modiloader | 6778fea0bea7bd311fbda7b2f6257a7826733a664199d8073c878e401ba20a33

Analysis

max time kernel
297s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stmt 2024-01.exe
Size

1.5MB
MD5

fe658ad9c31ff2b67f90178b00c48ecc
SHA1

1a066197e1e243409ef8cb70b9d71bf5a5a80f05
SHA256

6778fea0bea7bd311fbda7b2f6257a7826733a664199d8073c878e401ba20a33
SHA512

468fba52d876a39e1e72ea82f8a70dd758dd2c1e99e31dfe226749f3fbc49e64f635b8282e987e71f3b0b872842e61be016bfc24c9fc4592d3dbb8b5d8822f69
SSDEEP

24576:pA9PI47mMe3qTK/MYnyXXQ9cgAwFrDsRMzOFlB6WXg/jz8sleGu2bh:c2MYy6cqdDQSOFJg/jiwbh

Score

10^/10

modiloader remcos remotehost persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

meetre1ms.freeddns.org:2404

mysmeetr.ddns.net:2404

myumysmeetr.ddns.net:2404

bbhmeetre1ms.freeddns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
hsgddj
mouse_option
false
mutex
WIN2024-GUC4V0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral3/memory/3596-2-0x0000000002A00000-0x0000000003A00000-memory.dmp	modiloader_stage2

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Executes dropped EXE 2 IoCs

pid	Process
1204	easinvoker.exe
1268	easinvoker.exe

Loads dropped DLL 2 IoCs

pid	Process
1204	easinvoker.exe
1268	easinvoker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qsgbkgqg = "C:\\Users\\Public\\Qsgbkgqg.url"	Stmt 2024-01.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1928	sc.exe
2268	sc.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe
1204	easinvoker.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3760	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4432	SndVol.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 4216	3596	Stmt 2024-01.exe	95
PID 3596 wrote to memory of 4216	3596	Stmt 2024-01.exe	95
PID 3596 wrote to memory of 4216	3596	Stmt 2024-01.exe	95
PID 4216 wrote to memory of 1368	4216	cmd.exe	97
PID 4216 wrote to memory of 1368	4216	cmd.exe	97
PID 4216 wrote to memory of 1368	4216	cmd.exe	97
PID 4216 wrote to memory of 3176	4216	cmd.exe	99
PID 4216 wrote to memory of 3176	4216	cmd.exe	99
PID 4216 wrote to memory of 3176	4216	cmd.exe	99
PID 4216 wrote to memory of 2104	4216	cmd.exe	100
PID 4216 wrote to memory of 2104	4216	cmd.exe	100
PID 4216 wrote to memory of 2104	4216	cmd.exe	100
PID 4216 wrote to memory of 3116	4216	cmd.exe	102
PID 4216 wrote to memory of 3116	4216	cmd.exe	102
PID 4216 wrote to memory of 3116	4216	cmd.exe	102
PID 4216 wrote to memory of 4872	4216	cmd.exe	101
PID 4216 wrote to memory of 4872	4216	cmd.exe	101
PID 4216 wrote to memory of 4872	4216	cmd.exe	101
PID 4216 wrote to memory of 4940	4216	cmd.exe	103
PID 4216 wrote to memory of 4940	4216	cmd.exe	103
PID 4216 wrote to memory of 4940	4216	cmd.exe	103
PID 4216 wrote to memory of 868	4216	cmd.exe	104
PID 4216 wrote to memory of 868	4216	cmd.exe	104
PID 4216 wrote to memory of 868	4216	cmd.exe	104
PID 4216 wrote to memory of 3608	4216	cmd.exe	105
PID 4216 wrote to memory of 3608	4216	cmd.exe	105
PID 4216 wrote to memory of 3608	4216	cmd.exe	105
PID 4216 wrote to memory of 1428	4216	cmd.exe	106
PID 4216 wrote to memory of 1428	4216	cmd.exe	106
PID 4216 wrote to memory of 1428	4216	cmd.exe	106
PID 4216 wrote to memory of 1204	4216	cmd.exe	107
PID 4216 wrote to memory of 1204	4216	cmd.exe	107
PID 1204 wrote to memory of 2520	1204	easinvoker.exe	108
PID 1204 wrote to memory of 2520	1204	easinvoker.exe	108
PID 2520 wrote to memory of 2336	2520	cmd.exe	110
PID 2520 wrote to memory of 2336	2520	cmd.exe	110
PID 2520 wrote to memory of 1928	2520	cmd.exe	112
PID 2520 wrote to memory of 1928	2520	cmd.exe	112
PID 2520 wrote to memory of 2268	2520	cmd.exe	113
PID 2520 wrote to memory of 2268	2520	cmd.exe	113
PID 2336 wrote to memory of 3760	2336	cmd.exe	114
PID 2336 wrote to memory of 3760	2336	cmd.exe	114
PID 3596 wrote to memory of 4412	3596	Stmt 2024-01.exe	115
PID 3596 wrote to memory of 4412	3596	Stmt 2024-01.exe	115
PID 3596 wrote to memory of 4412	3596	Stmt 2024-01.exe	115
PID 3596 wrote to memory of 4432	3596	Stmt 2024-01.exe	117
PID 3596 wrote to memory of 4432	3596	Stmt 2024-01.exe	117
PID 3596 wrote to memory of 4432	3596	Stmt 2024-01.exe	117
PID 3596 wrote to memory of 4432	3596	Stmt 2024-01.exe	117
PID 4412 wrote to memory of 1268	4412	cmd.exe	118
PID 4412 wrote to memory of 1268	4412	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe
"C:\Users\Admin\AppData\Local\Temp\Stmt 2024-01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\QsgbkgqgO.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c mkdir "\\?\C:\Windows "
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:2104
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
    3⤵
    - Enumerates system info in registry
    PID:1428
- - C:\Windows \System32\easinvoker.exe
    "C:\\Windows \\System32\\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3760
    - - C:\Windows\system32\sc.exe
        
        sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
        5⤵
        Launches sc.exe
        
        PID:1928
    - - C:\Windows\system32\sc.exe
        
        sc.exe start truesight
        5⤵
        Launches sc.exe
        
        PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\\Windows \\System32\\easinvoker.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows \System32\easinvoker.exe
    "C:\\Windows \\System32\\easinvoker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1268
- C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\System32\SndVol.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hsgddj\logs.dat

Filesize
144B

MD5
1e54e9964c59f9087e136ce8c3898bb8

SHA1
255a0f3fc3d1fd7bda38ef3509a9677d98b0ce18

SHA256
7437e0e5612a9fc32d178079d58fe7922806bb48500c7f35dc441d961054a9ca

SHA512
0a2fc0271c7c4d2e0ae9139fee60eafbcce3d187027fd2ab7a033e336b8c80bebb94fcce7f62e55aaa767fa3cc3bf5cf6ac23030c6270f26dba9042d52a7c689

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5vbc5lpe.1li.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Libraries\KDECO.bat

Filesize
271B

MD5
d62b11dc4dc821ef23260e5b0e74a835

SHA1
cdff2004cb9ef149f75fae296f50f4fbfefb2e84

SHA256
d1b19b878a3ae98f650843314cc3ef8d681013f6e18e0201cb47a0afa45fc349

SHA512
27b8292eb318413b965e1c7552165e65f9003d03b15ddc0c5c142420a1a174303f983c268942d7b60c74ac4e8e79e01f83510807fc0c492cabdf4948bc69c625

Download Submit
C:\Users\Public\Libraries\QsgbkgqgO.bat

Filesize
404B

MD5
6880148d6cd8fabdce94b7e91dbd8d17

SHA1
870e9ad13355a8452746e0904d004ee8c8ec66e5

SHA256
0bfe311ffb1de96cbb2616c2a59c2a1a4942ec03073cc2ddfdfc43f79c74d18a

SHA512
810ee2896597cbcf813b9285bb2d7f9127360a4d8a872c47460d32710fe114c27ed58f840dc8bcfdaf7b826e7e46c78c0e814e4fa3d380d10737673a1febf38e

Download Submit
C:\Users\Public\Libraries\easinvoker.exe

Filesize
128KB

MD5
231ce1e1d7d98b44371ffff407d68b59

SHA1
25510d0f6353dbf0c9f72fc880de7585e34b28ff

SHA256
30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

SHA512
520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

Download Submit
C:\Users\Public\Libraries\netutils.dll

Filesize
114KB

MD5
1a2d83c73343d26f40a50fe2fe2f3e99

SHA1
cce1c460b809c39f3be25d3e9b57bb5a1584923b

SHA256
e2a595076d88ab6a210c395a75a78409e0e4f51cd13f0e10ad1b8c153b4e90d7

SHA512
26fffe2a5543f92f2a04996436343b82f99f1cec6e7e6b7b6c40f888d65951c61cb31318bcb3e5af6bd624960069bfb732e31c9ab70da462e1548daaa1ac1734

Download Submit
memory/1204-27-0x00000000613C0000-0x00000000613E2000-memory.dmp

Filesize
136KB

Download
memory/1268-47-0x00000000613C0000-0x00000000613E2000-memory.dmp

Filesize
136KB

Download
memory/3596-4-0x0000000000400000-0x000000000059D000-memory.dmp

Filesize
1.6MB

Download
memory/3596-0-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/3596-2-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3596-1-0x0000000002A00000-0x0000000003A00000-memory.dmp

Filesize
16.0MB

Download
memory/3760-29-0x0000020155A60000-0x0000020155A82000-memory.dmp

Filesize
136KB

Download
memory/3760-39-0x00007FFCAEF50000-0x00007FFCAFA11000-memory.dmp

Filesize
10.8MB

Download
memory/3760-40-0x0000020155B40000-0x0000020155B50000-memory.dmp

Filesize
64KB

Download
memory/3760-43-0x00007FFCAEF50000-0x00007FFCAFA11000-memory.dmp

Filesize
10.8MB

Download
memory/4432-55-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-83-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-53-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-54-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-51-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-56-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-59-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-60-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-48-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-67-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-68-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-75-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-76-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-52-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-84-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-91-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-92-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-99-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-100-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-107-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-108-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-115-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-116-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-123-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download
memory/4432-124-0x0000000001090000-0x0000000002090000-memory.dmp

Filesize
16.0MB

Download