Analysis
-
max time kernel
148s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
13-08-2024 08:36
Static task
static1
Behavioral task
behavioral1
Sample
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe
Resource
win10v2004-20240802-en
General
-
Target
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe
-
Size
1.2MB
-
MD5
d70fa5471771d18888f0861ac060a914
-
SHA1
83ef28ef9e4850629433f497fd0360120449e297
-
SHA256
31a7e70deb8af07d7b76b5dea8cbf90ec63bea24bffdd5ebac6f223c02f55753
-
SHA512
af89922e5a24a12522603e4a034b2e1aef911d5cf6399de426aa95b971dcf70513a99f45033895939f0475d7b001054717c9b0d38278ff45ee2b41376f3da31b
-
SSDEEP
24576:UMa3J1TbjIuI1OHXTXYYPajiFGoI3ajHucOWVQy/vrAFGSi29kQXY1Max2AnE:UMk27eayHaAnE
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:59089
legacyrem.duckdns.org:59089
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-BF03RK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1620-3-0x00000000030B0000-0x00000000040B0000-memory.dmp modiloader_stage2 -
Executes dropped EXE 9 IoCs
Processes:
alpha.pifalpha.pifalpha.pifxpha.pifper.exeper.exealpha.pifalpha.pifalpha.pifpid Process 1704 alpha.pif 3020 alpha.pif 1136 alpha.pif 1272 xpha.pif 2328 per.exe 2952 per.exe 912 alpha.pif 1756 alpha.pif 1372 alpha.pif -
Loads dropped DLL 4 IoCs
Processes:
cmd.exealpha.pifpid Process 2184 cmd.exe 2184 cmd.exe 2184 cmd.exe 1136 alpha.pif -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wclbjzkj = "C:\\Users\\Public\\Wclbjzkj.url" Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exealpha.pifalpha.pifalpha.pifcolorcpl.exePayment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exealpha.pifalpha.pifxpha.pifalpha.pifdescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language colorcpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xpha.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language alpha.pif -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Processes:
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exedescription ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exepid Process 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe -
Suspicious use of WriteProcessMemory 49 IoCs
Processes:
Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.execmd.exealpha.pifdescription pid Process procid_target PID 1620 wrote to memory of 2184 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 30 PID 1620 wrote to memory of 2184 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 30 PID 1620 wrote to memory of 2184 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 30 PID 1620 wrote to memory of 2184 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 30 PID 2184 wrote to memory of 2568 2184 cmd.exe 32 PID 2184 wrote to memory of 2568 2184 cmd.exe 32 PID 2184 wrote to memory of 2568 2184 cmd.exe 32 PID 2184 wrote to memory of 2568 2184 cmd.exe 32 PID 2184 wrote to memory of 2484 2184 cmd.exe 33 PID 2184 wrote to memory of 2484 2184 cmd.exe 33 PID 2184 wrote to memory of 2484 2184 cmd.exe 33 PID 2184 wrote to memory of 2484 2184 cmd.exe 33 PID 2184 wrote to memory of 1704 2184 cmd.exe 34 PID 2184 wrote to memory of 1704 2184 cmd.exe 34 PID 2184 wrote to memory of 1704 2184 cmd.exe 34 PID 2184 wrote to memory of 1704 2184 cmd.exe 34 PID 2184 wrote to memory of 3020 2184 cmd.exe 35 PID 2184 wrote to memory of 3020 2184 cmd.exe 35 PID 2184 wrote to memory of 3020 2184 cmd.exe 35 PID 2184 wrote to memory of 3020 2184 cmd.exe 35 PID 2184 wrote to memory of 1136 2184 cmd.exe 36 PID 2184 wrote to memory of 1136 2184 cmd.exe 36 PID 2184 wrote to memory of 1136 2184 cmd.exe 36 PID 2184 wrote to memory of 1136 2184 cmd.exe 36 PID 1136 wrote to memory of 1272 1136 alpha.pif 37 PID 1136 wrote to memory of 1272 1136 alpha.pif 37 PID 1136 wrote to memory of 1272 1136 alpha.pif 37 PID 1136 wrote to memory of 1272 1136 alpha.pif 37 PID 2184 wrote to memory of 912 2184 cmd.exe 41 PID 2184 wrote to memory of 912 2184 cmd.exe 41 PID 2184 wrote to memory of 912 2184 cmd.exe 41 PID 2184 wrote to memory of 912 2184 cmd.exe 41 PID 2184 wrote to memory of 1756 2184 cmd.exe 42 PID 2184 wrote to memory of 1756 2184 cmd.exe 42 PID 2184 wrote to memory of 1756 2184 cmd.exe 42 PID 2184 wrote to memory of 1756 2184 cmd.exe 42 PID 2184 wrote to memory of 1372 2184 cmd.exe 43 PID 2184 wrote to memory of 1372 2184 cmd.exe 43 PID 2184 wrote to memory of 1372 2184 cmd.exe 43 PID 2184 wrote to memory of 1372 2184 cmd.exe 43 PID 1620 wrote to memory of 928 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 44 PID 1620 wrote to memory of 928 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 44 PID 1620 wrote to memory of 928 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 44 PID 1620 wrote to memory of 928 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 44 PID 1620 wrote to memory of 2320 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 46 PID 1620 wrote to memory of 2320 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 46 PID 1620 wrote to memory of 2320 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 46 PID 1620 wrote to memory of 2320 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 46 PID 1620 wrote to memory of 2320 1620 Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe"C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe"1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\Libraries\jkzjblcW.cmd" "2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o3⤵PID:2568
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o3⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2484
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 103⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Users\Public\xpha.pifC:\\Users\\Public\\xpha.pif 127.0.0.1 -n 104⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1272
-
-
-
C:\Windows \SysWOW64\per.exe"C:\\Windows \\SysWOW64\\per.exe3⤵
- Executes dropped EXE
PID:2328
-
-
C:\Windows \SysWOW64\per.exe"C:\Windows \SysWOW64\per.exe"3⤵
- Executes dropped EXE
PID:2952
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW643⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372
-
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\Payment Advice-BCS_ECROWNS9522024072510026_AUG_13_2024_PDF.exe /d C:\\Users\\Public\\Libraries\\Wclbjzkj.PIF /o2⤵PID:928
-
-
C:\Windows\SysWOW64\colorcpl.exeC:\Windows\System32\colorcpl.exe2⤵
- System Location Discovery: System Language Discovery
PID:2320
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
146B
MD59cc2a7d06260c188803f47496e088d28
SHA15e3baf281714f22042a97e6813e253156bfda03d
SHA25669bffd1fd048752908851533539bdbc6b62d230eb4d35fe3e51062d1728fb5b6
SHA512e4a08fbec556afb14c0c48a63c6ba9a3e062a375ae21223e5a3af2a48342bab20f8e232969a9e6c462762b6e34ab1d6032c4c64513df538b29594dafabc2484c
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
60KB
MD5b87f096cbc25570329e2bb59fee57580
SHA1d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA51272901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
-
Filesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
Filesize
295KB
MD5ad7b9c14083b52bc532fba5948342b98
SHA1ee8cbf12d87c4d388f09b4f69bed2e91682920b5
SHA25617f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae
SHA512e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1
-
Filesize
15KB
MD56242e3d67787ccbf4e06ad2982853144
SHA16ac7947207d999a65890ab25fe344955da35028e
SHA2564ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d
SHA5127d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf