Analysis Overview
SHA256
f7f1798e3d66880f2cb35f6764a1c32902abb3ce7ceafe0bc049496ca9161e63
Threat Level: Known bad
The file 0028BGL880-2024.PDF.exe was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
NirSoft MailPassView
Nirsoft
NirSoft WebBrowserPassView
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Script User-Agent
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-03 15:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-03 15:56
Reported
2024-04-03 15:59
Platform
win7-20231129-en
Max time kernel
140s
Max time network
122s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 788
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 1016.filemail.com | udp |
| US | 192.240.97.18:443 | 1016.filemail.com | tcp |
Files
memory/1724-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1724-1-0x0000000003200000-0x0000000004200000-memory.dmp
memory/1724-2-0x0000000003200000-0x0000000004200000-memory.dmp
memory/1724-4-0x0000000000400000-0x00000000005AF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-03 15:56
Reported
2024-04-03 15:59
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\1341595.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows \System32\1341595.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dkesuvii = "C:\\Users\\Public\\Dkesuvii.url" | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2748 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe |
| PID 2748 set thread context of 3944 | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe |
| PID 2748 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows "
C:\Windows\SysWOW64\cmd.exe
cmd /c mkdir "\\?\C:\Windows \System32"
C:\Windows\SysWOW64\cmd.exe
cmd /c "C:\Windows \System32\1341595.exe"
C:\Windows \System32\1341595.exe
"C:\Windows \System32\1341595.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
C:\Windows\system32\cmd.exe
cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe C:\\Users\\Public\\Libraries\\Dkesuvii.PIF
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe /stext "C:\Users\Admin\AppData\Local\Temp\ywcspivefzyuqzfzrjgashtnurlsdaqzr"
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe /stext "C:\Users\Admin\AppData\Local\Temp\aqhkq"
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe
C:\Users\Admin\AppData\Local\Temp\0028BGL880-2024.PDF.exe /stext "C:\Users\Admin\AppData\Local\Temp\lsmvilyz"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1016.filemail.com | udp |
| US | 192.240.97.18:443 | 1016.filemail.com | tcp |
| US | 8.8.8.8:53 | 18.97.240.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:45671 | | tcp |
| N/A | 127.0.0.1:55677 | | tcp |
| US | 192.3.101.8:55677 | | tcp |
| US | 8.8.8.8:53 | 8.101.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| US | 192.3.101.8:55677 | | tcp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.110.86.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |
Files
memory/2748-0-0x0000000000760000-0x0000000000761000-memory.dmp
memory/2748-1-0x0000000002B10000-0x0000000003B10000-memory.dmp
memory/2748-2-0x0000000002B10000-0x0000000003B10000-memory.dmp
memory/2748-4-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Windows \System32\1341595.exe
| Hash | Value |
| MD5 | 231ce1e1d7d98b44371ffff407d68b59 |
| SHA1 | 25510d0f6353dbf0c9f72fc880de7585e34b28ff |
| SHA256 | 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96 |
| SHA512 | 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612 |
C:\Windows \System32\netutils.dll
| Hash | Value |
| MD5 | 8541304aadba4ae8620bb2699f6e0437 |
| SHA1 | e0b28a6ecd32d3789433217364c1006de9892df8 |
| SHA256 | 50573c81e5773c13a5411e8446d7fb17956865675782239818f7affd40a2fecb |
| SHA512 | c18b1233c138229705242e1cdc00970e45e414d8da9c643b1196ec9de261ae18076e22bed6fcc48c07d1f0e851469db9147f083f3c3c76a26b75994419392455 |
memory/1736-15-0x00000000613C0000-0x00000000613E3000-memory.dmp
C:\windows \system32\KDECO.bat
| Hash | Value |
| MD5 | c545650595b479c81ad6b9d8882aae39 |
| SHA1 | 7a98aa2e6eee23b3c1bba876955d525bc618b3f0 |
| SHA256 | a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9 |
| SHA512 | 85ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3 |
memory/812-17-0x0000020854550000-0x0000020854572000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cqfbho2t.1za.ps1
| Hash | Value |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\ywcspivefzyuqzfzrjgashtnurlsdaqzr
| Hash | Value |
| MD5 | 63a3d218b0d233efc9806729feba705a |
| SHA1 | 3cda6c59e0b8115d8538c8ff0d94a49294d516ac |
| SHA256 | 66ceb453b5931baa8d942d514cc1dcc41a24ab59313c0621daa9920bd0566bfd |
| SHA512 | d0cfb106b57a4e90523c194d073a131bc65461d8e792b0be51aef89aa413dded53c2aba723fc677f68b1211411a0e105b5771cafa045d3e11d54db578577b683 |
C:\ProgramData\remcos\logs.dat
| Hash | Value |
| MD5 | c70b1c00ce50f34fb9b6e5a0c3052e37 |
| SHA1 | d802e3e5653d008e2b642dd731aacb4a0e8b2b9d |
| SHA256 | 2a74ebc0b86d6aa3d0741c63925ab01fea482ab4585882a964c61782d8da5c44 |
| SHA512 | 3ade97169e2239ec9fd23dd137a9eded86f9f69d3170cfa7dd78e26785bf0eb433cd5fe34e41585ef11b9bb3557007133970f67292db205254d6d0cc9a7d2d3e |