Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-11-2024 09:53
Static task
static1
Behavioral task
behavioral1
Sample
Slf.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Slf.msi
Resource
win10v2004-20241007-en
General
-
Target
Slf.msi
-
Size
3.0MB
-
MD5
da2c2debc2177026f359f4f06db67ea2
-
SHA1
c9b0cb497058b925ecb430d0e29d16fd0ca273a4
-
SHA256
e483ca3bc78e49f0ceef3406ea963101fe1d2b08b4bace6945ac9298222b8c37
-
SHA512
9885d2dbec4e3599862fc76c56773de56944adfa09322b7c401550dcfbaa49e95bdf27daf1515873fdc9a4c56ad6ab8195e6b9556afc8e3488401174a5203f5d
-
SSDEEP
49152:Ch4L8r6F5mCmR+XuhqZL+H9IyKficUAG595WpZsNAaudSIu:Fo6NZLSIX6cZGZWUNAaud
Malware Config
Extracted
remcos
v2
185.157.162.126:1995
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
qsdazeazd-EL00KX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023c91-44.dat family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Hijackloader family
-
Remcos family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2168 set thread context of 1580 2168 EHttpSrv.exe 90 PID 1580 set thread context of 4380 1580 cmd.exe 105 -
Drops file in Windows directory 11 IoCs
description ioc Process File created C:\Windows\Installer\SourceHash{BB2F3E18-3F04-450F-B8B5-60A9665181A8} msiexec.exe File created C:\Windows\Installer\e57c39e.msi msiexec.exe File opened for modification C:\Windows\Installer\e57c39e.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIC759.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIC42B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC69D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC799.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC8B3.tmp msiexec.exe -
Executes dropped EXE 1 IoCs
pid Process 2168 EHttpSrv.exe -
Loads dropped DLL 7 IoCs
pid Process 3116 MsiExec.exe 3116 MsiExec.exe 3116 MsiExec.exe 3116 MsiExec.exe 2168 EHttpSrv.exe 2168 EHttpSrv.exe 4380 EHttpSrv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1428 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EHttpSrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EHttpSrv.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 4552 msiexec.exe 4552 msiexec.exe 2168 EHttpSrv.exe 1580 cmd.exe 1580 cmd.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 2168 EHttpSrv.exe 1580 cmd.exe 1580 cmd.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeShutdownPrivilege 1428 msiexec.exe Token: SeIncreaseQuotaPrivilege 1428 msiexec.exe Token: SeSecurityPrivilege 4552 msiexec.exe Token: SeCreateTokenPrivilege 1428 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1428 msiexec.exe Token: SeLockMemoryPrivilege 1428 msiexec.exe Token: SeIncreaseQuotaPrivilege 1428 msiexec.exe Token: SeMachineAccountPrivilege 1428 msiexec.exe Token: SeTcbPrivilege 1428 msiexec.exe Token: SeSecurityPrivilege 1428 msiexec.exe Token: SeTakeOwnershipPrivilege 1428 msiexec.exe Token: SeLoadDriverPrivilege 1428 msiexec.exe Token: SeSystemProfilePrivilege 1428 msiexec.exe Token: SeSystemtimePrivilege 1428 msiexec.exe Token: SeProfSingleProcessPrivilege 1428 msiexec.exe Token: SeIncBasePriorityPrivilege 1428 msiexec.exe Token: SeCreatePagefilePrivilege 1428 msiexec.exe Token: SeCreatePermanentPrivilege 1428 msiexec.exe Token: SeBackupPrivilege 1428 msiexec.exe Token: SeRestorePrivilege 1428 msiexec.exe Token: SeShutdownPrivilege 1428 msiexec.exe Token: SeDebugPrivilege 1428 msiexec.exe Token: SeAuditPrivilege 1428 msiexec.exe Token: SeSystemEnvironmentPrivilege 1428 