Overview

overview

10

Static

static

7

9553134727...6d.exe

windows7-x64

10

9553134727...6d.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    146s
  • max time network
    39s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 14:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9553134727fa4a71eed1b6f397d5c1ba0caeecc6e0b727324e57d51adecb836d.exe

  • Size

    1.3MB

  • MD5

    86b26f88dd49c24f509db5fcea871cfb

  • SHA1

    5e491a66461c2735c64c1c76c3e3a802ecdfd94d

  • SHA256

    9553134727fa4a71eed1b6f397d5c1ba0caeecc6e0b727324e57d51adecb836d

  • SHA512

    098dfcd7627103d0b32819901c211122cea2f515f97c1ac8d4b9818af56da89986529f50f361574f96c0693f2c5848525c574ba7357f2eddcd8f4ee0e8656639

  • SSDEEP

    24576:16dn930Z+o74N7sblqxcRQdvwiwVnbtpLrghuVYRyXCVYTVyiK7T+R7Voy8YsZoR:1yeZr4NKqeRQFw5IYMVVYZyiT7VoyHph

Score
10/10
modiloaderevasionpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\9553134727fa4a71eed1b6f397d5c1ba0caeecc6e0b727324e57d51adecb836d.exe
    "C:\Users\Admin\AppData\Local\Temp\9553134727fa4a71eed1b6f397d5c1ba0caeecc6e0b727324e57d51adecb836d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Users\Admin\AppData\Local\Temp\projeto.exe
      "C:\Users\Admin\AppData\Local\Temp\projeto.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • System policy modification
      PID:1328
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Projeto do kelton Misael.docx"
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1716
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Projeto do kelton Misael.docx
      Filesize

      12KB

      MD5

      e80efbc2fec67de4ab835c9162d9888c

      SHA1

      d1b453b0ec11b3c0287b26d9cb2074acbc79ad63

      SHA256

      f3175aabe37de94bbba63be08cdd50a994be15e0fbc3f3ce7dac8365ba1fb841

      SHA512

      a854861d5923d54a8df92d86a27510b9124c43bcc6b957fd3127c0187e8b68137dcb333e654f7d5c54c3cf84da35bce3d1546415bcea72de24a1f33447546b3a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cmsetac.dll
      Filesize

      33KB

      MD5

      7c3ff4d4d394fde7c693d04c488a55f8

      SHA1

      ae2b2acc7e91a910f9075e0e095b528e97827ba4

      SHA256

      4878bf71fd37ffac1fd6f5153357298544d0ef1f3a114c1f0451befcb85c59a8

      SHA512

      33c601d9e706cff0c3dce8280b040c361aa51004fd20b51946469b6a02453def5a7aad1e5f58bec3435cc6e25470155d07f71dc0f81ec642efc53215d7be316a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\projeto.exe
      Filesize

      108KB

      MD5

      4ed2988c4734c54a44c854c12f9f875a

      SHA1

      bb4e7f72ae5a484a8efd7e587af647b04ec79edd

      SHA256

      d57d23f8b6261b61cc5cac8ae31a011858ef462c6fd8da4f180ee2ae1688107f

      SHA512

      e5f74cd0b56a2defc68e86388138ed851dee32ecb57a3d5d8b5f9be62f6eea743c904cdb6c1e367ab6aedd1af65549be4fc7dff5e29b827567f4d276b009a693

      Download Submit

    • \Users\Admin\AppData\Local\Temp\cmsetac.dll
      Filesize

      33KB

      MD5

      7c3ff4d4d394fde7c693d04c488a55f8

      SHA1

      ae2b2acc7e91a910f9075e0e095b528e97827ba4

      SHA256

      4878bf71fd37ffac1fd6f5153357298544d0ef1f3a114c1f0451befcb85c59a8

      SHA512

      33c601d9e706cff0c3dce8280b040c361aa51004fd20b51946469b6a02453def5a7aad1e5f58bec3435cc6e25470155d07f71dc0f81ec642efc53215d7be316a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\cmsetac.dll
      Filesize

      33KB

      MD5

      7c3ff4d4d394fde7c693d04c488a55f8

      SHA1

      ae2b2acc7e91a910f9075e0e095b528e97827ba4

      SHA256

      4878bf71fd37ffac1fd6f5153357298544d0ef1f3a114c1f0451befcb85c59a8

      SHA512

      33c601d9e706cff0c3dce8280b040c361aa51004fd20b51946469b6a02453def5a7aad1e5f58bec3435cc6e25470155d07f71dc0f81ec642efc53215d7be316a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ntdtcstp.dll
      Filesize

      7KB

      MD5

      67587e25a971a141628d7f07bd40ffa0

      SHA1

      76fcd014539a3bb247cc0b761225f68bd6055f6b

      SHA256

      e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

      SHA512

      6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

      Download Submit

    • \Users\Admin\AppData\Local\Temp\projeto.exe
      Filesize

      108KB

      MD5

      4ed2988c4734c54a44c854c12f9f875a

      SHA1

      bb4e7f72ae5a484a8efd7e587af647b04ec79edd

      SHA256

      d57d23f8b6261b61cc5cac8ae31a011858ef462c6fd8da4f180ee2ae1688107f

      SHA512

      e5f74cd0b56a2defc68e86388138ed851dee32ecb57a3d5d8b5f9be62f6eea743c904cdb6c1e367ab6aedd1af65549be4fc7dff5e29b827567f4d276b009a693

      Download Submit

    • \Users\Admin\AppData\Local\Temp\projeto.exe
      Filesize

      108KB

      MD5

      4ed2988c4734c54a44c854c12f9f875a

      SHA1

      bb4e7f72ae5a484a8efd7e587af647b04ec79edd

      SHA256

      d57d23f8b6261b61cc5cac8ae31a011858ef462c6fd8da4f180ee2ae1688107f

      SHA512

      e5f74cd0b56a2defc68e86388138ed851dee32ecb57a3d5d8b5f9be62f6eea743c904cdb6c1e367ab6aedd1af65549be4fc7dff5e29b827567f4d276b009a693

      Download Submit

    • memory/524-83-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

      Filesize

      8KB

      Download

    • memory/524-82-0x0000000000000000-mapping.dmp

      Download

    • memory/836-63-0x0000000005370000-0x00000000053C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/836-64-0x0000000005370000-0x00000000053C0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/836-57-0x0000000001EC0000-0x0000000001FB0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/836-58-0x00000000045F0000-0x00000000045F3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/836-56-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1328-80-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1328-72-0x0000000000780000-0x000000000078E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1328-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1328-65-0x0000000000400000-0x0000000000450000-memory.dmp

      Filesize

      320KB

      Download

    • memory/1716-69-0x0000000070571000-0x0000000070573000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1716-75-0x0000000000550000-0x000000000055E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1716-76-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1716-77-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1716-68-0x0000000072AF1000-0x0000000072AF4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1716-81-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1716-67-0x0000000000000000-mapping.dmp

      Download

    • memory/1716-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1716-85-0x000000007155D000-0x0000000071568000-memory.dmp

      Filesize

      44KB

      Download