Overview

overview

10

Static

static

90ccaee873...97.exe

windows7-x64

10

90ccaee873...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe

  • Size

    255KB

  • MD5

    2c7b17320e20fdaad9b82e6802b43d69

  • SHA1

    98022315c931f275ec467534fc57452d742a82da

  • SHA256

    90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97

  • SHA512

    e79beaf703ce53b8faa4ba43b107691e07d7eeb331f5adc43ee10f74516994725efc271f9ce924921f7f25cb0b468f9b1a459c46e6aef65b5f0408f95ae3037a

  • SSDEEP

    6144:q7WZh22Ltnko1hznaMnVDnqr8sevNgJZPKM9cQ:KWZIqJTnFVDnqw3lgbjh

Score
10/10
modiloaderbootkitpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies registry class 6 IoCs
  • Suspicious behavior: RenamesItself 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
    "C:\Users\Admin\AppData\Local\Temp\90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Windows\svchost.exe
      -bs
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Program Files\Internet Explorer\iexplore.exe
        -bs
        3⤵
          PID:1616

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1712-54-0x00000000762B1000-0x00000000762B3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1712-55-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/1712-57-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/1860-56-0x0000000000000000-mapping.dmp
      Download
    • memory/1860-59-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download
    • memory/1860-60-0x0000000000400000-0x0000000000482000-memory.dmp
      Filesize

      520KB

      Download