Overview

overview

10

Static

static

12.exe

windows7_x64

10

12.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-04-2021 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12.exe

  • Size

    619KB

  • MD5

    98f413548ec275b2b0ead9caf86119eb

  • SHA1

    cd39fdbed9c2011ef1d33dec7f50704664c33e63

  • SHA256

    ee6d59e7ff1910806b465f8ae5fd6b2dd918cbe56fb1e3144d1484ba7b266eec

  • SHA512

    266370e9871a3e8c9c26835de8dec3be658d4bbb8709b3e26bfd986c60d312a065b587935e737e866907946f07cd25a6b7b2e416aabf8693bccc6fb694d6c6ef

Score
10/10
modiloaderremcospersistencerattrojan

Malware Config

Extracted

Family

remcos

C2

abujafirms1.duckdns.org:12000

194.5.98.203:1988

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\12.exe
    "C:\Users\Admin\AppData\Local\Temp\12.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Program Files (x86)\internet explorer\ieinstal.exe
      "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      2⤵
        PID:968

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/968-65-0x0000000000000000-mapping.dmp
      Download
    • memory/968-67-0x00000000000D0000-0x00000000000D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/968-69-0x0000000000280000-0x0000000000281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/968-70-0x0000000010590000-0x000000001060B000-memory.dmp
      Filesize

      492KB

      Download
    • memory/968-71-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/968-72-0x0000000000090000-0x0000000000091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1640-59-0x00000000769B1000-0x00000000769B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1640-60-0x0000000000220000-0x0000000000221000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1640-62-0x0000000000250000-0x000000000026A000-memory.dmp
      Filesize

      104KB

      Download