Analysis

  • max time kernel
    77s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 09:34

General

  • Target

    03231262773662516627.exe

  • Size

    767KB

  • MD5

    36bfbbc95d2597b3961e49d25449a5b6

  • SHA1

    39bfe69a283e1a9a3120af9bd9df8851bc12c61b

  • SHA256

    83935adb12e30326b0a1e7c5e835032e0d6814704f199ba2cc486b21d64d21d2

  • SHA512

    1e02abbdec65db90572972dc674df67e726d2b3fe38c045e6da53ea80dcc5bf5205a4062f756f7de5a2929394d88f1e36c706026574b3707f2a502fb6fb03e35

  • SSDEEP

    12288:iOrAkZrlpZxc3NKqgw9ONuRJoo5YqTdTB2O4rwSMpxwhx+g:is3hp4c6/aq5oOqLM2xh

Score
10/10

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://onedrive.live.com/download?cid=E0CF7F9E6AAF27EF&resid=E0CF7F9E6AAF27EF%21818&authkey=AAhEuBv3snM3JmY

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03231262773662516627.exe
    "C:\Users\Admin\AppData\Local\Temp\03231262773662516627.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\Libraries\png.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 600
      2⤵
      • Program crash
      PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Public\Libraries\png.bat
    Filesize

    100B

    MD5

    c385a71887d828b1df961942e68ecfe8

    SHA1

    3f539a56267af3db91be9ac9ea2fd5d803a53279

    SHA256

    bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3

    SHA512

    83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848

  • C:\Users\Public\Libraries\png.ps1
    Filesize

    241B

    MD5

    a5d6c745056fe98da24aab33f21dca2f

    SHA1

    0e600d52140aeaa13934a565b07220e6ddbf7193

    SHA256

    89c4b58d71d35705315a0d51aa8e28e0d8711b528f7401f1e88c4f0b4b908b62

    SHA512

    e7a1d5f3471fe245629488fb15e05279d83f116cead9005ade1ae1884c676b0bac766b8ced97377745a7b09f85a2f9484cde745fd82995a43a940baa21896347

  • memory/652-57-0x0000000000000000-mapping.dmp
  • memory/1092-65-0x0000000000000000-mapping.dmp
  • memory/1276-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
    Filesize

    8KB

  • memory/1276-55-0x0000000000880000-0x00000000008AC000-memory.dmp
    Filesize

    176KB

  • memory/1620-59-0x0000000000000000-mapping.dmp
  • memory/1620-61-0x0000000072DA0000-0x000000007334B000-memory.dmp
    Filesize

    5.7MB

  • memory/1620-63-0x0000000072DA0000-0x000000007334B000-memory.dmp
    Filesize

    5.7MB

  • memory/1620-64-0x0000000072DA0000-0x000000007334B000-memory.dmp
    Filesize

    5.7MB