Overview

overview

10

Static

static

10

e477a80970...80.exe

windows7-x64

10

e477a80970...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2022 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e477a8097003204eb7f070ee081fdf996ad7239e4468b4a6bfc13abd36a4cd80.exe

  • Size

    1.8MB

  • MD5

    2ede29b32d18267e6a736be17d4f4664

  • SHA1

    43673541f114e5071145932886e69266f0f3f166

  • SHA256

    e477a8097003204eb7f070ee081fdf996ad7239e4468b4a6bfc13abd36a4cd80

  • SHA512

    6af657c000f19f0ab3b47fcffe2e1e80cb5bf55cb5096a2ad467e4a2eb2f6ac5398b9b57747e098d1331d46bcc6282786cc3804976bce0838ae837ec0fbed63d

  • SSDEEP

    49152:AoQU9Z5Y4+YSembcj3jjTcDuNML851cM9whEWby9o1Kx0J7w:AoQU9Z64+YFmb03jju0ML8ncMmGWbyqY

Score
10/10
modiloaderpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 4 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e477a8097003204eb7f070ee081fdf996ad7239e4468b4a6bfc13abd36a4cd80.exe
    "C:\Users\Admin\AppData\Local\Temp\e477a8097003204eb7f070ee081fdf996ad7239e4468b4a6bfc13abd36a4cd80.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Windows\msnmsgr.exe
      "C:\Windows\msnmsgr.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\ldapi32.exe
        C:\Windows\system32\ldapi32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1488

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\ldapi32.exe
    Filesize

    20KB

    MD5

    92acb5d55bc589ea424d174b31f76686

    SHA1

    1f9f023b1ae0b1be5c397fe103ac520b371fbd6b

    SHA256

    3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4

    SHA512

    e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e

    Download Submit

  • C:\Windows\msnmsgr.exe
    Filesize

    315KB

    MD5

    6997ab8f74fb80dfec93b6bd6a8dfab5

    SHA1

    0ff3955239cf3ca07d51d2a0f9c0a14e8b2106dc

    SHA256

    c9cb053d8080fe35cb334d85e3a3f855910ec1c46331db9077f0980f74e516c6

    SHA512

    71529d83cb5ed57b231512e355115cd766eacfa1331ea041dc4cb85c5c468df57231d6755a88c630c070ad354b7e6825af22aee518910bd05935b3c4a2edc8bc

    Download Submit

  • \Windows\SysWOW64\ldapi32.exe
    Filesize

    20KB

    MD5

    92acb5d55bc589ea424d174b31f76686

    SHA1

    1f9f023b1ae0b1be5c397fe103ac520b371fbd6b

    SHA256

    3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4

    SHA512

    e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e

    Download Submit

  • \Windows\SysWOW64\ldapi32.exe
    Filesize

    20KB

    MD5

    92acb5d55bc589ea424d174b31f76686

    SHA1

    1f9f023b1ae0b1be5c397fe103ac520b371fbd6b

    SHA256

    3bea383242a4439634618a86993c8e70c43cb8810e5324f3f9c6b9cbe7b3ead4

    SHA512

    e89ea8bf0b6c2bd11072a5d455e67b2b8470292dfb8382a3bfb5da4a409b86390a62f448e7cdd496f286b1ac4097436efd83e886ae5b45accda6da7dc4d9938e

    Download Submit

  • \Windows\SysWOW64\ntswrl32.dll
    Filesize

    11KB

    MD5

    638f5a55fb714b6039ae0ace0ee70e44

    SHA1

    7b47cdf023822722b3b81e936cb16fbecb00babc

    SHA256

    7d671074387a6885c5a4815165242720be442689e276cf64cc376da49080bb1f

    SHA512

    68f8fb741566d9e4cb2a420a3fe179db59b29f9ab5f9aee7fd5312e1e7f0991b4d1491b2e557374ca7c4f3aee8948201721408601f68f9f86d36a4df5947e357

    Download Submit

  • \Windows\SysWOW64\ntswrl32.dll
    Filesize

    11KB

    MD5

    638f5a55fb714b6039ae0ace0ee70e44

    SHA1

    7b47cdf023822722b3b81e936cb16fbecb00babc

    SHA256

    7d671074387a6885c5a4815165242720be442689e276cf64cc376da49080bb1f

    SHA512

    68f8fb741566d9e4cb2a420a3fe179db59b29f9ab5f9aee7fd5312e1e7f0991b4d1491b2e557374ca7c4f3aee8948201721408601f68f9f86d36a4df5947e357

    Download Submit

  • memory/932-56-0x0000000000000000-mapping.dmp

    Download

  • memory/932-65-0x0000000000400000-0x00000000005BD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/932-66-0x0000000000400000-0x00000000005BD000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1488-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1780-59-0x0000000000400000-0x000000000054A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1780-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1780-55-0x0000000000400000-0x000000000054A000-memory.dmp

    Filesize

    1.3MB

    Download