Analysis
- max time kernel: 42s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 13:12
Static task: static1
Behavioral task: behavioral1
  Sample: d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
  Resource: win10v2004-20221111-en
General
- Target: d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
- Size: 650KB
- MD5: 8da7970c2d7fefa91dde87347f240486
- SHA1: f279f1a8347f90aeaa2bc1c744b8a27fb28cdb25
- SHA256: d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3
- SHA512: 5e91fca941877b257a0f32646505d877176036d3209f6c4d5f674afe8d98ef440b6161c0312382316665e2b62b46965c9cda4a7151d37db040d36ef143419683
- SSDEEP: 12288:V7Dbxv8LbH1nRQJ5WJVjDbykWZYJDDVcdnNwPl2kAQQLgpMjuNZMNyYZ:VLxEPVRQJgf/bONRNZQQcpZDMNBZ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage (4 IoCs)
Processes:
resource | yara_rule
\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | modiloader_stage2
\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | modiloader_stage2
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | modiloader_stage2
C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | modiloader_stage2
-
Executes dropped EXE (1 IoC)
Processes: Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
pid | process
1336 | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
-
Loads dropped DLL (2 IoCs)
Processes: d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
pid | process
1448 | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
1448 | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
-
Drops file in Program Files directory (4 IoCs)
Processes: Ë¢»áÔ±¼ÓÁù×깤¾ß.exe, DllHost.exe, d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
description | ioc | process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Fiele Ps.txt | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
File opened for modification | C:\program files\common files\microsoft shared\msinfo\ÊÓƵǿÖÆQQ.jpg | DllHost.exe
File created | C:\program files\common files\microsoft shared\msinfo\ÊÓƵǿÖÆQQ.jpg | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
File created | C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.jpg | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: DllHost.exe
pid | process
1552 | DllHost.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe, Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
description | pid | process | target process
PID 1448 wrote to memory of 1336 | 1448 | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
PID 1448 wrote to memory of 1336 | 1448 | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
PID 1448 wrote to memory of 1336 | 1448 | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
PID 1448 wrote to memory of 1336 | 1448 | d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
PID 1336 wrote to memory of 1768 | 1336 | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | IEXPLORE.EXE
PID 1336 wrote to memory of 1768 | 1336 | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | IEXPLORE.EXE
PID 1336 wrote to memory of 1768 | 1336 | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | IEXPLORE.EXE
PID 1336 wrote to memory of 1768 | 1336 | Ë¢»áÔ±¼ÓÁù×깤¾ß.exe | IEXPLORE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe (depth 2)
    command line: "C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\program files\internet explorer\IEXPLORE.EXE (depth 3)
      command line: "C:\program files\internet explorer\IEXPLORE.EXE"
- C:\Windows\SysWOW64\DllHost.exe (depth 1)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
  Filesize: 672KB
  MD5: c70eb040086b3260956cc5fad3ed9a8d
  SHA1: fca6484dd65e74e858bf5b3c2d49443264d0bd69
  SHA256: 1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf
  SHA512: b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc
- C:\program files\common files\microsoft shared\msinfo\ÊÓƵǿÖÆQQ.jpg
  Filesize: 27KB
  MD5: dbd2800832f7ddbb71468a3755d05bbe
  SHA1: 775bbc51ecf70876bfea482e0d1545f1cd7c9576
  SHA256: a7dfd95da908363ca7e2b52515149b8b8caa6d941d3374930aa9ba221c061366
  SHA512: cf8494e4e1187012847d0889528e07a3305bd745d9f65a217397b7e39ad8329f275c2b2eea72b1e0f2624cd9d5de686fcfdd8fc9e2558243593f161775c43762
- C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
  Filesize: 672KB
  MD5: c70eb040086b3260956cc5fad3ed9a8d
  SHA1: fca6484dd65e74e858bf5b3c2d49443264d0bd69
  SHA256: 1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf
  SHA512: b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc
- \Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
  Filesize: 672KB
  MD5: c70eb040086b3260956cc5fad3ed9a8d
  SHA1: fca6484dd65e74e858bf5b3c2d49443264d0bd69
  SHA256: 1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf
  SHA512: b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc
- \Program Files\Common Files\Microsoft Shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe
  Filesize: 672KB
  MD5: c70eb040086b3260956cc5fad3ed9a8d
  SHA1: fca6484dd65e74e858bf5b3c2d49443264d0bd69
  SHA256: 1d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf
  SHA512: b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc
- memory/1336-60-0x0000000000000000-mapping.dmp
- memory/1448-54-0x00000000764D1000-0x00000000764D3000-memory.dmp
  Filesize: 8KB
- memory/1448-55-0x0000000000400000-0x00000000005AD000-memory.dmp
  Filesize: 1.7MB
- memory/1448-56-0x0000000000330000-0x000000000038B000-memory.dmp
  Filesize: 364KB
- memory/1448-63-0x0000000000330000-0x000000000038B000-memory.dmp
  Filesize: 364KB
- memory/1448-62-0x0000000000400000-0x00000000005AD000-memory.dmp
  Filesize: 1.7MB