Overview

overview

10

Static

static

order.scr

windows7-x64

10

order.scr

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    03-08-2022 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order.scr

  • Size

    943KB

  • MD5

    d898ec314df386d53273beae1740c7f9

  • SHA1

    48129f3aa13df929f1cb8ed23980eb350473d637

  • SHA256

    e78e1baff2d7a3f921993ef1537adbed0b4cead4154cc42c2bd760ace1dce46f

  • SHA512

    89acf578e9c40eb83e053d220c3793dacaa5bfb6fa5a7ea7b9ed8a33d5c0962dfe771c1e5f34605b86fa7a384decff22c42dd7cb8a48b98388aa0cd667917bc6

Score
10/10
modiloaderremcospersistencerattrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • ModiLoader Second Stage 44 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\order.scr
    "C:\Users\Admin\AppData\Local\Temp\order.scr" /S
    1⤵
    • Adds Run key to start application
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\cleanmgr.exe
      "C:\Windows\System32\cleanmgr.exe"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/856-80-0x0000000000000000-mapping.dmp
    Download
  • memory/856-109-0x00000000038D0000-0x000000000451A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/856-108-0x00000000038D0000-0x000000000451A000-memory.dmp
    Filesize

    12.3MB

    Download
  • memory/856-105-0x0000000050590000-0x000000005061A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/856-83-0x0000000050590000-0x000000005061A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/856-82-0x0000000070DC1000-0x0000000070DC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/860-71-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-88-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-68-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-67-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-66-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-65-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-54-0x0000000076681000-0x0000000076683000-memory.dmp
    Filesize

    8KB

    Download
  • memory/860-70-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-69-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-72-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-73-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-74-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-75-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-77-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-76-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-78-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-79-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-63-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-60-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-61-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-85-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-86-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-87-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-64-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-89-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-90-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-91-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-92-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-93-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-95-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-94-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-96-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-97-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-98-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-99-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-100-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-101-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-102-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-103-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-62-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-106-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-104-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-107-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-59-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download
  • memory/860-57-0x0000000004C20000-0x0000000004D17000-memory.dmp
    Filesize

    988KB

    Download