Analysis
-
max time kernel
212s -
max time network
231s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
03-12-2022 13:12
General
-
Target
d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe
-
Size
650KB
-
MD5
8da7970c2d7fefa91dde87347f240486
-
SHA1
f279f1a8347f90aeaa2bc1c744b8a27fb28cdb25
-
SHA256
d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3
-
SHA512
5e91fca941877b257a0f32646505d877176036d3209f6c4d5f674afe8d98ef440b6161c0312382316665e2b62b46965c9cda4a7151d37db040d36ef143419683
-
SSDEEP
12288:V7Dbxv8LbH1nRQJ5WJVjDbykWZYJDDVcdnNwPl2kAQQLgpMjuNZMNyYZ:VLxEPVRQJgf/bONRNZQQcpZDMNBZ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe"C:\Users\Admin\AppData\Local\Temp\d7d38af8e2f1c0cdfee83547348f39292a4cf1859cf7238613f9ee6a5bbbb9c3.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe"C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\program files\internet explorer\IEXPLORE.EXE"C:\program files\internet explorer\IEXPLORE.EXE"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\MSInfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exeFilesize
672KB
MD5c70eb040086b3260956cc5fad3ed9a8d
SHA1fca6484dd65e74e858bf5b3c2d49443264d0bd69
SHA2561d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf
SHA512b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc
-
C:\program files\common files\microsoft shared\msinfo\Ë¢»áÔ±¼ÓÁù×깤¾ß.exeFilesize
672KB
MD5c70eb040086b3260956cc5fad3ed9a8d
SHA1fca6484dd65e74e858bf5b3c2d49443264d0bd69
SHA2561d90509e2594ae20cb098a35829d54e1ef69c3953d6096439dba22aad60828cf
SHA512b05899a474ba936057408bab845d3ca4ebecce656c09c581241ffcd607b99a1307aae1412817a96e43514b23d82482720e3788c7b72478a653e4e57cc0a17bbc
-
memory/3060-132-0x0000000000400000-0x00000000005AD000-memory.dmpFilesize
1.7MB
-
memory/3060-133-0x0000000002250000-0x00000000022AB000-memory.dmpFilesize
364KB
-
memory/3060-137-0x0000000000400000-0x00000000005AD000-memory.dmpFilesize
1.7MB
-
memory/3200-134-0x0000000000000000-mapping.dmp