Overview

overview

10

Static

static

d0c17c3c24...9a.exe

windows7-x64

10

d0c17c3c24...9a.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    75s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 22:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0c17c3c241e09ec0743375107261b0c6d485f083cdd57241e6041ba15fced9a.exe

  • Size

    286KB

  • MD5

    07efbae6984c16f7f273d61c6fba3fcf

  • SHA1

    090ba23abf7c8986b281383129a7e1e8bd2bb4f4

  • SHA256

    d0c17c3c241e09ec0743375107261b0c6d485f083cdd57241e6041ba15fced9a

  • SHA512

    bd066852cb8e8f7ec666885b7838c0c9828dea2fd5890b45cefcb90ebb5576d84c3d6fab4b6f160ee67bf9023cdfb23a55e3f645af4467face2385b233b8601c

  • SSDEEP

    6144:psCgExLvSE2OsEHgVh+TM6t0nT+1Od1EinVpiVnxkR0nHOOVJfk31U6+Yn12OFb:paWLK2Wh+tKT+1O9VMVHOOVJf8+012OB

Score
10/10
modiloadertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0c17c3c241e09ec0743375107261b0c6d485f083cdd57241e6041ba15fced9a.exe
    "C:\Users\Admin\AppData\Local\Temp\d0c17c3c241e09ec0743375107261b0c6d485f083cdd57241e6041ba15fced9a.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:560
    • C:\program files\internet explorer\IEXPLORE.EXE
      "C:\program files\internet explorer\IEXPLORE.EXE"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GGFBLLWV.txt
    Filesize

    603B

    MD5

    087f2c8a63cf676f9b5d722d48ee0e6a

    SHA1

    74e78b834c3b1f0a341c5eae24aaf7fbc6181c92

    SHA256

    cceaf36b3a146cba4becb72a5643c3dd492b0f2861dcec713e496a388022a7c9

    SHA512

    66f8e95a29fe0d5872993e1d89e0db230f330f6dc5a14f5cdafc40a09326afc24d7920cf632f9967eb426f53002c1a4bda697a5b1366bc66eede482f9935c56b

    Download Submit
  • memory/560-54-0x0000000076041000-0x0000000076043000-memory.dmp
    Filesize

    8KB

    Download
  • memory/560-55-0x0000000000400000-0x000000000053B000-memory.dmp
    Filesize

    1.2MB

    Download