Analysis
-
max time kernel
148s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
30-11-2024 00:22
Static task
static1
Behavioral task
behavioral1
Sample
Slf.msi
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Slf.msi
Resource
win10v2004-20241007-en
General
-
Target
Slf.msi
-
Size
3.4MB
-
MD5
6f92f923d8f87afe5fe757ff2ff56951
-
SHA1
44780713a7026b9b0ff3cadeaffacb3cc3584eca
-
SHA256
6ed0c218b751ec93293b5922e783b7a9b147a3c7cd6070022cd707050108d321
-
SHA512
100df666e8c5b4c2e21de703fe7210a41daedf1480e1fe4b7388aa63dd51eccbe46e141a275ef61061c97cf3cd268a129cfd5fa0e290e4525b07915789713f0a
-
SSDEEP
49152:vm5X8r6F5mCmR+juZZZL+H9IyKficUAG595WpZsNAaudSIuvLZ8:co6wZLSIX6cZGZWUNAaudgZ
Malware Config
Extracted
remcos
v2
185.157.162.126:1995
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
qsdazeazd-EL00KX
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Detects HijackLoader (aka IDAT Loader) 1 IoCs
resource yara_rule behavioral1/files/0x00050000000191cf-50.dat family_hijackloader -
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
-
Hijackloader family
-
Remcos family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2984 set thread context of 2264 2984 Updwork.exe 37 PID 1820 set thread context of 1504 1820 EHttpSrv.exe 34 PID 1504 set thread context of 1920 1504 cmd.exe 38 -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI56AA.tmp msiexec.exe File created C:\Windows\Installer\f765573.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI59A7.tmp msiexec.exe File opened for modification C:\Windows\Installer\f765573.ipi msiexec.exe File opened for modification C:\Windows\Installer\f765570.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI55AE.tmp msiexec.exe File created C:\Windows\Installer\f765570.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI566B.tmp msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 1820 EHttpSrv.exe 2984 Updwork.exe -
Loads dropped DLL 10 IoCs
pid Process 2788 MsiExec.exe 2788 MsiExec.exe 2788 MsiExec.exe 1820 EHttpSrv.exe 1820 EHttpSrv.exe 2984 Updwork.exe 1504 cmd.exe 1504 cmd.exe 1504 cmd.exe 1920 EHttpSrv.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2252 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Updwork.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EHttpSrv.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EHttpSrv.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral1/files/0x0005000000019219-45.dat nsis_installer_1 behavioral1/files/0x0005000000019219-45.dat nsis_installer_2 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 2736 msiexec.exe 2736 msiexec.exe 1820 EHttpSrv.exe 1504 cmd.exe 1504 cmd.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 1820 EHttpSrv.exe 1504 cmd.exe 1504 cmd.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
description pid Process Token: SeShutdownPrivilege 2252 msiexec.exe Token: SeIncreaseQuotaPrivilege 2252 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeSecurityPrivilege 2736 msiexec.exe Token: SeCreateTokenPrivilege 2252 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2252 msiexec.exe Token: SeLockMemoryPrivilege 2252 msiexec.exe Token: SeIncreaseQuotaPrivilege 2252 msiexec.exe Token: SeMachineAccountPrivilege 2252 msiexec.exe Token: SeTcbPrivilege 2252 msiexec.exe Token: SeSecurityPrivilege 