Analysis Overview
SHA256
aeee6a9e26b4d62ec9258b1b2d30aea108deefc6001c54fbb6704c1d72010eed
Threat Level: Known bad
The file Quotation.exe was found to be: Known bad.
Malicious Activity Summary
Remcos
ModiLoader, DBatLoader
ModiLoader Second Stage
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Program crash
Unsigned PE
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 09:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 09:10
Reported
2024-04-09 09:13
Platform
win7-20240220-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Quotation.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 704
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
Files
memory/2916-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2916-1-0x0000000003180000-0x0000000004180000-memory.dmp
memory/2916-2-0x0000000003180000-0x0000000004180000-memory.dmp
memory/2916-4-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2916-5-0x0000000000400000-0x0000000000573000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 09:10
Reported
2024-04-09 09:13
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Remcos
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows \System32\easinvoker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows \System32\easinvoker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fkmbyyso = "C:\\Users\\Public\\Fkmbyyso.url" | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\FkmbyysoO.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
C:\Windows\SysWOW64\xcopy.exe
xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\windows \system32\aaa.bat""
C:\Windows\system32\cmd.exe
cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Quotation.exe C:\\Users\\Public\\Libraries\\Fkmbyyso.PIF
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | onedrive.live.com | udp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 13.107.137.11:443 | onedrive.live.com | tcp |
| US | 8.8.8.8:53 | g17tua.am.files.1drv.com | udp |
| US | 13.107.43.12:443 | g17tua.am.files.1drv.com | tcp |
| US | 8.8.8.8:53 | 11.137.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.43.107.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:47212 | | tcp |
| US | 8.8.8.8:53 | officerem.duckdns.org | udp |
| US | 23.95.235.29:47212 | officerem.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| US | 8.8.8.8:53 | 29.235.95.23.in-addr.arpa | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.17.178.52.in-addr.arpa | udp |
Files
memory/1040-0-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/1040-1-0x0000000003E80000-0x0000000004E80000-memory.dmp
memory/1040-2-0x0000000003E80000-0x0000000004E80000-memory.dmp
C:\Users\Public\Libraries\FkmbyysoO.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | 828ffbf60677999579dafe4bf3919c63 |
| SHA1 | a0d159a1b9a49e9eaccc53fe0c3266c0526a1bdc |
| SHA256 | abac4a967800f5da708572ec42441ec373cd52459a83a8a382d6b8579482789d |
| SHA512 | bf00909e24c5a6fb2346e8457a9adacd5f1b35988d90abbde9ff26896bbb59edafea60d9db4d10182a7b5e129bb69585d3e20bc5c63af3517b3a7ef1e45ffb7e |
C:\Users\Public\Libraries\easinvoker.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 231ce1e1d7d98b44371ffff407d68b59 |
| SHA1 | 25510d0f6353dbf0c9f72fc880de7585e34b28ff |
| SHA256 | 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96 |
| SHA512 | 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612 |
C:\Users\Public\Libraries\aaa.bat
| Algorithm | Digest |
| --- | --- |
| MD5 | f4e8f0ec6cfc5c6039402322685cb6ce |
| SHA1 | 1037835573c2886dda05d256f15306da89dc645e |
| SHA256 | cd05094e213643d624996b98e14aa5f7a2363f63530fe0c99523f6948effe756 |
| SHA512 | c5f9dfbbdb437c8ef9e2dd53fcbafcb256ab4626b4637a21332b3112c20f0d5353674031aae21b57604ba80d3b3f51f11b0ed412ed5fa6641b32fc4793746e02 |
C:\Users\Public\Libraries\netutils.dll
| Algorithm | Digest |
| --- | --- |
| MD5 | 30468939b69d5b1f29494fff5b161e6b |
| SHA1 | 3f900a76e5a00efd97c618c8cdaa55e66384618f |
| SHA256 | 7c6b2128913876dcb70603f2c00618d2e9057f381766565baf2a37100b85f1fd |
| SHA512 | f59fc26b77b28bc0dce41f2542c95a0fcb32204cc2d840d7cf8e74e10fbfc238f0c360e3bb5d787f32c83668ad10bbe522e098ede52f178dd8555c7af530f27f |
memory/1040-17-0x0000000000400000-0x0000000000573000-memory.dmp
memory/3552-24-0x00000000613C0000-0x00000000613E3000-memory.dmp
memory/4888-30-0x00007FFBCAB30000-0x00007FFBCB5F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqp0aqyl.yl1.ps1
| Algorithm | Digest |
| --- | --- |
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4888-29-0x000001AE10800000-0x000001AE10822000-memory.dmp
memory/4888-37-0x000001AE107C0000-0x000001AE107D0000-memory.dmp
memory/4888-38-0x000001AE107C0000-0x000001AE107D0000-memory.dmp
memory/4888-41-0x00007FFBCAB30000-0x00007FFBCB5F1000-memory.dmp
memory/1040-47-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-49-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-50-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-51-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-53-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-54-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-55-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-56-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-57-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-60-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
C:\ProgramData\remcos\logs.dat
| Algorithm | Digest |
| --- | --- |
| MD5 | 412a6e082400af86ae2ceda60a52759a |
| SHA1 | 59473f5d9849aacae33c537e5b1297b8891ed9ee |
| SHA256 | 68d6767a971b2ff0381925329ef9cff91faae94ff80e811592a3b3ba56d20383 |
| SHA512 | 1b1a960935573721b4395d5a3b3e971ef11e28fb694b379c4a2b5e2545f682b4e9ab04a1c58ebabdd0b3f825a11249f2828b19421460ba01af3568b72cd17ed6 |
memory/1040-69-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-70-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-81-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-82-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-91-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-92-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-103-0x00000000169E0000-0x00000000179E0000-memory.dmp
memory/1040-104-0x00000000169E0000-0x00000000179E0000-memory.dmp