Analysis
-
max time kernel
94s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
31-07-2022 08:44
General
-
Target
6a7094256c550e2b09363147e579f221637dc311ca29bfc4e7afc7c5e5847dba.exe
-
Size
1.6MB
-
MD5
189d808e63b0cab773bf93e2d223aa1e
-
SHA1
ba8ae355509c8c73cd53e32d09f3b756a9876884
-
SHA256
6a7094256c550e2b09363147e579f221637dc311ca29bfc4e7afc7c5e5847dba
-
SHA512
5cd92c6f1675b6ecafc8cb713625aeca66576b368cadb186c95f283e676b1bda8e328c1d40d307e7049280b47d831413d5153cefb55b6096012c59af564e3642
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a7094256c550e2b09363147e579f221637dc311ca29bfc4e7afc7c5e5847dba.exe"C:\Users\Admin\AppData\Local\Temp\6a7094256c550e2b09363147e579f221637dc311ca29bfc4e7afc7c5e5847dba.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Cache.exeC:\Users\Admin\AppData\Local\Cache.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\ctfmon.exectfmon.exe3⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\logagent.exelogagent.exe4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 805⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3104 -ip 31041⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Cache.exeFilesize
413KB
MD5c6db6ae46411c10036f472634524d56e
SHA1edea43634f29770ae45806a3784c92d936cb39d0
SHA2565d383909ae9cb8cd0cd947c6dd7c1b4efa4c6ee390ac205c796ee659c7846261
SHA512b898f47b688f51f36ef6eb49b9d84abcac7c72beacf5eba61a53f8d1e9173bf3180917538826fac52bcecedf075fe56052f0f5658b757048f8e957eb675c54ec
-
C:\Users\Admin\AppData\Local\Cache.exeFilesize
413KB
MD5c6db6ae46411c10036f472634524d56e
SHA1edea43634f29770ae45806a3784c92d936cb39d0
SHA2565d383909ae9cb8cd0cd947c6dd7c1b4efa4c6ee390ac205c796ee659c7846261
SHA512b898f47b688f51f36ef6eb49b9d84abcac7c72beacf5eba61a53f8d1e9173bf3180917538826fac52bcecedf075fe56052f0f5658b757048f8e957eb675c54ec
-
C:\Users\Admin\AppData\Local\Tm.bmpFilesize
690KB
MD5b18c102b88890dec91896b5a591bd59d
SHA19cd180e2d83f72013d4be79dc0f59abbb33ec159
SHA256fabc7103396904bd7d967c81ffea1218c1cc7adf5bc33d7ff29fdcbc206bb0f2
SHA51214a1fe14b825cd7c8bf230a6aeb5bc74d9738ab2cbe715e8dcd0056a12a19184c0b636f80d699d465989372b0dbcd1a3905a49c218dd96170c79a09c2f4567d1
-
memory/1408-149-0x0000000020010000-0x00000000200A0000-memory.dmpFilesize
576KB
-
memory/1408-146-0x0000000020010000-0x00000000200A0000-memory.dmpFilesize
576KB
-
memory/1408-139-0x0000000000000000-mapping.dmp
-
memory/3104-147-0x0000000000000000-mapping.dmp
-
memory/4060-140-0x0000000020010000-0x00000000200A0000-memory.dmpFilesize
576KB
-
memory/4060-133-0x0000000000000000-mapping.dmp
-
memory/4380-136-0x0000000000400000-0x00000000005DC000-memory.dmpFilesize
1.9MB
-
memory/4380-130-0x0000000000400000-0x00000000005DC000-memory.dmpFilesize
1.9MB
-
memory/4380-132-0x0000000000400000-0x00000000005DC000-memory.dmpFilesize
1.9MB
-
memory/4380-131-0x0000000000400000-0x00000000005DC000-memory.dmpFilesize
1.9MB
