Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 26-03-2024 02:37
Static task: static1
Behavioral task: behavioral1
- Sample: 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe
- Resource: win10v2004-20240226-en
General
- Target: 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe
- Size: 1.2MB
- MD5: e652224389478e9294591e8bf638f9a6
- SHA1: 33126d714dbcba65b9006472be89092cb54fa826
- SHA256: 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83
- SHA512: e7e835cfa4e8aba53a1271ef849b9f3c22fe2339089f4624e42cafae014853d41d690437af21aed42477cbd432aa8229d05a20468b68e5286661e6433802756c
- SSDEEP: 24576:LI7PgJ/Of9JIIB1jf2kH2E4NGGtPlq09Vb2aBPqK5WDpiCEKfF2V2CKKKKKKKKK5:LdJPK2kH2h3t0qVb2aBPqK5WDpifAlC4
Malware Config
Extracted: remcos
- RemoteHost: 127.0.0.1:47212, officerem.duckdns.org:47212
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-I8N3XG
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 17 IoCs
  resource | yara_rule
  behavioral1/memory/292-84-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-86-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-87-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-88-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-89-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-91-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-92-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-93-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-94-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-97-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-101-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-102-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-109-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-110-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-117-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-118-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
  behavioral1/memory/292-125-0x0000000000430000-0x0000000001430000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
- ModiLoader Second Stage 1 IoCs
  resource | yara_rule
  behavioral1/memory/2492-2-0x0000000002D20000-0x0000000003D20000-memory.dmp | modiloader_stage2
- Executes dropped EXE 2 IoCs
  pid | Process
  2404 | 3975271.exe
  2816 | 3975271.exe
- Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ejuqejhd = "C:\\Users\\Public\\Ejuqejhd.url" | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Script User-Agent 1 IoCs
  Uses user-agent string associated with script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of SetWindowsHookEx 1 IoCs
  pid | Process
  292 | colorcpl.exe
- Suspicious use of WriteProcessMemory 21 IoCs
  description | pid | Process | procid_target
  PID 2492 wrote to memory of 2452 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 28
  PID 2492 wrote to memory of 2452 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 28
  PID 2492 wrote to memory of 2452 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 28
  PID 2492 wrote to memory of 2452 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 28
  PID 2492 wrote to memory of 2520 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 29
  PID 2492 wrote to memory of 2520 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 29
  PID 2492 wrote to memory of 2520 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 29
  PID 2492 wrote to memory of 2520 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 29
  PID 2492 wrote to memory of 2940 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 32
  PID 2492 wrote to memory of 2940 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 32
  PID 2492 wrote to memory of 2940 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 32
  PID 2492 wrote to memory of 2940 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 32
  PID 2492 wrote to memory of 1612 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 36
  PID 2492 wrote to memory of 1612 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 36
  PID 2492 wrote to memory of 1612 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 36
  PID 2492 wrote to memory of 1612 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 36
  PID 2492 wrote to memory of 292 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 37
  PID 2492 wrote to memory of 292 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 37
  PID 2492 wrote to memory of 292 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 37
  PID 2492 wrote to memory of 292 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 37
  PID 2492 wrote to memory of 292 | 2492 | 88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe | 37
Processes
- C:\Users\Admin\AppData\Local\Temp\88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe"
  PID: 2492
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c mkdir "\\?\C:\Windows "
    PID: 2452
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c mkdir "\\?\C:\Windows \System32"
    PID: 2520
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "C:\Windows \System32\3975271.exe"
    PID: 2940
    - C:\Windows \System32\3975271.exe
      Command line: "C:\Windows \System32\3975271.exe"
      PID: 2404
      Signatures: Executes dropped EXE
    - C:\Windows \System32\3975271.exe
      Command line: "C:\Windows \System32\3975271.exe"
      PID: 2816
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\extrac32.exe
    Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\88c21447120abe15f0da3d0ce1dfa63e1c5e4ef52415ed177728cd229507eb83.exe C:\\Users\\Public\\Libraries\\Ejuqejhd.PIF
    PID: 1612
  - C:\Windows\SysWOW64\colorcpl.exe
    Command line: C:\Windows\System32\colorcpl.exe
    PID: 292
    Signatures: Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 624a19d2de07d996c1f030f7893d9b70
  SHA1: ea526613a1812460d51854a3dd64cc8fdcf5cd09
  SHA256: 4a0e023767f1d30fe57c7549b470e3a4a936a0e8eea47fa08a272dc847ac23ed
  SHA512: 038faff3681928da83ff5a04150a6e2479ddf761915fb4eff4cf4674a0ea7c008a7b832000f79e2b7276ebd927fd517f989c9cc799d2151eb4f142b549cb40aa
- Filesize: 67KB
  MD5: 753df6889fd7410a2e9fe333da83a429
  SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
  SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
  SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
- Filesize: 175KB
  MD5: dd73cead4b93366cf3465c8cd32e2796
  SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
  SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
  SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
- Filesize: 128KB
  MD5: 231ce1e1d7d98b44371ffff407d68b59
  SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
  SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
  SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612