2252 msiexec.exe Token: SeTakeOwnershipPrivilege 2252 msiexec.exe Token: SeLoadDriverPrivilege 2252 msiexec.exe Token: SeSystemProfilePrivilege 2252 msiexec.exe Token: SeSystemtimePrivilege 2252 msiexec.exe Token: SeProfSingleProcessPrivilege 2252 msiexec.exe Token: SeIncBasePriorityPrivilege 2252 msiexec.exe Token: SeCreatePagefilePrivilege 2252 msiexec.exe Token: SeCreatePermanentPrivilege 2252 msiexec.exe Token: SeBackupPrivilege 2252 msiexec.exe Token: SeRestorePrivilege 2252 msiexec.exe Token: SeShutdownPrivilege 2252 msiexec.exe Token: SeDebugPrivilege 2252 msiexec.exe Token: SeAuditPrivilege 2252 msiexec.exe Token: SeSystemEnvironmentPrivilege 2252 msiexec.exe Token: SeChangeNotifyPrivilege 2252 msiexec.exe Token: SeRemoteShutdownPrivilege 2252 msiexec.exe Token: SeUndockPrivilege 2252 msiexec.exe Token: SeSyncAgentPrivilege 2252 msiexec.exe Token: SeEnableDelegationPrivilege 2252 msiexec.exe Token: SeManageVolumePrivilege 2252 msiexec.exe Token: SeImpersonatePrivilege 2252 msiexec.exe Token: SeCreateGlobalPrivilege 2252 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe Token: SeRestorePrivilege 2736 msiexec.exe Token: SeTakeOwnershipPrivilege 2736 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2252 msiexec.exe 2252 msiexec.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 2788 2736 msiexec.exe 31 PID 2736 wrote to memory of 1820 2736 msiexec.exe 32 PID 2736 wrote to memory of 1820 2736 msiexec.exe 32 PID 2736 wrote to memory of 1820 2736 msiexec.exe 32 PID 2736 wrote to memory of 1820 2736 msiexec.exe 32 PID 2736 wrote to memory of 2984 2736 msiexec.exe 33 PID 2736 wrote to memory of 2984 2736 msiexec.exe 33 PID 2736 wrote to memory of 2984 2736 msiexec.exe 33 PID 2736 wrote to memory of 2984 2736 msiexec.exe 33 PID 1820 wrote to memory of 1504 1820 EHttpSrv.exe 34 PID 1820 wrote to memory of 1504 1820 EHttpSrv.exe 34 PID 1820 wrote to memory of 1504 1820 EHttpSrv.exe 34 PID 1820 wrote to memory of 1504 1820 EHttpSrv.exe 34 PID 2984 wrote to memory of 2264 2984 Updwork.exe 37 PID 2984 wrote to memory of 2264 2984 Updwork.exe 37 PID 2984 wrote to memory of 2264 2984 Updwork.exe 37 PID 2984 wrote to memory of 2264 2984 Updwork.exe 37 PID 2984 wrote to memory of 2264 2984 Updwork.exe 37 PID 2984 wrote to memory of 2264 2984 Updwork.exe 37 PID 1820 wrote to memory of 1504 1820 EHttpSrv.exe 34 PID 1504 wrote to memory of 1920 1504 cmd.exe 38 PID 1504 wrote to memory of 1920 1504 cmd.exe 38 PID 1504 wrote to memory of 1920 1504 cmd.exe 38 PID 1504 wrote to memory of 1920 1504 cmd.exe 38 PID 1504 wrote to memory of 1920 1504 cmd.exe 38 PID 1504 wrote to memory of 1920 1504 cmd.exe 38
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Slf.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2252
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A3A085D715CFBA99F5A80E5F3115AD962⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788
-
-
C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe3⤵
- Suspicious use of SetThreadContext
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\EHttpSrv.exeC:\Users\Admin\AppData\Local\Temp\EHttpSrv.exe4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1920
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Updwork.exe"C:\Users\Admin\AppData\Local\Temp\Updwork.exe"2⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\WerFault.exe"C:\Windows\System32\WerFault.exe"3⤵PID:2264
