Overview

overview

10

Static

static

8

955b129de1...55.exe

windows7-x64

10

955b129de1...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    182s
  • max time network
    207s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 23:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    955b129de18dc8aa8cadddc64931977214c8f0315e061325a50c671cf4ea6a55.exe

  • Size

    108KB

  • MD5

    54935b927972df9fbc9a8e880fb62fad

  • SHA1

    695416fa4ed2c2152845280d80443e8eb8151005

  • SHA256

    955b129de18dc8aa8cadddc64931977214c8f0315e061325a50c671cf4ea6a55

  • SHA512

    ca9541428c229cf8b7a67ef4158bcb7d694715e346f66f74f694105be79035d77a2fd9e8758284890235a4d8192e3c101b47f574872705dc5c76def4cd282e7d

  • SSDEEP

    1536:5VuNAXTj4Fj/91/NnLZqeWEPVpa8DzePjkgcwYS7S5+Vfk09+2oUZ7vunouy8:3oy8j7VnNdrPHaSekwi+mW+2NZ7Gout

Score
10/10
modiloaderevasionpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 4 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\955b129de18dc8aa8cadddc64931977214c8f0315e061325a50c671cf4ea6a55.exe
    "C:\Users\Admin\AppData\Local\Temp\955b129de18dc8aa8cadddc64931977214c8f0315e061325a50c671cf4ea6a55.exe"
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:832
    • C:\Windows\mstwain32.exe
      "C:\Windows\mstwain32.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1240

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mstwain32.exe
    Filesize

    108KB

    MD5

    54935b927972df9fbc9a8e880fb62fad

    SHA1

    695416fa4ed2c2152845280d80443e8eb8151005

    SHA256

    955b129de18dc8aa8cadddc64931977214c8f0315e061325a50c671cf4ea6a55

    SHA512

    ca9541428c229cf8b7a67ef4158bcb7d694715e346f66f74f694105be79035d77a2fd9e8758284890235a4d8192e3c101b47f574872705dc5c76def4cd282e7d

    Download Submit

  • memory/832-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/832-55-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/832-59-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1240-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1240-60-0x0000000001DA0000-0x0000000001DAE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1240-61-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1240-62-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

    Download