Overview

overview

10

Static

static

1

Slf.msi

windows7-x64

10

Slf.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2024 00:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Slf.msi

  • Size

    3.4MB

  • MD5

    6f92f923d8f87afe5fe757ff2ff56951

  • SHA1

    44780713a7026b9b0ff3cadeaffacb3cc3584eca

  • SHA256

    6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321

  • SHA512

    100df666e8c5b4c2e21de703fe7210a41daedf1480e1fe4b7388aa63dd51eccbe46e141a275ef61061c97cf3cd268a129cfd5fa0e290e4525b07915789713f0a

  • SSDEEP

    49152:vm5X8r6F5mCmR+juZZZL+H9IyKficUAG595WpZsNAaudSIuvLZ8:co6wZLSIX6cZGZWUNAaudgZ

Score
10/10
hijackloaderremcosv2discoveryloaderpersistenceprivilege_escalationrat

Malware Config

Extracted

Family

remcos

Botnet

v2

C2

185.157.162.126:1995

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    qsdazeazd-EL00KX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Detects HijackLoader (aka IDAT Loader) 1 IoCs
  • HijackLoader

    HijackLoader is a multistage loader first seen in 2023.

    loaderhijackloader
  • Hijackloader family
    hijackloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 2 IoCs
    installer
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 91EFB2D73C2CB1410F46B58268572ECB
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3184
    • C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
      "C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe
        3⤵
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4880
        • C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
          C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3556
    • C:\Users\Admin\AppData\Local\Temp\Updwork.exe
      "C:\Users\Admin\AppData\Local\Temp\Updwork.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\WerFault.exe
        "C:\Windows\System32\WerFault.exe"
        3⤵
          PID:2588
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4568

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57bbe1.rbs
      Filesize

      2KB

      MD5

      4b01d4966a92edc2ba097f0d136f252a

      SHA1

      f900277c17cb552cbfbe96bf4a57ee1cf481f869

      SHA256

      3dd5afdd3456c1c8f22522220a2e8d17ea691026f521e2cf3813205301189f3b

      SHA512

      290408afe016fb6ecdc8dd12b25a5c7a04f58968a21f8c0b1277552bac1770ca7fe4b8d91a60ccc57fd0aaa8f92f10a29e1d9e03d309c84953ad689b36a7acad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\5796df21
      Filesize

      1.0MB

      MD5

      ca7d644a6d4a3ea6f8dc397a08665107

      SHA1

      c4ddcb90d9c5b09388b9d1f092a5c15a0ebde2f2

      SHA256

      dc7de43a8c31ab4b122535855e794b3d90dd5f6cd1c51e5730cbf9ad6b0d88d2

      SHA512

      bf0eac73dd1a4ce7b6b3ad27b1d16ab9ef43925dd6112100662e32f26885ca3912a6bea881fb8de3cbfba080f72cbc6444b2727b118fc6781620a61fb9c0f5fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe
      Filesize

      20KB

      MD5

      9329ba45c8b97485926a171e34c2abb8

      SHA1

      20118bc0432b4e8b3660a4b038b20ca28f721e5c

      SHA256

      effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659

      SHA512

      0af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MFC80U.DLL
      Filesize

      1.0MB

      MD5

      686b224b4987c22b153fbb545fee9657

      SHA1

      684ee9f018fbb0bbf6ffa590f3782ba49d5d096c

      SHA256

      a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36

      SHA512

      44d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI7b99b.LOG
      Filesize

      20KB

      MD5

      e7960b38964bdd7e255623b6675d61e9

      SHA1

      8170687a4e24cbc8516faa0774d2982028c0c760

      SHA256

      bad0d00273f60a9ad353d8f4976c1edc41c850a9f745f205c71c5625835a9aa6

      SHA512

      e3be7b1d02651174d76bd62fd8def66e369f3bfc20d33b793266936d4e1d533a6293e3265abc6e4f9552b2e200a62bf700e524431f5e505853457cf122bf5be3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RaftelibeGarss\zlib1.dll
      Filesize

      363KB

      MD5

      3ca940e27e87443f7891d39536650f9b

      SHA1

      2603ff220c43f13591a51abb0cf339aecb758207

      SHA256

      a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38

      SHA512

      0c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Updwork.exe
      Filesize

      494KB

      MD5

      253c52411b256e4af301cba58dcb6cef

      SHA1

      f21252c959b9eb47cd210f41b997cf598612d7c9

      SHA256

      7d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d

      SHA512

      40de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\audiogram.tif
      Filesize

      877KB

      MD5

      5124236fd955464317fbb1f344a1d2f2

      SHA1

      fe3a91e252f1dc3c3b4980ade7157369ea6f5097

      SHA256

      ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6

      SHA512

      2b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\http_dll.dll
      Filesize

      883KB

      MD5

      4366cd6c5d795811822b9ccc3df3eab4

      SHA1

      30f6050729b4c08b7657454cb79dd5a3d463c606

      SHA256

      55497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da

      SHA512

      4a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349

      Download Submit

    • C:\Windows\Installer\MSIBC6A.tmp
      Filesize

      557KB

      MD5

      2c9c51ac508570303c6d46c0571ea3a1

      SHA1

      e3e0fe08fa11a43c8bca533f212bdf0704c726d5

      SHA256

      ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550

      SHA512

      df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127

      Download Submit

    • memory/2256-61-0x0000000062E80000-0x0000000062EE3000-memory.dmp

      Filesize

      396KB

      Download

    • memory/2588-67-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2948-53-0x0000000074490000-0x000000007460B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/2948-59-0x0000000074490000-0x000000007460B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/3556-90-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-93-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-80-0x0000000073230000-0x0000000074484000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3556-82-0x00007FF8FDB70000-0x00007FF8FDD65000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/3556-83-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-86-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-87-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-98-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-91-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-92-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-97-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/3556-94-0x0000000000410000-0x0000000000494000-memory.dmp

      Filesize

      528KB

      Download

    • memory/4880-78-0x0000000074490000-0x000000007460B000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/4880-76-0x00007FF8FDB70000-0x00007FF8FDD65000-memory.dmp

      Filesize

      2.0MB

      Download