modiloader | c351dac370d0364b1ef303338408a568d877eef020539818f09214adb338bf5c

General

Target

Devis de commande urgent SDX88467638,pdf.exe
Size

838KB
MD5

3cbd690be25928be30b522ad04785ef5
SHA1

e2f8ab8ceaaa0bf2a65fd8291f1355a58ad66561
SHA256

2644d67e0fbbce929f70bdc4c07912617a2a65e611faeb72acd51a091e529a5e
SHA512

388334e5ddc09edaefffa1050c6c2e6a5bbc88c24d1973b0fbfbb69a8fcace4d985e8166bbebc5d767749fde55b8fd2251f9bd9f6499f8f984c14f1d59c9a9e7

Score

10^/10

modiloader remcos persistence rat trojan

Malware Config

Extracted

Family

remcos

C2

ongod4life.ddns.net:4344

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

Netplwiz.exeNetplwiz.exe

pid process

556 Netplwiz.exe
904 Netplwiz.exe

pid	process
556	Netplwiz.exe
904	Netplwiz.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Devis de commande urgent SDX88467638,pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uatyvc = "C:\\Users\\Public\\Libraries\\cvytaU.url"	Devis de commande urgent SDX88467638,pdf.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Devis de commande urgent SDX88467638,pdf.exe

description	ioc	process
File opened (read-only)	\??\Z:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\E:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\O:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\Q:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\S:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\V:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\W:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\Y:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\H:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\J:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\K:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\M:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\N:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\U:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\X:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\B:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\G:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\I:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\L:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\P:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\T:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\A:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\F:	Devis de commande urgent SDX88467638,pdf.exe
File opened (read-only)	\??\R:	Devis de commande urgent SDX88467638,pdf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Devis de commande urgent SDX88467638,pdf.execmd.exe

description	pid	process	target process
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 672	1676	Devis de commande urgent SDX88467638,pdf.exe	ieinstal.exe
PID 1676 wrote to memory of 1140	1676	Devis de commande urgent SDX88467638,pdf.exe	cmd.exe
PID 1676 wrote to memory of 1140	1676	Devis de commande urgent SDX88467638,pdf.exe	cmd.exe
PID 1676 wrote to memory of 1140	1676	Devis de commande urgent SDX88467638,pdf.exe	cmd.exe
PID 1676 wrote to memory of 1140	1676	Devis de commande urgent SDX88467638,pdf.exe	cmd.exe
PID 1140 wrote to memory of 1784	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 1784	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 1784	1140	cmd.exe	cmd.exe
PID 1140 wrote to memory of 1784	1140	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Devis de commande urgent SDX88467638,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Devis de commande urgent SDX88467638,pdf.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1676

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
2⤵
PID:672

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\stt.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
3⤵
PID:1784

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:556

C:\Windows \System32\Netplwiz.exe
"C:\Windows \System32\Netplwiz.exe"
4⤵
- Executes dropped EXE
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\NETUTILS.dll
MD5
39507d772c63ca496a25a14a8b5d14b2

SHA1
5b603f5c11eb9ab4313694315b4d4894ff4641d4

SHA256
36d1fa474cd8271f9b74b9481025614b6ff309f767f69d9f1ff3960c7205ad12

SHA512
0c740fd7b6d67d9938b0d8e1ea7d6c41910dd6d0b85b4ec8b6015ff8c0c73798dee01f01da0b5b0c07038663aca7945faca0e2b5afc1cb751aaba7567d332f5f

Download Submit
C:\Users\Public\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Users\Public\PXOR.bat
MD5
0d8aef656413642f55e0902cc5df5e6f

SHA1
73ec56d08bd9b3c45d55c97bd1c1286b77c8ff49

SHA256
670f94b92f45bc2f3f44a80c7f3021f874aa16fde38ed7d7f3ebed13ae09fa11

SHA512
efe690b1bcf06e16be469622b45c98b5dc1f1e06410cbf7e7dccb2975524c4d6bc7e23de9a129d50d73cd924f02e23f925555894f2c7da1064dcc57151f50876

Download Submit
C:\Users\Public\stt.bat
MD5
8a850253c31df9a7e1c00c80df2630d5

SHA1
e3da74081b027a3b591488b28da22742bcfe8495

SHA256
8fdeba3ec903bde700342083d16f72452366aa0b1b30d0e58dee0af74cebfa35

SHA512
30510bdc34680a0865a0811d9be29dec91c74717feccd58c9b4d88e77be9e5d13a539806a1b2901aff595b2fe2cc45926b69ed42e899d2dd2913c78a732e84d1

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
C:\Windows \System32\Netplwiz.exe
MD5
f94b7fb6dac49844d03c7087b2d8b472

SHA1
0e84139fced0ee8ef929d0bd5f01559a7dcf1db0

SHA256
46e31f337ed0d9a6fe3f159abc91c9b9b6a6062982bbcd84a51784d7128e7ae4

SHA512
d63878f94f7699e4cc63c2cd885c29455e0c423d32dba750e4fc3aa74dbaca80a1a4b176719213b9fc6584de6a40cddff7864c7fb4cfba13dfcb437a36e41b80

Download Submit
memory/672-76-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/672-65-0x0000000000000000-mapping.dmp

Download
memory/672-78-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/672-79-0x0000000010540000-0x0000000010564000-memory.dmp

Filesize
144KB

Download
memory/672-80-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/672-81-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1140-67-0x0000000000000000-mapping.dmp

Download
memory/1676-64-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1676-61-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1676-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1784-69-0x0000000000000000-mapping.dmp

Download
memory/1784-82-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads