Analysis
- max time kernel: 30s
- max time network: 42s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 12:51
Static task: static1
Behavioral task: behavioral1
  Sample: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  Resource: win10v2004-20220812-en
General
- Target: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
- Size: 255KB
- MD5: 2c7b17320e20fdaad9b82e6802b43d69
- SHA1: 98022315c931f275ec467534fc57452d742a82da
- SHA256: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97
- SHA512: e79beaf703ce53b8faa4ba43b107691e07d7eeb331f5adc43ee10f74516994725efc271f9ce924921f7f25cb0b468f9b1a459c46e6aef65b5f0408f95ae3037a
- SSDEEP: 6144:q7WZh22Ltnko1hznaMnVDnqr8sevNgJZPKM9cQ:KWZIqJTnFVDnqw3lgbjh
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1712-55-0x0000000000400000-0x0000000000482000-memory.dmp | modiloader_stage2
  behavioral1/memory/1712-57-0x0000000000400000-0x0000000000482000-memory.dmp | modiloader_stage2
  behavioral1/memory/1860-60-0x0000000000400000-0x0000000000482000-memory.dmp | modiloader_stage2
- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: svchost.exe, 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | svchost.exe
  File opened for modification | \??\PhysicalDrive0 | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
- Modifies registry class (6 IoCs)
  Processes: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe, svchost.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | svchost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | svchost.exe
- Suspicious behavior: RenamesItself (2 IoCs)
  Processes: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe, svchost.exe
  pid | process
  1712 | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  1860 | svchost.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe, svchost.exe
  description | pid | process | target process
  PID 1712 wrote to memory of 1860 | 1712 | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe | svchost.exe
  PID 1712 wrote to memory of 1860 | 1712 | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe | svchost.exe
  PID 1712 wrote to memory of 1860 | 1712 | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe | svchost.exe
  PID 1712 wrote to memory of 1860 | 1712 | 90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe | svchost.exe
  PID 1860 wrote to memory of 1616 | 1860 | svchost.exe | iexplore.exe
  PID 1860 wrote to memory of 1616 | 1860 | svchost.exe | iexplore.exe
  PID 1860 wrote to memory of 1616 | 1860 | svchost.exe | iexplore.exe
  PID 1860 wrote to memory of 1616 | 1860 | svchost.exe | iexplore.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90ccaee873291b0b428339d3f7405a9574dc45624fd7c69bd5c6ac67ea681f97.exe"
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  - C:\Windows\svchost.exe
    Command line: -bs
    - Writes to the Master Boot Record (MBR)
    - Modifies registry class
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Internet Explorer\iexplore.exe
      Command line: -bs
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1712-54-0x00000000762B1000-0x00000000762B3000-memory.dmp (Filesize: 8KB)
- memory/1712-55-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize: 520KB)
- memory/1712-57-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize: 520KB)
- memory/1860-56-0x0000000000000000-mapping.dmp
- memory/1860-59-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize: 520KB)
- memory/1860-60-0x0000000000400000-0x0000000000482000-memory.dmp (Filesize: 520KB)