Analysis
- max time kernel: 188s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 16:37

Static task: static1

Behavioral task: behavioral1
- Sample: 9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe
- Resource: win7-20221111-en

Behavioral task: behavioral2
- Sample: 9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe
- Resource: win10v2004-20220812-en
General
- Target: 9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe
- Size: 487KB
- MD5: f3c99f387838d9b8ec318a42fc74182e
- SHA1: 4479698bfc9e884f833e4e4dad6dbf9d20832c55
- SHA256: 9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80
- SHA512: 933e9227ce53e38034301ab4c8c4794190c0c567bbce64a5c8ff88a172f3a954950d2123ba30754a61e4d3a7a3e55f891565d78e4268e8842c3c8dce62d063f0
- SSDEEP: 6144:80nDtmLMjvgmt2ojZ/BU8XLMmruOClyg1ukZ/A8BO0/4NuwE1pfiWagW:8ZLa2I/PX7ruOCljsKAJ0AkkKW
Malware Config

Signatures
- ModiLoader, DBatLoader
  ModiLoader (also tracked as DBatLoader) is a Delphi loader that abuses public cloud services to download the malware families it delivers.
- ModiLoader Second Stage (3 IoCs)
  YARA rule modiloader_stage2 matched the unpacked image of vbc.exe (PID 1560) in three dumps of the same region:
  behavioral2/memory/1560-138-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral2/memory/1560-139-0x0000000000400000-0x0000000000421000-memory.dmp
  behavioral2/memory/1560-142-0x0000000000400000-0x0000000000421000-memory.dmp
- Executes dropped EXE (1 IoCs)
  PID 1872 svchost.exe
- UPX (6 IoCs)
  YARA rule upx matched the region 0x0000000000400000-0x0000000000421000 of PID 1560 in dumps 135, 136, 137, 138, 139 and 142 (behavioral2/memory/1560-<n>-0x0000000000400000-0x0000000000421000-memory.dmp).
- Uses the Visual Basic compiler (vbc.exe) for execution (1 TTPs)
  The signature name on the original page reads "VBS compiler"; vbc.exe is the .NET Visual Basic compiler, not the VBScript engine.
- Suspicious use of SetThreadContext (1 IoCs)
  PID 1316 (9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe) set thread context of PID 1560 (vbc.exe).
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1316 (9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe) wrote to memory of PID 1560 (vbc.exe): 8 events.
  PID 1560 (vbc.exe) wrote to memory of PID 1872 (svchost.exe): 3 events.
Processes
1. C:\Users\Admin\AppData\Local\Temp\9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe (PID 1316)
   command line: "C:\Users\Admin\AppData\Local\Temp\9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1560, child of 1)
      command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\Services\svchost.exe (PID 1872, child of 2)
         command line: "C:\Users\Admin\Documents\Services\svchost.exe"
         - Executes dropped EXE
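The three signatures above describe one chain: the sample overwrites a freshly started vbc.exe with WriteProcessMemory and redirects it with SetThreadContext (process hollowing into a trusted Microsoft binary), and the hollowed vbc.exe then launches a dropped file named svchost.exe from the user's Documents folder. The hunting logic below is an added example, not code from the report or from the sandbox vendor. Its process table and API events are constructed by hand from the PIDs, image paths and event counts shown above; the record layout (a dict of pid to parent/image, tuples of API name, source PID and target PID) is an assumed simplified schema rather than the sandbox's export format, and the allow-lists beyond vbc.exe and svchost.exe are additions of this example.

```python
"""Hunting logic for the hollowing -> masquerading chain in the report above.

Added example, not code from the report or from the sandbox vendor. The
process table and API events are constructed from the PIDs, image paths and
event counts the report shows; the record layout is an assumed simplified
schema, not the sandbox's export format.
"""
from collections import Counter
from pathlib import PureWindowsPath

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9cef1abb5b1c8cb9c46aacce924a581e5f6f22f6a94d40909c0d724de27a2a80.exe")
VBC = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
DROPPED = r"C:\Users\Admin\Documents\Services\svchost.exe"

# Constructed from the report's process tree: pid -> (parent pid, image path).
PROCESSES = {
    1316: {"ppid": None, "image": SAMPLE},
    1560: {"ppid": 1316, "image": VBC},
    1872: {"ppid": 1560, "image": DROPPED},
}

# Constructed from the signature tables: (api, source pid, target pid).
# 1 SetThreadContext and 8 WriteProcessMemory from 1316 into 1560, then
# 3 WriteProcessMemory from 1560 into 1872.
EVENTS = (
    [("SetThreadContext", 1316, 1560)]
    + [("WriteProcessMemory", 1316, 1560)] * 8
    + [("WriteProcessMemory", 1560, 1872)] * 3
)

# Assumed allow-lists for the two heuristics below. Only vbc.exe and
# svchost.exe come from the report; the other names are additions here.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _name(path):
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path):
    # Exact directory match or a true child path; "System32evil" must not pass.
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def find_hollowing(processes, events):
    """Flag parents that both overwrite a child's memory and reset its thread
    context: the process-hollowing sequence the report shows between the
    sample (1316) and vbc.exe (1560)."""
    writes, ctx = Counter(), set()
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext":
            ctx.add((src, dst))
    return [
        {
            "rule": "process_hollowing",
            "source": src,
            "target": dst,
            "writes": writes[(src, dst)],
            "trusted_host": _name(processes[dst]["image"]) in HOLLOW_HOSTS,
        }
        for src, dst in sorted(ctx)
        if writes[(src, dst)]
    ]


def find_masquerading(processes):
    """Flag images that carry a core system binary's name but run from outside
    System32/SysWOW64, like the dropped Documents\\Services\\svchost.exe."""
    return [
        {"rule": "system_name_outside_system_dir", "pid": pid, "image": p["image"]}
        for pid, p in sorted(processes.items())
        if _name(p["image"]) in SYSTEM_NAMES and not _in_system_dir(p["image"])
    ]


def find_chain(processes, events):
    """Join the two heuristics: (hollowed pid, masquerading pid) pairs where a
    hollowed trusted host spawned, or wrote into, a masquerading binary."""
    hollowed = {f["target"] for f in find_hollowing(processes, events) if f["trusted_host"]}
    pairs = []
    for f in find_masquerading(processes):
        pid = f["pid"]
        writers = {src for api, src, dst in events if api == "WriteProcessMemory" and dst == pid}
        links = ({processes[pid]["ppid"]} | writers) & hollowed
        pairs.extend((h, pid) for h in sorted(links))
    return pairs


if __name__ == "__main__":
    for finding in find_hollowing(PROCESSES, EVENTS) + find_masquerading(PROCESSES):
        print(finding)
    print("chain:", find_chain(PROCESSES, EVENTS))
```

Run against the constructed events, the hollowing rule reports 1316 -> 1560 with 8 writes into a trusted host, the masquerading rule reports PID 1872, and the join links them as (1560, 1872). The join is the part worth keeping in a real detection: a lone SetThreadContext or a renamed svchost.exe each produce noise, but a trusted compiler binary that was rewritten by its parent and then starts a system-named file from a user directory is a strong signal on its own.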
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Documents\Services\svchost.exe
  Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- memory/1316-132-0x0000000075010000-0x00000000755C1000-memory.dmp (Filesize: 5.7MB)
- memory/1316-133-0x0000000075010000-0x00000000755C1000-memory.dmp (Filesize: 5.7MB)
- memory/1560-134-0x0000000000000000-mapping.dmp
- memory/1560-135-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1560-136-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1560-137-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1560-138-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1560-139-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1560-142-0x0000000000400000-0x0000000000421000-memory.dmp (Filesize: 132KB)
- memory/1872-140-0x0000000000000000-mapping.dmp