Overview

overview

10

Static

static

45f574d1e3...93.exe

windows7-x64

10

45f574d1e3...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    207s
  • max time network
    213s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 04:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe

  • Size

    105KB

  • MD5

    bd25ce7ece2c47e45a2d01226468168f

  • SHA1

    674bc4ddef288ca92c372e0ecffb5d6a33750ce0

  • SHA256

    45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293

  • SHA512

    8e8a87123a07637a56af4f3655dea168df1345e19907fc777ef8607616510c90cdedac801ff74459a9374231f48cc8040ad4ba4497f0174d4fa51b416ed9efaf

  • SSDEEP

    3072:54sWwNhVHA6b5qu8G/57hUmN91+9QVyCbqur:gMg6b5quN7eQ9Y9QvZ

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 11 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe
    "C:\Users\Admin\AppData\Local\Temp\45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Users\Admin\AppData\Local\Temp\45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe
      "C:\Users\Admin\AppData\Local\Temp\45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe"
      2⤵
        PID:2260
      • C:\Users\Admin\AppData\Local\Temp\45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe
        "C:\Users\Admin\AppData\Local\Temp\45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4472
        • C:\Users\Admin\AppData\Roaming\AdobeART.exe
          "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:504
          • C:\Users\Admin\AppData\Roaming\AdobeART.exe
            "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
            4⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:2068

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\AdobeART.exe
      Filesize

      105KB

      MD5

      bd25ce7ece2c47e45a2d01226468168f

      SHA1

      674bc4ddef288ca92c372e0ecffb5d6a33750ce0

      SHA256

      45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293

      SHA512

      8e8a87123a07637a56af4f3655dea168df1345e19907fc777ef8607616510c90cdedac801ff74459a9374231f48cc8040ad4ba4497f0174d4fa51b416ed9efaf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AdobeART.exe
      Filesize

      105KB

      MD5

      bd25ce7ece2c47e45a2d01226468168f

      SHA1

      674bc4ddef288ca92c372e0ecffb5d6a33750ce0

      SHA256

      45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293

      SHA512

      8e8a87123a07637a56af4f3655dea168df1345e19907fc777ef8607616510c90cdedac801ff74459a9374231f48cc8040ad4ba4497f0174d4fa51b416ed9efaf

      Download Submit

    • C:\Users\Admin\AppData\Roaming\AdobeART.exe
      Filesize

      105KB

      MD5

      bd25ce7ece2c47e45a2d01226468168f

      SHA1

      674bc4ddef288ca92c372e0ecffb5d6a33750ce0

      SHA256

      45f574d1e3ad9bcd0eaa65565723fb4ce074374b89ebc01e7b231e1ceaf28293

      SHA512

      8e8a87123a07637a56af4f3655dea168df1345e19907fc777ef8607616510c90cdedac801ff74459a9374231f48cc8040ad4ba4497f0174d4fa51b416ed9efaf

      Download Submit

    • memory/504-147-0x0000000000000000-mapping.dmp

      Download

    • memory/504-164-0x0000000073600000-0x0000000073BB1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/504-150-0x0000000073600000-0x0000000073BB1000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2068-163-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2068-162-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/2068-151-0x0000000000000000-mapping.dmp

      Download

    • memory/3876-145-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3876-132-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/3876-133-0x0000000074650000-0x0000000074C01000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/4472-146-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-144-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-142-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-141-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-140-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-138-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-136-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-135-0x0000000000400000-0x0000000000411000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4472-134-0x0000000000000000-mapping.dmp

      Download