Overview

overview

10

Static

static

8

b57aae31d6...83.exe

windows7-x64

10

b57aae31d6...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    05/12/2022, 16:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b57aae31d652603c8b4452227becf1edcdbc851d9f03ded8ac567a3a70060783.exe

  • Size

    400KB

  • MD5

    f574a0b3535a2e36cd5a49e5d5d4873a

  • SHA1

    94590c998a2d60bb8407c8fe1cea45aa8b88c31e

  • SHA256

    b57aae31d652603c8b4452227becf1edcdbc851d9f03ded8ac567a3a70060783

  • SHA512

    bc984eaa2ac6cb7b340a8e7a455989854914e74f942cb82445afb784a216756ad5b23bdaa03adf1c154d10b6ef23dacd87ff03a7fb79f3535fb4e1f68e9bb0df

  • SSDEEP

    12288:g1PO8MeQh81uhNmq+jhfgKBRKnb/ZPSUuXzE:gPO8MeQS143+jhfjonb/Z6jI

Score
10/10
modiloaderevasionpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 6 IoCs
  • Executes dropped EXE 4 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b57aae31d652603c8b4452227becf1edcdbc851d9f03ded8ac567a3a70060783.exe
    "C:\Users\Admin\AppData\Local\Temp\b57aae31d652603c8b4452227becf1edcdbc851d9f03ded8ac567a3a70060783.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Users\Admin\AppData\Local\Temp\son.exe
      C:\Users\Admin\AppData\Local\Temp/son.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1756
      • C:\Users\Admin\AppData\Local\Temp\son.exe
        C:\Users\Admin\AppData\Local\Temp\son.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Windows\mstwain32.exe
          "C:\Windows\mstwain32.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:828
          • C:\Windows\mstwain32.exe
            C:\Windows\mstwain32.exe
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • System policy modification
            PID:304
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • C:\Windows\mstwain32.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • C:\Windows\mstwain32.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • C:\Windows\mstwain32.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • \Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • \Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • \Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • \Users\Admin\AppData\Local\Temp\son.exe
    Filesize

    128KB

    MD5

    789117b67b82e99d4a2047d393fa676f

    SHA1

    8367e221345959fa5a8c06b0f0c9cb13d08df056

    SHA256

    546ee5556fcec4d9ccd2baf25284b9e36eb42dc05315854b4f2d58a2692539a0

    SHA512

    f8de6d79a05bcbcd53d0e3db78967b16b7488db16b82f2486a298ff36e5614155639a8fdbbce4495d9c8b938aa8f34ee60d61bf3f8cabffcea50edada9d28852

    Download Submit

  • memory/304-88-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/304-84-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/304-85-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/304-86-0x0000000000570000-0x000000000057E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/304-87-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1268-69-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1268-75-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1268-71-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1268-70-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1268-64-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1268-62-0x0000000000400000-0x000000000044F000-memory.dmp

    Filesize

    316KB

    Download

  • memory/1956-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1956-59-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download