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}1⤵
- System Location Discovery: System Language Discovery
PID:2588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5ee39c19e5c925f709bb373e2b0a907b3
SHA18b0204cc969ae9abc84bac30d4b28132b56bcd46
SHA256b48e839ebe8b4b4f99a8408a16bcf39265d7d59e7cf31f8429f5f5e535df8f2b
SHA512a9bf66a7509a5bae9592fc6b9b03f25dee3bda92dcc667b9a54ae8d3ea2a488249b744beeb58126d326e5f7a2bb77a2be19df622b334f8041d669cde783d1e43
-
Filesize
20KB
MD59329ba45c8b97485926a171e34c2abb8
SHA120118bc0432b4e8b3660a4b038b20ca28f721e5c
SHA256effa6fcb8759375b4089ccf61202a5c63243f4102872e64e3eb0a1bdc2727659
SHA5120af06b5495142ba0632a46be0778a7bd3d507e9848b3159436aa504536919abbcacd8b740ef4b591296e86604b49e0642fee2c273a45e44b41a80f91a1d52acc
-
Filesize
19KB
MD55be873725a03c8c3b8921977a57cd8ea
SHA1a05323205e2d7f45b73ab723c1ced5a065638b99
SHA2566eac0a103423678c00b1d400ecda08b70c34b1f1f0d6c09f2787466023f55abe
SHA51209d031068c3a1c081f20e3f41b63b854dc431eef5ed76b0eb9a6728b36bdffb2504d0c5b30f59ecc662df1b694bc523aac0b9e5a99410a6bed4c08c76733bf7d
-
Filesize
494KB
MD5253c52411b256e4af301cba58dcb6cef
SHA1f21252c959b9eb47cd210f41b997cf598612d7c9
SHA2567d57b704dd881413e7ee2effb3d85bdfff1e208b0f3f745419e640930d9d339d
SHA51240de728edae55f97ac9459cf78bbc31b38e8b59bdb7a74fbd9e09d7efd2a81b1dc5fd8011007c66efb58e850f1c57d099ec340aecd62911d6aebf2e70d1275d0
-
Filesize
877KB
MD55124236fd955464317fbb1f344a1d2f2
SHA1fe3a91e252f1dc3c3b4980ade7157369ea6f5097
SHA256ed1389002cdf96c9b54de35b6e972166ee3296d628943fd594a383e674c5cba6
SHA5122b2ac23244b16f936ef9a4049586f58c809fcc4391a56390cc5db2e8d96140001e0b977680ed1d8b0ab9c410e865a880209e22add8d42e563dc40bc91236b252
-
Filesize
1.0MB
MD5febb989da36b083bd3f2a960db080393
SHA11fdd91981b63221f9c34b9691f060f9c40c85976
SHA2564c91f919e77277cf33edfd9e85bde82476e42cafbb54683a5b04d4c64da8de77
SHA51242fbfa7fb03db5ebb328bc02aae60900cb684cfa8a607bb5f555ddc3fe1a5fb6a37c2b757f0ebd232e885022b9192cddb688faadcca1c7a1a2fc57e3aaa08cf7
-
Filesize
363KB
MD53ca940e27e87443f7891d39536650f9b
SHA12603ff220c43f13591a51abb0cf339aecb758207
SHA256a91f13aece1ea7ebe326f0e340bda9d00613d3365cd81b7f138a4c9446ffbd38
SHA5120c0e04cbb8247f6dfe0790d1c3453596e3cb5f5ff0d2c3bc4e01fb38ad8e042322130072263c135c5637a745ef70ac68487bdade3510990ce8f609cad46566ee
-
Filesize
883KB
MD54366cd6c5d795811822b9ccc3df3eab4
SHA130f6050729b4c08b7657454cb79dd5a3d463c606
SHA25655497a3eced5d8d190400bcd1a4b43a304ebf74a0d6d098665474ed4b1b0e9da
SHA5124a56a2da7ded16125c2795d5760c7c08a93362536c9212cff3a31dbf6613cb3fca436efd77c256338f5134da955bc7ccc564b4af0c45ac0dfd645460b922a349
-
Filesize
1.0MB
MD5686b224b4987c22b153fbb545fee9657
SHA1684ee9f018fbb0bbf6ffa590f3782ba49d5d096c
SHA256a2ac851f35066c2f13a7452b7a9a3fee05bfb42907ae77a6b85b212a2227fc36
SHA51244d65db91ceea351d2b6217eaa27358dbc2ed27c9a83d226b59aecb336a9252b60aec5ce5e646706a2af5631d5ee0f721231ec751e97e47bbbc32d5f40908875
-
Filesize
557KB
MD52c9c51ac508570303c6d46c0571ea3a1
SHA1e3e0fe08fa11a43c8bca533f212bdf0704c726d5
SHA256ff86c76a8d5846b3a1ad58ff2fd8e5a06a84eb5899cdee98e59c548d33335550
SHA512df5f1def5aac44f39a2dfde9c6c73f15f83a7374b4ad42b67e425ccb7ac99a64c5701b676ae46d2f7167a04a955158031a839e7878d100aaf8fab0ce2059f127