modiloader | 207470c31aebb98487d019c4ca219f77be687bca6c704321066f6b6f31c58d25

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factura.exe
Size

1.4MB
MD5

b7ae27c0f9ebaa19934b75ed05cea094
SHA1

4f8be01c46092555a8fe4871e40733b6f29c4c70
SHA256

c84953278a17d52f97efb2a10403d81e4f16e98dab2b4025d7049445e566e893
SHA512

e7585276448216bdd78f136f942d7027b394fdcaf26e655d7672d09254785cb6e457363b475607c810ad956b18af7a7539896e1e4179d11974097f3ebee889de
SSDEEP

24576:X/yPbQ/8GreJLDAvcFz7Q0U3VgAA2gUf3THW09jY86VxOsF:XYuUR7wg0gUf3Dtw

Score

10^/10

modiloader remcos anyanwu dollar discovery persistence rat trojan

Malware Config

Extracted

Family

remcos

Botnet

ANYANWU DOLLAR

ezeanyanwu.duckdns.org:1941

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1PA65J
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral5/memory/2244-2-0x00000000032D0000-0x00000000042D0000-memory.dmp	modiloader_stage2

Executes dropped EXE 9 IoCs

pid	Process
2568	alpha.pif
2764	alpha.pif
1880	alpha.pif
2708	xpha.pif
3028	per.exe
1468	per.exe
2356	alpha.pif
2060	alpha.pif
1208	alpha.pif

Loads dropped DLL 2 IoCs

pid	Process
2800	cmd.exe
1880	alpha.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sidoowcu = "C:\\Users\\Public\\Sidoowcu.url"	Factura.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
5	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factura.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SndVol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alpha.pif

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2196	esentutl.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2244	Factura.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
912	SndVol.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
912	SndVol.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
912	SndVol.exe
912	SndVol.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2800	2244	Factura.exe	31
PID 2244 wrote to memory of 2800	2244	Factura.exe	31
PID 2244 wrote to memory of 2800	2244	Factura.exe	31
PID 2244 wrote to memory of 2800	2244	Factura.exe	31
PID 2800 wrote to memory of 2920	2800	cmd.exe	33
PID 2800 wrote to memory of 2920	2800	cmd.exe	33
PID 2800 wrote to memory of 2920	2800	cmd.exe	33
PID 2800 wrote to memory of 2920	2800	cmd.exe	33
PID 2800 wrote to memory of 2196	2800	cmd.exe	34
PID 2800 wrote to memory of 2196	2800	cmd.exe	34
PID 2800 wrote to memory of 2196	2800	cmd.exe	34
PID 2800 wrote to memory of 2196	2800	cmd.exe	34
PID 2800 wrote to memory of 2568	2800	cmd.exe	35
PID 2800 wrote to memory of 2568	2800	cmd.exe	35
PID 2800 wrote to memory of 2568	2800	cmd.exe	35
PID 2800 wrote to memory of 2568	2800	cmd.exe	35
PID 2800 wrote to memory of 2764	2800	cmd.exe	36
PID 2800 wrote to memory of 2764	2800	cmd.exe	36
PID 2800 wrote to memory of 2764	2800	cmd.exe	36
PID 2800 wrote to memory of 2764	2800	cmd.exe	36
PID 2800 wrote to memory of 1880	2800	cmd.exe	37
PID 2800 wrote to memory of 1880	2800	cmd.exe	37
PID 2800 wrote to memory of 1880	2800	cmd.exe	37
PID 2800 wrote to memory of 1880	2800	cmd.exe	37
PID 1880 wrote to memory of 2708	1880	alpha.pif	38
PID 1880 wrote to memory of 2708	1880	alpha.pif	38
PID 1880 wrote to memory of 2708	1880	alpha.pif	38
PID 1880 wrote to memory of 2708	1880	alpha.pif	38
PID 2800 wrote to memory of 2356	2800	cmd.exe	41
PID 2800 wrote to memory of 2356	2800	cmd.exe	41
PID 2800 wrote to memory of 2356	2800	cmd.exe	41
PID 2800 wrote to memory of 2356	2800	cmd.exe	41
PID 2800 wrote to memory of 2060	2800	cmd.exe	42
PID 2800 wrote to memory of 2060	2800	cmd.exe	42
PID 2800 wrote to memory of 2060	2800	cmd.exe	42
PID 2800 wrote to memory of 2060	2800	cmd.exe	42
PID 2800 wrote to memory of 1208	2800	cmd.exe	43
PID 2800 wrote to memory of 1208	2800	cmd.exe	43
PID 2800 wrote to memory of 1208	2800	cmd.exe	43
PID 2800 wrote to memory of 1208	2800	cmd.exe	43
PID 2244 wrote to memory of 2508	2244	Factura.exe	44
PID 2244 wrote to memory of 2508	2244	Factura.exe	44
PID 2244 wrote to memory of 2508	2244	Factura.exe	44
PID 2244 wrote to memory of 2508	2244	Factura.exe	44
PID 2244 wrote to memory of 912	2244	Factura.exe	46
PID 2244 wrote to memory of 912	2244	Factura.exe	46
PID 2244 wrote to memory of 912	2244	Factura.exe	46
PID 2244 wrote to memory of 912	2244	Factura.exe	46
PID 2244 wrote to memory of 912	2244	Factura.exe	46

