Analysis
Max time kernel: 18s
Max time network: 48s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 03-12-2022 20:47
Static task: static1
Behavioral task: behavioral1
  Sample: e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll
  Resource: win10v2004-20220812-en
General
Target: e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll
Size: 497KB
MD5: db5801aeaa4b02c6d0af8417eba08361
SHA1: 00e6ee5b04f534523806d11a5f1480e1e6252fd2
SHA256: e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053
SHA512: bd43706e9313cd8f1967449b0fe16c5814cc1c188934038f90559c6656c2e357467e705aa06f2a23166894683a036ee44f08e3c6caf2edb21e89f1ff689f8d01
SSDEEP: 12288:qnd75fG1khOCeHJ/DG74W/ndL29IA1FBg2dd/DjvU:qnF1UkhOCeHxS0W/ndLaIqFBgsd7bU
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/852-56-0x0000000001F40000-0x00000000020BD000-memory.dmp | modiloader_stage2
  behavioral1/memory/852-57-0x0000000001F40000-0x00000000020BD000-memory.dmp | modiloader_stage2
  behavioral1/memory/852-59-0x0000000001F40000-0x00000000020BD000-memory.dmp | modiloader_stage2

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description | pid | process | target process
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
  PID 1628 wrote to memory of 852 | 1628 | rundll32.exe | rundll32.exe
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e68b08f8dfd24e634cdbb6e430056c7225386085c58248b89d45cfe7d7d07053.dll,#1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/852-54-0x0000000000000000-mapping.dmp
  memory/852-55-0x0000000075ED1000-0x0000000075ED3000-memory.dmp (Filesize: 8KB)
  memory/852-56-0x0000000001F40000-0x00000000020BD000-memory.dmp (Filesize: 1.5MB)
  memory/852-57-0x0000000001F40000-0x00000000020BD000-memory.dmp (Filesize: 1.5MB)
  memory/852-58-0x00000000002D0000-0x0000000000324000-memory.dmp (Filesize: 336KB)
  memory/852-59-0x0000000001F40000-0x00000000020BD000-memory.dmp (Filesize: 1.5MB)