modiloader | 1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45

Analysis

max time kernel
146s
max time network
194s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2022 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe
Size

676KB
MD5

04ad54f735adb698d516f64fdca3d8d1
SHA1

0c1bb7c47b7bfd72cbdd67cb129dbfabde88cfc8
SHA256

1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45
SHA512

63de2f64f760073f1de287114db9463e993fe7db7f3efd3c88ee33332ca0cac9ce21ef280d979e6c940c80edf9a6658c2f69e971f11e78909d48984bd447b766
SSDEEP

12288:S5gEwpGsYpvFRWJSDsw5jhC3CXjYstVSX3x7FRS8Hj/9lpB8:Sy3jYpvFRWJyrFSCX5tVSn52ArpB8

Score

10^/10

modiloader remcos duckdomain-file persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

DUCKDOMAIN-FILE

dapsan.duckdns.org:2404

www.dapsan.biz:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BERTBE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4516-132-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-135-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-136-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-137-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-134-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-139-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-140-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-141-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-138-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-143-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-142-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-145-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-144-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-146-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-148-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-147-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-149-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-151-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-150-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-153-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-152-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-155-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-154-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-157-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-161-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-160-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-159-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-158-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-156-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-162-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-163-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-164-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-165-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-166-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-167-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-168-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-170-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-171-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-172-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-169-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-173-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-174-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-175-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-176-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-177-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-178-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-179-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-180-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-181-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-182-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-183-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-184-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-185-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-186-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-187-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-188-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-189-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-190-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-191-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-192-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-193-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-194-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2
behavioral2/memory/4516-195-0x00000000044E0000-0x0000000004509000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

33 4152 wscript.exe

flow	pid	process
33	4152	wscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qcmxsaab = "C:\\Users\\Public\\Libraries\\baasxmcQ.url"	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe

pid	process
4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe
4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe

description	pid	process	target process
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe
PID 4516 wrote to memory of 4152	4516	1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe	wscript.exe

C:\Users\Admin\AppData\Local\Temp\1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe
"C:\Users\Admin\AppData\Local\Temp\1d22a7a17d50bd434e2e042ad9f64ea40631c41c7f35216c0662666748a66b45.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\wscript.exe
C:\Windows\System32\wscript.exe
2⤵
- Blocklisted process makes network request
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4152-251-0x0000000000000000-mapping.dmp

Download
memory/4152-284-0x0000000010590000-0x000000001060E000-memory.dmp

Filesize
504KB

Download
memory/4152-285-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4152-286-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4516-132-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-135-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-136-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-137-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-134-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-139-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-140-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-141-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-138-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-143-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-142-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-145-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-144-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-146-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-148-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-147-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-149-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-151-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-150-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-153-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-152-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-155-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-154-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-157-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-161-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-160-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-159-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-158-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-156-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-162-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-163-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-164-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-165-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-166-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-167-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-168-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-170-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-171-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-172-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-169-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-173-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-174-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-175-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-176-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-177-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-178-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-179-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-180-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-181-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-182-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-183-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-184-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-185-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-186-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-187-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-188-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-189-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-190-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-191-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-192-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-193-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-194-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download
memory/4516-195-0x00000000044E0000-0x0000000004509000-memory.dmp

Filesize
164KB

Download