msiexec.exe Token: SeChangeNotifyPrivilege 1428 msiexec.exe Token: SeRemoteShutdownPrivilege 1428 msiexec.exe Token: SeUndockPrivilege 1428 msiexec.exe Token: SeSyncAgentPrivilege 1428 msiexec.exe Token: SeEnableDelegationPrivilege 1428 msiexec.exe Token: SeManageVolumePrivilege 1428 msiexec.exe Token: SeImpersonatePrivilege 1428 msiexec.exe Token: SeCreateGlobalPrivilege 1428 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe Token: SeRestorePrivilege 4552 msiexec.exe Token: SeTakeOwnershipPrivilege 4552 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1428 msiexec.exe 1428 msiexec.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4552 wrote to memory of 3116 4552 msiexec.exe 87 PID 4552 wrote to memory of 3116 4552 msiexec.exe 87 PID 4552 wrote to memory of 3116 4552 msiexec.exe 87 PID 4552 wrote to memory of 2168 4552 msiexec.exe 89 PID 4552 wrote to memory of 2168 4552 msiexec.exe 89 PID 4552 wrote to memory of 2168 4552 msiexec.exe 89 PID 2168 wrote to memory of 1580 2168 EHttpSrv.exe 90 PID 2168 wrote to memory of 1580 2168 EHttpSrv.exe 90 PID 2168 wrote to memory of 1580 2168 EHttpSrv.exe 90 PID 2168 wrote to memory of 1580 2168 EHttpSrv.exe 90 PID 1580 wrote to memory of 4380 1580 cmd.exe 105 PID 1580 wrote to memory of 4380 1580 cmd.exe 105 PID 1580 wrote to memory of 4380 1580 cmd.exe 105 PID 1580 wrote to memory of 4380 1580 cmd.exe 105 PID 1580 wrote to memory of 4380 1580 cmd.exe 105
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1428
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 64DD34E820C49CA949A7EB7582E1DAB32⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3116
-
-
C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exeC:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4380
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD566a986ce4ecbc2e2595cf18d3edf7bf4
SHA14d22c06d9d82f8f802b816b08f46fc890737928e
SHA2561c5f19213d9abc69165ac8ce9e58ee52c2075f6fe7f3f9945128ec4913b2bc58
SHA5129fc05a0a7fda8c44bd21e3b3e558f55fc9fc7430eedb6b4563bd1a83f4fb675e76d2fbcde52c06b54a70e4c98e3efc5afe4ca748619ac7bd6ce4f37c5780fd9b
-
Filesize
1.0MB
MD5dd6db4ca7ed5f81c1eb9e4d26c951124
SHA1f84cb464074497cdb0ec6fef6ae91acb899ecc35
SHA2568d521f5b9796206e1768dde736682802c7c0239ec2397c9e2c4ad57619b535eb
SHA5120425d309741581245583a325329e11a27f2fee1d78fd437d0fe2865f3890510890f5c7e5178c7487fd189ae03b8c0a8c4bb0962a4509ffb47b1a2584ef213b36
-
Filesize
20KB
MD59329ba45c8b97485926a171e34c2abb8
SHA120118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA5120af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc
-
Filesize
1.0MB
MD5686b224b4987c22b153fbb545fee9657
SHA1684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA51244d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875
-
Filesize
20KB
MD5454bbf3704af450f8228f7b85a8935c5
SHA13643cb1b591c30b199f1e3edfac30f01d710005f
SHA256b2612a81c17f3624092c0b07dfac231f6de24bc0169b3d343916736a01944a3a
SHA51267d9490e261f22968efff430de457d9016fde7e3532f508e26d24c54ef05a827b664406416663fac8eea55fa113a92e2d37d62fa6602722af7d3c11eff1759e1
-
Filesize
877KB
MD55124236fd955464317fbb1f344a1d2f2
SHA1fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA5122b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252
-
Filesize
883KB
MD54366cd6c5d795811822b9ccc3df3eab4
SHA130f6050729b4c08b7657454cb79dd5a3d463c606
SHA25655497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA5124a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127