010.exe"
              3⤵
              • Executes dropped EXE
              PID:668
          • C:\Windows\SysWOW64\extrac32.exe
            C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Quotation .exe C:\\Users\\Public\\Libraries\\Hmbaewme.PIF
            2⤵
              PID:1432
            • C:\Windows\SysWOW64\colorcpl.exe
              C:\Windows\System32\colorcpl.exe
              2⤵
              • Suspicious use of SetWindowsHookEx
              PID:1412

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\remcos\logs.dat
            Filesize

            144B

            MD5

            17abbeee86beb3c0cdc589831114f089

            SHA1

            0888370e6ee764fa80ccfbded2d3f3f4cd755ebe

            SHA256

            9f03aa06534b30415d2ff5acea4eb8f6d98dfc563d323c7366095232e6cc82b9

            SHA512

            fd8fe29454ce7978c55338457ac172f89c969a11417849149296742219dc208d56acbc9b1fd3613aa836b7c31b0d1b45a323e6ad080625c83190151fdfc1a8d2

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            Filesize

            67KB

            MD5

            753df6889fd7410a2e9fe333da83a429

            SHA1

            3c425f16e8267186061dd48ac1c77c122962456e

            SHA256

            b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

            SHA512

            9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TarA6F0.tmp
            Filesize

            175KB

            MD5

            dd73cead4b93366cf3465c8cd32e2796

            SHA1

            74546226dfe9ceb8184651e920d1dbfb432b314e

            SHA256

            a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

            SHA512

            ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

            Download Submit

          • C:\Windows \System32\7678010.exe
            Filesize

            128KB

            MD5

            231ce1e1d7d98b44371ffff407d68b59

            SHA1

            25510d0f6353dbf0c9f72fc880de7585e34b28ff

            SHA256

            30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

            SHA512

            520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

            Download Submit

          • memory/1412-86-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-89-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-121-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-114-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-113-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-81-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-84-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-85-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-105-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-87-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-88-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-98-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-90-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-93-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1412-97-0x0000000000260000-0x0000000001260000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2348-67-0x00000000021B0000-0x00000000021B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2756-5-0x0000000000400000-0x00000000004E8000-memory.dmp

            Filesize

            928KB

            Download

          • memory/2756-1-0x0000000002D30000-0x0000000003D30000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2756-0-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2756-2-0x0000000002D30000-0x0000000003D30000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/2756-4-0x0000000000220000-0x0000000000221000-memory.dmp

            Filesize

            4KB

            Download