C:\Users\Admin\AppData\Local\Temp\Factura.exe
"C:\Users\Admin\AppData\Local\Temp\Factura.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Public\Libraries\ucwoodiS.cmd" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\esentutl.exe
    C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2196
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2568
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Public\xpha.pif
      C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2708
- - C:\Windows \SysWOW64\per.exe
    "C:\\Windows \\SysWOW64\\per.exe
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Windows \SysWOW64\per.exe
    "C:\Windows \SysWOW64\per.exe"
    3⤵
    - Executes dropped EXE
    PID:1468
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2356
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2060
- - C:\Users\Public\alpha.pif
    C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1208
- C:\Windows\SysWOW64\esentutl.exe
  C:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\Factura.exe /d C:\\Users\\Public\\Libraries\\Sidoowcu.PIF /o
  2⤵
  PID:2508
- C:\Windows\SysWOW64\SndVol.exe
  C:\Windows\System32\SndVol.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
224B

MD5
32bbe9575efe80b04d8fafffb1e510d1

SHA1
129e0c3b67e78218d9eacaef627bfe561b1d679f

SHA256
c79776b3a16187386f5c65b1f544c29993a2395842506549262a99730cc4617f

SHA512
5350f4acc8178a956760de57a076dc3f804c9aa7a26a1b4122d1e2432b2a4f73520ff44d8b8a0037658f884f9cfd9e27f7f8609ca6c1dffd2836729e1977d1eb

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a233780df072c78682bb23082bc0a7e9

SHA1
ca4ad38c806812b875581ce3fa7b58c13b80baa3

SHA256
edb7caff4b87454cedc3ff4d9f37b9dae3c4e551048a71eb9dcb4c247f9620d9

SHA512
bfc740aa8ef643914de65fbd501552145e3936de959fad20d2c42e66847dc9507d7493cd866499b02e2872a2b2f4b7da8e135d78823e0c6718152cd181c97806

Download Submit
C:\Users\Public\Libraries\ucwoodiS.cmd

Filesize
60KB

MD5
b87f096cbc25570329e2bb59fee57580

SHA1
d281d1bf37b4fb46f90973afc65eece3908532b2

SHA256
d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e

SHA512
72901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7

Download Submit
C:\Users\Public\xpha.pif

Filesize
15KB

MD5
6242e3d67787ccbf4e06ad2982853144

SHA1
6ac7947207d999a65890ab25fe344955da35028e

SHA256
4ca10dba7ff487fdb3f1362a3681d7d929f5aa1262cdfd31b04c30826983fb1d

SHA512
7d0d457e1537d624119a8023bcc086575696a5739c0460ef11554afac13af5e5d1edc7629a10e62834aba9f1b3ab1442011b15b4c3930399d91dca34b3b1cbaf

Download Submit
C:\Windows \SysWOW64\per.exe

Filesize
94KB

MD5
869640d0a3f838694ab4dfea9e2f544d

SHA1
bdc42b280446ba53624ff23f314aadb861566832

SHA256
0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

SHA512
6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Download Submit
\Users\Public\alpha.pif

Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
memory/912-90-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-94-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-72-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-71-0x00000000032A0000-0x00000000042A0000-memory.dmp

Filesize
16.0MB

Download
memory/912-75-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-77-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-78-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-81-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-80-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-79-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-84-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-121-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-120-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-91-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-93-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-118-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-95-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-96-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-101-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-102-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-104-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-105-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-107-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-109-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-110-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-111-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-112-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/912-115-0x000000001E4F0000-0x000000001E56F000-memory.dmp

Filesize
508KB

Download
memory/2244-4-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2244-2-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download
memory/2244-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2244-1-0x00000000032D0000-0x00000000042D0000-memory.dmp

Filesize
16.0MB

Download