modiloader | 0ceab68641ca19a5f55d30cfc6f0e714c62cbec56683dd723704b890e9863983

General

Target

SWIFTCOPY_110255293303484_SANTANDER.doc
Size

1.6MB
MD5

2669b367e19d303277d90e1df00141d6
SHA1

e1acf19515cc4ce7cd4946226510a4b63a20571c
SHA256

0ceab68641ca19a5f55d30cfc6f0e714c62cbec56683dd723704b890e9863983
SHA512

a7c4fa232f8c6b70eeaab34b184a737e317340ecd69ce099e147151c90987d7fe57899ddfab96efaf8b96b6a716e75d841bc68b0541ea6587772ca07cf149008

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Extracted

Family

remcos

C2

official.myq-see.com:2310

official.ydns.eu:2310

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 2 IoCs

Processes:

EQNEDT32.EXE

flow pid process

6 1740 EQNEDT32.EXE
7 1740 EQNEDT32.EXE
Executes dropped EXE 1 IoCs

Processes:

69577.exe

pid process

572 69577.exe
Loads dropped DLL 2 IoCs

Processes:

EQNEDT32.EXE

pid process

1740 EQNEDT32.EXE
1740 EQNEDT32.EXE

flow	pid	process
6	1740	EQNEDT32.EXE
7	1740	EQNEDT32.EXE

pid	process
572	69577.exe

pid	process
1740	EQNEDT32.EXE
1740	EQNEDT32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

69577.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nsrgar = "C:\\Users\\Public\\Libraries\\ragrsN.url"	69577.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1740 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1740	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 9 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1636 WINWORD.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEieinstal.exe

pid process

1636 WINWORD.EXE
1636 WINWORD.EXE
1300 ieinstal.exe

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1636	WINWORD.EXE

pid	process
1636	WINWORD.EXE
1636	WINWORD.EXE
1300	ieinstal.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXE69577.exe

description	pid	process	target process
PID 1636 wrote to memory of 1952	1636	WINWORD.EXE	splwow64.exe
PID 1636 wrote to memory of 1952	1636	WINWORD.EXE	splwow64.exe
PID 1636 wrote to memory of 1952	1636	WINWORD.EXE	splwow64.exe
PID 1636 wrote to memory of 1952	1636	WINWORD.EXE	splwow64.exe
PID 1740 wrote to memory of 572	1740	EQNEDT32.EXE	69577.exe
PID 1740 wrote to memory of 572	1740	EQNEDT32.EXE	69577.exe
PID 1740 wrote to memory of 572	1740	EQNEDT32.EXE	69577.exe
PID 1740 wrote to memory of 572	1740	EQNEDT32.EXE	69577.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe
PID 572 wrote to memory of 1300	572	69577.exe	ieinstal.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SWIFTCOPY_110255293303484_SANTANDER.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1952

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Public\69577.exe
"C:\Users\Public\69577.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:572

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Suspicious use of SetWindowsHookEx
PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1

T1203

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\69577.exe
MD5
d5852dca87eaa4df0cf21616a30be33b

SHA1
895f766ba9cf537ba5446e5482046e88fe4a7e10

SHA256
fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b

SHA512
2b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da

Download Submit
C:\Users\Public\69577.exe
MD5
d5852dca87eaa4df0cf21616a30be33b

SHA1
895f766ba9cf537ba5446e5482046e88fe4a7e10

SHA256
fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b

SHA512
2b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da

Download Submit
\Users\Public\69577.exe
MD5
d5852dca87eaa4df0cf21616a30be33b

SHA1
895f766ba9cf537ba5446e5482046e88fe4a7e10

SHA256
fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b

SHA512
2b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da

Download Submit
\Users\Public\69577.exe
MD5
d5852dca87eaa4df0cf21616a30be33b

SHA1
895f766ba9cf537ba5446e5482046e88fe4a7e10

SHA256
fee06f1a31cdd93b91bf8d0a5991023b2bf6d0ed2957c3bc0f40f05609eb689b

SHA512
2b691a7e356a395b772198006e87cbfcf9b807ec0d0e0e8ac7c300e3a6f5a7653a9c05ca484f1b1fbf6f0f8f968f6dc6659e4674122ea6f7dc797bd45de889da

Download Submit
memory/572-11-0x0000000000000000-mapping.dmp

Download
memory/572-14-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1300-18-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1300-17-0x0000000000000000-mapping.dmp

Download
memory/1300-16-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1300-20-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1300-26-0x0000000010590000-0x000000001060B000-memory.dmp

Filesize
492KB

Download
memory/1300-27-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1516-8-0x000007FEF77E0000-0x000007FEF7A5A000-memory.dmp

Filesize
2.5MB

Download
memory/1636-2-0x0000000072821000-0x0000000072824000-memory.dmp

Filesize
12KB

Download
memory/1636-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1636-3-0x00000000702A1000-0x00000000702A3000-memory.dmp

Filesize
8KB

Download
memory/1740-7-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/1952-6-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp

Filesize
8KB

Download
memory/1952-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads