Overview

overview

10

Static

static

order conf...ar.exe

windows7_x64

10

order conf...ar.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    13-07-2020 06:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order confirmation PO#1912679,rar.exe

  • Size

    1.3MB

  • MD5

    0fffcf232ba8b08e1036a01c66d22f54

  • SHA1

    7222e9903ec892627197233498a6e0cede759630

  • SHA256

    76fff401edfeb7279561b52d1e6486145600c6834d7ce8e7c46a571f1161eabe

  • SHA512

    067a969a0084f1077652988d9a17bfa256127588a1af25b641afd737fb34bfae78816e86a6986bb9a84ab79e15d9eb112f0c351d630ab36f9ea28b0396bd19a0

Score
10/10
modiloaderremcospersistencerattrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order confirmation PO#1912679,rar.exe
    "C:\Users\Admin\AppData\Local\Temp\order confirmation PO#1912679,rar.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
        PID:1388

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1296-3-0x0000000010530000-0x0000000010553000-memory.dmp
      Filesize

      140KB

      Download
    • memory/1388-1-0x0000000000000000-mapping.dmp
      Download
    • memory/1388-0-0x0000000000000000-mapping.dmp
      Download
    • memory/1388-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1388-4-0x0000000000000000-mapping.dmp
      Download