Analysis
max time kernel: 310s
max time network: 359s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 02:09
Static task: static1
Behavioral task: behavioral1
  Sample: b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe
  Resource: win10v2004-20221111-en
General
Target: b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe
Size: 35KB
MD5: bd93249784028828869b896537e5340b
SHA1: 0bae5593a4aefae0155baeb1126e6089f1107bb9
SHA256: b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161
SHA512: f397ddc26f5c4f767ac3cd2b0b0180f39628cefd1bb212517656743497848602b25f603895ba77750942b6537c825b72b358e3f7088eb15f4c68142c2ba7d5db
SSDEEP: 768:p11ZCrVD1tuLAXGX2g0ClGe65c+azbKUKrxLiZEK8hKuuTYe0IRu:X2VZMkXGn8XcUxeZEK8UxVRu
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3984-136-0x0000000002020000-0x000000000203F000-memory.dmp  modiloader_stage2
behavioral2/memory/3984-137-0x0000000002020000-0x000000000203F000-memory.dmp  modiloader_stage2

Loads dropped DLL (2 IoCs)
pid   process
3984  b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe
3984  b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe

Drops file in Program Files directory (1 IoC)
description   ioc                                                                process
File created  C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll  b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   process
3984  b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe  (8 identical rows)

Suspicious use of SetWindowsHookEx (1 IoC)
pid   process
3984  b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll
  Filesize: 25KB
  MD5: 40289d66b14c54bed03c247de8b95c6e
  SHA1: ce659b37442d7276a9f877ec7562a865d2814405
  SHA256: da1d80941092ccc970727b5e4feb84e2a67aa47efb9a1a595cf1a9a525c47b61
  SHA512: 6e12b1897873da86144bcad1d11a3c137aca434e43daa31b07a203469b21d218a3e06b6a6735f9fe30addaa357583985d44c58900a27d2ea379891eada4e7dfa
memory/3984-132-0x0000000000400000-0x0000000000425000-memory.dmp
  Filesize: 148KB
memory/3984-135-0x0000000002020000-0x000000000203F000-memory.dmp
  Filesize: 124KB
memory/3984-136-0x0000000002020000-0x000000000203F000-memory.dmp
  Filesize: 124KB
memory/3984-137-0x0000000002020000-0x000000000203F000-memory.dmp
  Filesize: 124KB
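Added example (not part of the Triage report and not code from any ModiLoader analysis): a Python hunt script that takes the digests and the drop path listed above as its indicator set and checks two things a responder would actually want, (a) file digests on disk, hashed in chunks so large files are not read whole, and (b) Sysmon-style file-create events against the drop path, with case normalised because NTFS paths are case-insensitive (the report itself prints the same drop path as `Microsoft Shared\MSINFO` and `microsoft shared\MSInfo`). The Sysmon field name `TargetFilename` (Event ID 11) is real; the event records and the files planted by `demo_scan()` are constructed for the example.

```python
"""Hunt for the indicators in this report on disk or in file-create logs.

Added example; not part of the Triage report. The digests and drop path are
copied from the report. Everything else (events, demo files) is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import PureWindowsPath

HASH_ALGOS = ("md5", "sha1", "sha256")

# Sample and dropped DLL digests, from the General and Downloads sections.
IOC_HASHES = {
    "md5": {
        "bd93249784028828869b896537e5340b",  # sample .exe
        "40289d66b14c54bed03c247de8b95c6e",  # atmQQ2.dll
    },
    "sha1": {
        "0bae5593a4aefae0155baeb1126e6089f1107bb9",
        "ce659b37442d7276a9f877ec7562a865d2814405",
    },
    "sha256": {
        "b0a30508d2032142c808163fc761803290c38155d326d46263a195d5e9553161",
        "da1d80941092ccc970727b5e4feb84e2a67aa47efb9a1a595cf1a9a525c47b61",
    },
}
# Drop location from the "Drops file in Program Files directory" signature.
IOC_PATHS = {r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\atmQQ2.dll"}


def hash_bytes(data):
    """md5/sha1/sha256 hex digests of an in-memory buffer."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_ALGOS}


def hash_file(path):
    """Same digests for a file, read in 1 MiB chunks so file size does not matter."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def matching_algos(hashes, iocs=IOC_HASHES):
    """Algorithms whose digest ties these hashes to an indicator ([] if none).
    Compared case-insensitively: reports and log sources differ in hex case."""
    return [a for a in HASH_ALGOS if hashes.get(a, "").lower() in iocs.get(a, set())]


def normalize_win_path(path):
    """NTFS is case-insensitive; fold case (and slashes) before comparing."""
    return str(PureWindowsPath(path)).lower()


IOC_PATHS_NORM = {normalize_win_path(p) for p in IOC_PATHS}


def match_file_events(events):
    """Keep Sysmon Event ID 11 (FileCreate) records whose TargetFilename is an
    indicator path. Events are plain dicts keyed by Sysmon's field names."""
    return [e for e in events
            if normalize_win_path(e.get("TargetFilename", "")) in IOC_PATHS_NORM]


def scan_tree(root, iocs=IOC_HASHES):
    """Walk root and return sorted (path, [algos]) for files matching an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                algos = matching_algos(hash_file(full), iocs)
            except OSError:  # locked or unreadable file: skip, do not abort the hunt
                continue
            if algos:
                hits.append((full, algos))
    return sorted(hits)


def demo_scan():
    """Constructed end-to-end check: plant a file, then hunt for it by digest.
    Returns [(basename, algos)] so the result does not depend on the temp path."""
    planted = b"constructed payload, stands in for atmQQ2.dll"
    iocs = {a: {d} for a, d in hash_bytes(planted).items()}
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "benign.txt"), "wb") as fh:
            fh.write(b"nothing to see here")
        os.makedirs(os.path.join(root, "MSInfo"))
        with open(os.path.join(root, "MSInfo", "atmQQ2.dll"), "wb") as fh:
            fh.write(planted)
        return [(os.path.basename(p), algos) for p, algos in scan_tree(root, iocs)]


if __name__ == "__main__":
    # Constructed file-create events; only the drop-path record should match.
    events = [
        {"EventID": 11, "TargetFilename": r"C:\Program Files\Common Files\microsoft shared\MSInfo\atmQQ2.dll"},
        {"EventID": 11, "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\~DF1234.tmp"},
    ]
    print("drop-path hits:", match_file_events(events))
    print("digest hits in demo tree:", demo_scan())
```

A path hit on its own is weak evidence (any installer may write under Common Files\microsoft shared), so treat the drop path as a pivot and confirm with the digest; a digest hit on the DLL or the sample is conclusive for this exact build, but a repacked sample will miss it, which is what the SSDEEP value in the General section is for.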