Overview

overview

10

Static

static

8

ba0ad305e5...55.exe

windows7-x64

10

ba0ad305e5...55.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 09:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55.exe

  • Size

    243KB

  • MD5

    44643696a1c92cad0c89458847d6712d

  • SHA1

    b2d8c4b2dfae4b17b3bdbcf32984da816d6bbbd7

  • SHA256

    ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55

  • SHA512

    f0a81d56c6a6d5cd4c991831ba281b989952a212c247bded6c26616d4365298c9905025bbe6925e4bf851fd119ab05fb8994b5a98a8fd3bdd55453e46b76521f

  • SSDEEP

    6144:ttsH5vwieeDU5kU6qjBq+W8jZ7rvaU3+mW4ZeoSKo:ywiex5khq8jeFzF7ZeoSZ

Score
10/10
modiloaderevasiontrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55.exe
    "C:\Users\Admin\AppData\Local\Temp\ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Local\Temp\IMG0012.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG0012.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1692
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\kub.gif
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:956
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IMG0012.exe
    Filesize

    113KB

    MD5

    849dfc2e717d555679040c40ddbefee4

    SHA1

    e15aca3e1f9036ca94f091340e2cf29d3add4933

    SHA256

    0e07607bf4988792060788b79db2ef4c3f08c822f84d53f94df19bbe4a01a6da

    SHA512

    e92e080e9f81ca601a29bfbc3bbb9fde3ba521fcc7daf952a8d7c0aed09a96c698b79ed8145ec53fe2d8058e11282883295abb9ee3adfaaf468a43b08cb9d309

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\cmsetac.dll
    Filesize

    33KB

    MD5

    49616bec13d584f8e3b7db118a487152

    SHA1

    25311db5ff28d48c9eeb067fb185e8dff0f2e11d

    SHA256

    56f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e

    SHA512

    5deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kub.gif
    Filesize

    121KB

    MD5

    da7c2e72525f7b41163721cad6b7f513

    SHA1

    8f4d787b2de385b731cc8429426c2134b7d2f12a

    SHA256

    925f81f01e3ad300969f10af624febf1ea74a4d8c1a613ab72e9998bd41177d7

    SHA512

    dc35e038473e6c4f7be06cd0b6059551b59826555a9280924ed841959070e2859050a07810c25f70c2458b4160a4da6ee6130471b2742da3d7a3170cbbacebff

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0R9MH6P0.txt
    Filesize

    602B

    MD5

    42e8c3cef67c2f6f3ef0e77ee4cfc988

    SHA1

    c8d2988262870c8781cd917d517b71c4fa7209df

    SHA256

    a53bd2f763f16b7f6c6cc98a539cc18e6d13fe380d3b1d391e65b33e2c424893

    SHA512

    395e5c9af8a1ffe0fdea1cbb501f33ae4054d00cf0654d00d78febb421bf01b5f297531c4ac04aa0bfb55a3c7252bddd6d70eafac949086a8ac41c5a52c5575d

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IMG0012.exe
    Filesize

    113KB

    MD5

    849dfc2e717d555679040c40ddbefee4

    SHA1

    e15aca3e1f9036ca94f091340e2cf29d3add4933

    SHA256

    0e07607bf4988792060788b79db2ef4c3f08c822f84d53f94df19bbe4a01a6da

    SHA512

    e92e080e9f81ca601a29bfbc3bbb9fde3ba521fcc7daf952a8d7c0aed09a96c698b79ed8145ec53fe2d8058e11282883295abb9ee3adfaaf468a43b08cb9d309

    Download Submit
  • \Users\Admin\AppData\Local\Temp\IMG0012.exe
    Filesize

    113KB

    MD5

    849dfc2e717d555679040c40ddbefee4

    SHA1

    e15aca3e1f9036ca94f091340e2cf29d3add4933

    SHA256

    0e07607bf4988792060788b79db2ef4c3f08c822f84d53f94df19bbe4a01a6da

    SHA512

    e92e080e9f81ca601a29bfbc3bbb9fde3ba521fcc7daf952a8d7c0aed09a96c698b79ed8145ec53fe2d8058e11282883295abb9ee3adfaaf468a43b08cb9d309

    Download Submit
  • \Users\Admin\AppData\Local\Temp\cmsetac.dll
    Filesize

    33KB

    MD5

    49616bec13d584f8e3b7db118a487152

    SHA1

    25311db5ff28d48c9eeb067fb185e8dff0f2e11d

    SHA256

    56f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e

    SHA512

    5deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\cmsetac.dll
    Filesize

    33KB

    MD5

    49616bec13d584f8e3b7db118a487152

    SHA1

    25311db5ff28d48c9eeb067fb185e8dff0f2e11d

    SHA256

    56f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e

    SHA512

    5deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\ntdtcstp.dll
    Filesize

    7KB

    MD5

    67587e25a971a141628d7f07bd40ffa0

    SHA1

    76fcd014539a3bb247cc0b761225f68bd6055f6b

    SHA256

    e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

    SHA512

    6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

    Download Submit
  • memory/896-54-0x0000000076411000-0x0000000076413000-memory.dmp
    Filesize

    8KB

    Download
  • memory/896-60-0x0000000000400000-0x000000000040D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1692-57-0x0000000000000000-mapping.dmp
    Download
  • memory/1692-66-0x0000000000400000-0x0000000000451000-memory.dmp
    Filesize

    324KB

    Download
  • memory/1692-65-0x0000000002960000-0x000000000296E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1692-61-0x0000000000400000-0x0000000000451000-memory.dmp
    Filesize

    324KB

    Download