Analysis
- max time kernel: 123s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25-01-2022 09:59
Static task: static1
Behavioral task: behavioral1
- Sample: IMG_3100003664999576400.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2 (this report)
- Sample: IMG_3100003664999576400.exe
- Resource: win10-en-20211208
General
- Target: IMG_3100003664999576400.exe
- Size: 779KB
- MD5: c69fdd6ab6ec38f6caa4254fc0160e2d
- SHA1: a0cc76173c576dc1ce58a81649df71a8165d99ba
- SHA256: 5508d3fe5c41c4dec4a7570f0d60af3b6ba8cb9251ee1eae91e8fc061c3f58ef
- SHA512: e31064aea87cbaa59f89f8b0bfc5d6a7b7474771f17354223e9b11e4c600558345f2a3ae371ee7d223773d87237ea0a932db8a6993dadb868977c726bb795c75
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (7 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3408-117-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  behavioral2/memory/3408-173-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  behavioral2/memory/3408-174-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  behavioral2/memory/3408-175-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  behavioral2/memory/3408-176-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  behavioral2/memory/3408-177-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  behavioral2/memory/3408-178-0x0000000002340000-0x000000000235B000-memory.dmp | modiloader_stage1
  All seven hits are dumps of the same 108KB region (0x2340000-0x235B000) of the sample's own process, PID 3408; the dumps are listed under Downloads.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lvughbdemq = "C:\\Users\\Admin\\Contacts\\qmedbhguvL.url" | IMG_3100003664999576400.exe
  The autostart target is a .url shortcut dropped in the user's Contacts folder rather than an executable, so a hunt for Run values that point at non-binary files in the user profile would surface it.
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  1204 | 856 | WerFault.exe | logagent.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  1204 | WerFault.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 1204 | WerFault.exe
  Token: SeBackupPrivilege | 1204 | WerFault.exe
  Token: SeDebugPrivilege | 1204 | WerFault.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description | pid | process | target process
  PID 3408 wrote to memory of 856 | 3408 | IMG_3100003664999576400.exe | logagent.exe (14 identical entries)
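The two behaviours above that matter for detection are the Run value pointing at a .url file in the user profile and the sample writing into a freshly spawned Windows binary (logagent.exe, PID 856) that then crashes into WerFault. The script below is an added example, not part of the sandbox report: it runs that logic over a hand-constructed list of Sysmon-style events (IDs 1, 10 and 13) built from the PIDs, paths and Run value shown on this page. The GrantedAccess values, the parent PID of the sample and the benign OneDrive Run entry are assumptions added for the example; they are not from the report.

```python
"""Flag the persistence and injection pattern from the report above.

Added example, not part of the sandbox report. EVENTS is constructed by hand
from the page's IoCs using Sysmon field names; it is not captured telemetry.
"""
import json
import re

PROCESS_CREATE, PROCESS_ACCESS, REGISTRY_SET = 1, 10, 13

# A value directly under ...\CurrentVersion\Run or RunOnce; group 2 is the value name
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
# Autostart targets that are shortcuts/scripts rather than installed binaries
SCRIPT_LIKE_EXT = (".url", ".lnk", ".vbs", ".js", ".hta", ".bat", ".cmd")
USER_WRITABLE_RE = re.compile(r"^c:\\(users|programdata)\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
# Access rights needed to write another process's memory (winnt.h)
PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0008, 0x0020
WERFAULT_PID_RE = re.compile(r"\s-p\s+(\d+)\b")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\IMG_3100003664999576400.exe"
LOGAGENT = r"C:\Windows\SysWOW64\logagent.exe"
SID = "S-1-5-21-369956170-74428499-1628131376-1000"

# Constructed events: PIDs, images and the Run value mirror the report;
# GrantedAccess (assumed PROCESS_ALL_ACCESS), parent PID 2100 and the OneDrive entry are invented.
EVENTS = [
    {"EventID": PROCESS_CREATE, "ProcessId": 3408, "ParentProcessId": 2100,
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": REGISTRY_SET, "EventType": "SetValue", "ProcessId": 3408, "Image": SAMPLE,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\Lvughbdemq",
     "Details": r"C:\Users\Admin\Contacts\qmedbhguvL.url"},
    {"EventID": REGISTRY_SET, "EventType": "SetValue", "ProcessId": 4012,
     "Image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": PROCESS_CREATE, "ProcessId": 856, "ParentProcessId": 3408,
     "Image": LOGAGENT, "CommandLine": r"C:\Windows\System32\logagent.exe"},
] + [
    {"EventID": PROCESS_ACCESS, "SourceProcessId": 3408, "TargetProcessId": 856,
     "SourceImage": SAMPLE, "TargetImage": LOGAGENT, "GrantedAccess": "0x1FFFFF"}
] * 3 + [
    {"EventID": PROCESS_CREATE, "ProcessId": 1204, "ParentProcessId": 856,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 352"},
]


def flag_autorun(ev):
    """Return a hit dict when a Run/RunOnce value is set to a script-like file
    under a user-writable directory, else None."""
    if ev["EventID"] != REGISTRY_SET or ev.get("EventType") != "SetValue":
        return None
    m = RUN_KEY_RE.search(ev["TargetObject"])
    if not m:
        return None
    target = ev.get("Details", "").strip().strip('"')
    if target.lower().endswith(SCRIPT_LIKE_EXT) and USER_WRITABLE_RE.match(target):
        return {"pid": ev["ProcessId"], "writer": ev["Image"],
                "value": m.group(2), "target": target}
    return None


def crashed_pids(events):
    """PIDs for which WerFault.exe was launched with -p <pid>, i.e. that crashed."""
    pids = set()
    for ev in events:
        if ev["EventID"] == PROCESS_CREATE and ev["Image"].lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(ev["CommandLine"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def find_injections(events):
    """Cross-process writes from a non-system image into a system binary,
    annotated with whether that target later crashed (the logagent.exe pattern)."""
    crashed = crashed_pids(events)
    hits, seen = [], set()
    for ev in events:
        if ev["EventID"] != PROCESS_ACCESS:
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not (granted & PROCESS_VM_WRITE and granted & PROCESS_VM_OPERATION):
            continue
        if SYSTEM_DIR_RE.match(ev["SourceImage"]) or not SYSTEM_DIR_RE.match(ev["TargetImage"]):
            continue
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if key in seen:
            continue  # the sandbox logged 14 identical writes; report the pair once
        seen.add(key)
        hits.append({"source_pid": key[0], "source_image": ev["SourceImage"],
                     "target_pid": key[1], "target_image": ev["TargetImage"],
                     "target_crashed": key[1] in crashed})
    return hits


def triage(events):
    """Summarise persistence and injection findings for a batch of events."""
    return {"autorun": [h for h in map(flag_autorun, events) if h],
            "injections": find_injections(events)}


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

The OneDrive entry is there as a negative case: it lives in the user profile too, but its target is an .exe, so the autorun check stays quiet and the rule keys on the file type rather than the directory alone. Deduplicating on (source, target) matters in practice because one injection produces many ProcessAccess events, as the 14 identical WriteProcessMemory rows above show.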
Processes
1. C:\Users\Admin\AppData\Local\Temp\IMG_3100003664999576400.exe (PID 3408)
   command line: "C:\Users\Admin\AppData\Local\Temp\IMG_3100003664999576400.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\logagent.exe (PID 856)
      command line: C:\Windows\System32\logagent.exe (the System32 path resolves to SysWOW64 under WOW64 file-system redirection, as expected for a 32-bit parent)
      3. C:\Windows\SysWOW64\WerFault.exe (PID 1204)
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 352 (Windows Error Reporting for the crashed logagent.exe, PID 856)
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/856-225-0x0000000000630000-0x0000000000631000-memory.dmp (4KB)
- memory/856-226-0x0000000000690000-0x0000000000691000-memory.dmp (4KB)
- memory/856-227-0x0000000000370000-0x0000000000371000-memory.dmp (4KB)
- memory/3408-115-0x0000000002210000-0x0000000002211000-memory.dmp (4KB)
- memory/3408-117-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)
- memory/3408-173-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)
- memory/3408-174-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)
- memory/3408-175-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)
- memory/3408-176-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)
- memory/3408-177-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)
- memory/3408-178-0x0000000002340000-0x000000000235B000-memory.dmp (108KB)