Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    11-03-2021 07:13

General

  • Target

    0d0dc130f51749ea3e0efad156203217.exe

  • Size

    1.3MB

  • MD5

    0d0dc130f51749ea3e0efad156203217

  • SHA1

    2028c197c019c51e6ee10630dd45414319a677e6

  • SHA256

    620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257

  • SHA512

    718910fd0aa7182d6dd49a63c5d8428fc789b9141a9675cbc2f156c02dc85b00d859f4d49698d9ab1b034ddf40ee68a9aa5a2a254f1eb87d3748b30500557fce

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader First Stage 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d0dc130f51749ea3e0efad156203217.exe
    "C:\Users\Admin\AppData\Local\Temp\0d0dc130f51749ea3e0efad156203217.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c echo NVyGeu
      2⤵
      PID:3704
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Vertigine.aspx
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4316
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^CiOOtpWUMhrxPPgbyQviZQOMazreGAXRAXKmntwbRsqQaiPSdzTfUGVMawcKuThkdjUStPZqOZfIPYxkElMhHHWTwYuvJssYtPmujWNAzTAVdhXxHlyViqEIfqQyIDsbHsEZnhYIvkTOuwC$" Ricordarti.dot
          4⤵
          PID:1932
        • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
          Animatrici.com Piramide.xlam
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4352
          • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
            C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com Piramide.xlam
            5⤵
            • Executes dropped EXE
            • Drops startup file
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:644
            • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
              C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
              6⤵
              • Executes dropped EXE
              • Writes to the Master Boot Record (MBR)
              PID:932
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 30
          4⤵
          • Runs ping.exe
          PID:500

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Bootkit (T1067), 1
  • Credential Access: Credentials in Files (T1081), 1
  • Discovery: System Information Discovery (T1082), 1
  • Discovery: Remote System Discovery (T1018), 1
  • Collection: Data from Local System (T1005), 1


Downloads

  • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Accostarmi.wks
    MD5
    2adab0cae9405b5ce8b471a47d2db583
    SHA1
    8e5d3c144a1a825c0cbefaa4b847b59ccf4b2324
    SHA256
    fccbd5f2d8048c8adad21c24e47e6352f7fae3d849e54a7d49f14d81671bcb89
    SHA512
    8c5010955b306ce299084ac28cb4642117b74ce74c9da818ee0cf2eba4c93c3929e7f5be5ed90f5b109737be3f697962ca5d5782518574f0f44bcacc6494485a

  • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
    MD5
    78ba0653a340bac5ff152b21a83626cc
    SHA1
    b12da9cb5d024555405040e65ad89d16ae749502
    SHA256
    05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
    SHA512
    efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

  • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Piramide.xlam
    MD5
    08c5319c5b5592ec89aeca130ffb5d1c
    SHA1
    dad9bd329aeecf8e2d6d35630cc4cb9b0903959c
    SHA256
    15d9ad9baf9068349940865dda8a4457d5e474d45ec3ada172d13ad7860fce3f
    SHA512
    2a5bdb03d3c275877017bbc79f26bf3a9600a8af7d2b4e6649c072ae6e349d88dacc41ce8e4506b9e0f374f41e83d645b4e9635e39ac4742c857fdd6f5dc26c2

  • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Ricordarti.dot
    MD5
    b8a0e30ebffbcbc2fa56af1cb85b0c93
    SHA1
    f531e920d4a2896ff2b842859a57750173d78ea3
    SHA256
    cbd34a5ef54d0eb45a426be0110ba5ec4adef34da295a20129a60431b97f1fb8
    SHA512
    f1c9c5718735d62e3f8661bc4a8c42182bf6e14ebaa2c02c9cef7e7588dcb63d6433f0d4591fdf8285a188d9bd8bd759f14f918fcce38b3770ef11fa0a0f942f

  • C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Vertigine.aspx
    MD5
    961bb3367e4e04cde3939fd34d9143c7
    SHA1
    bdddbabf55902a19aee7669c97f1822aec52a08e
    SHA256
    8266e80ee1e8c4a0329727e53c3cb79928bd1228b475fe431c9c8a111721bc45
    SHA512
    b97b06a941a5f6a3881bb1e0f1a2e7bae28cbbbae7a2ec64edc71ddef3f015ebfb29c103e3c6861bec0375eb5fbf8fb7577ca0665da70e3c3af2fc59520423df

  • memory/500-11-0x0000000000000000-mapping.dmp
  • memory/644-12-0x0000000000000000-mapping.dmp
  • memory/644-16-0x0000000000870000-0x0000000000871000-memory.dmp
    Filesize
    4KB
  • memory/932-17-0x0000000000170000-0x00000000001CA000-memory.dmp
    Filesize
    360KB
  • memory/932-19-0x0000000000170000-0x00000000001CA000-memory.dmp
    Filesize
    360KB
  • memory/1932-6-0x0000000000000000-mapping.dmp
  • memory/3704-2-0x0000000000000000-mapping.dmp
  • memory/4268-3-0x0000000000000000-mapping.dmp
  • memory/4316-5-0x0000000000000000-mapping.dmp
  • memory/4352-8-0x0000000000000000-mapping.dmp