Overview

overview

10

Static

static

3

b9c1445929...7d.exe

windows7-x64

10

b9c1445929...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    20-03-2024 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe

  • Size

    888KB

  • MD5

    cf659feea0c1c9e0a1705e076b831f48

  • SHA1

    4e79ae9003d92a10d09fdb231512ca914c60a7c7

  • SHA256

    b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d

  • SHA512

    6ebf5d751d94772def751a6085e233e8cadb0c4c29193be247d0b11c977370ae82a2d5190bae463b0de60cbe8bf0c2c7a4b0dd84f9c2fd142e7ededc42afdfc4

  • SSDEEP

    12288:oXxu5oy0XhL9ljnp9zIO6S33Ys1fCjPfeCMVAgfMCf3e9:ohAcXhL9lV9cHSY2ZCMVAgfM

Score
10/10
modiloaderremcosremotehostpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:47212

officerem.duckdns.org:47212
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-I8N3XG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe
    "C:\Users\Admin\AppData\Local\Temp\b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir "\\?\C:\Windows "
      2⤵
        PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c mkdir "\\?\C:\Windows \System32"
        2⤵
          PID:2964
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c "C:\Windows \System32\2820216.exe"
          2⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1360
          • C:\Windows \System32\2820216.exe
            "C:\Windows \System32\2820216.exe"
            3⤵
            • Executes dropped EXE
            PID:2656
          • C:\Windows \System32\2820216.exe
            "C:\Windows \System32\2820216.exe"
            3⤵
            • Executes dropped EXE
            PID:1540
        • C:\Windows\SysWOW64\extrac32.exe
          C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\b9c144592964694742c93d09a6db9194a58cfed85c9a81f00b5ae2d14ac5c87d.exe C:\\Users\\Public\\Libraries\\Hmbaewme.PIF
          2⤵
            PID:1776
          • C:\Windows\SysWOW64\colorcpl.exe
            C:\Windows\System32\colorcpl.exe
            2⤵
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            PID:1712

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\remcos\logs.dat
          Filesize

          144B

          MD5

          ac70d6c8787a1c16f5a5e4e0f24bfd10

          SHA1

          9fba83cfd410813ed7ac14cd485990af37b2a242

          SHA256

          4889725292cd84943611394b678a22178b848bd98d07e0db63ac77ea6626f0fd

          SHA512

          5a9ad0ff2a3b005d2df34b715aafa135a0d0252b06cc3709f5af3067c8844b8d8999d21ae1762ee1730944355db8c84c8ef308be05b982c1764fe9ea603dda10

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          67KB

          MD5

          753df6889fd7410a2e9fe333da83a429

          SHA1

          3c425f16e8267186061dd48ac1c77c122962456e

          SHA256

          b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

          SHA512

          9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar6C03.tmp
          Filesize

          175KB

          MD5

          dd73cead4b93366cf3465c8cd32e2796

          SHA1

          74546226dfe9ceb8184651e920d1dbfb432b314e

          SHA256

          a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

          SHA512

          ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

          Download Submit

        • C:\Windows \System32\2820216.exe
          Filesize

          128KB

          MD5

          231ce1e1d7d98b44371ffff407d68b59

          SHA1

          25510d0f6353dbf0c9f72fc880de7585e34b28ff

          SHA256

          30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

          SHA512

          520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

          Download Submit

        • memory/1360-91-0x0000000002450000-0x0000000002451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1360-69-0x0000000002450000-0x0000000002451000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1712-85-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-80-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-86-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-119-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-90-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-81-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-82-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-83-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-84-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-118-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-111-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-110-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-78-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-94-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-95-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/1712-102-0x0000000000A50000-0x0000000001A50000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/2000-0-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2000-2-0x00000000031F0000-0x00000000041F0000-memory.dmp

          Filesize

          16.0MB

          Download

        • memory/2000-4-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2000-5-0x0000000000400000-0x00000000004E8000-memory.dmp

          Filesize

          928KB

          Download

        • memory/2000-1-0x00000000031F0000-0x00000000041F0000-memory.dmp

          Filesize

          16.0MB

          Download