Overview

overview

10

Static

static

10

136633e5ae...d0.exe

windows7-x64

10

136633e5ae...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2022 09:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    136633e5ae4f13410bac27584c3108d0.exe

  • Size

    37KB

  • MD5

    136633e5ae4f13410bac27584c3108d0

  • SHA1

    58c72d9cc3c79877feb6946da1584e448c8791b6

  • SHA256

    a9ddc02db6ca7df77bc719734f029da5b818604873f0bc7cef9664fdce1e7326

  • SHA512

    7c5267a23b2d9bba779dec3465c76df5e3a89f1f933f9644bccce0245b80b03e08db3639d63b90cb440c7e9f45072eea9d95d4815cf5c62668c5f69b17ca8c83

  • SSDEEP

    384:LalqiU154NLHdayszHtyPpzsobO7krAF+rMRTyN/0L+EcoinblneHQM3epzX1Nr9:u/ZdJszHtyxVOIrM+rMRa8NurVt

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops autorun.inf file 1 TTPs 3 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\136633e5ae4f13410bac27584c3108d0.exe
    "C:\Users\Admin\AppData\Local\Temp\136633e5ae4f13410bac27584c3108d0.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops autorun.inf file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\136633e5ae4f13410bac27584c3108d0.exe" "136633e5ae4f13410bac27584c3108d0.exe" ENABLE
      2⤵
      • Modifies Windows Firewall
      PID:1552
    • C:\Users\Admin\AppData\Local\Temp\tmp198A.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp198A.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:1160
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1
T1091

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp198A.tmp.exe
    Filesize

    397KB

    MD5

    6f701d5889646a339ac4c5e316a46c3d

    SHA1

    9abc968718e4b8949727d403cf0b30313a7eca08

    SHA256

    54659e9800902c3809e5d9474a03ff1b756781b4ba1aad666dfd8bb5976eb7a2

    SHA512

    46864b0e9f6e81d700830a8ce305462098a549a3d962b799b3abd36cdf7594789f4c1b75322e4279f2f36ae3cc4df344ef98b52da945ada38ecab60764f81ba1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp198A.tmp.exe
    Filesize

    397KB

    MD5

    6f701d5889646a339ac4c5e316a46c3d

    SHA1

    9abc968718e4b8949727d403cf0b30313a7eca08

    SHA256

    54659e9800902c3809e5d9474a03ff1b756781b4ba1aad666dfd8bb5976eb7a2

    SHA512

    46864b0e9f6e81d700830a8ce305462098a549a3d962b799b3abd36cdf7594789f4c1b75322e4279f2f36ae3cc4df344ef98b52da945ada38ecab60764f81ba1

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmp198A.tmp.exe
    Filesize

    397KB

    MD5

    6f701d5889646a339ac4c5e316a46c3d

    SHA1

    9abc968718e4b8949727d403cf0b30313a7eca08

    SHA256

    54659e9800902c3809e5d9474a03ff1b756781b4ba1aad666dfd8bb5976eb7a2

    SHA512

    46864b0e9f6e81d700830a8ce305462098a549a3d962b799b3abd36cdf7594789f4c1b75322e4279f2f36ae3cc4df344ef98b52da945ada38ecab60764f81ba1

    Download Submit
  • memory/1160-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1296-64-0x000007FEFB191000-0x000007FEFB193000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1552-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1672-55-0x0000000074170000-0x000000007471B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1672-58-0x0000000074170000-0x000000007471B000-memory.dmp
    Filesize

    5.7MB

    Download