Overview

overview

10

Static

static

1

761F42F03E...6D.exe

windows7-x64

10

761F42F03E...6D.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    27/03/2023, 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe

  • Size

    334KB

  • MD5

    a11ae57c068442f751c4a7f4f5f542b0

  • SHA1

    131eaded2b2507fa0b1fbf5677705a09496d0f4c

  • SHA256

    761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772

  • SHA512

    c62d70a3391f30cd5084d8ca4cfe0bdc65205205ac3913d4f9a9af847e1f224a780b3ddb4e981e105dd1dde6a1d52d628c6bb5380901f357156e3063dde2e674

  • SSDEEP

    6144:5P8U5dPZDa/iuqO2pi14MlxYSCG1H95dp4kq5bx4fbJr/CYzCIbeY3opBMc:F5VZDaj5xZC2dGkebubJr/CIbbopBp

Score
10/10
modiloaderevasionpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
    evasion
  • ModiLoader Second Stage 44 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe
    "C:\Users\Admin\AppData\Local\Temp\761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe"
    1⤵
      PID:1704
    • C:\Windows\system32\mshta.exe
      "C:\Windows\system32\mshta.exe" javascript:ho5tm8Z="DFUS83";gd9=new%20ActiveXObject("WScript.Shell");A3lilIOk="qNSPA4U0";ZaU6r=gd9.RegRead("HKCU\\software\\h8RI9jV0\\EqpJDGj");Ax0p3ticr="Fx7ExEfu";eval(ZaU6r);cGE8o="Gr";
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:vsjxirfb
        2⤵
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:800
        • C:\Windows\SysWOW64\regsvr32.exe
          regsvr32.exe
          3⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VirtualBox drivers on disk
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Deletes itself
          • Adds Run key to start application
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1232
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\SysWOW64\regsvr32.exe"
            4⤵
              PID:1536

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\516d\2531.1389f
        Filesize

        30KB

        MD5

        02a25f8877254b57ae64defd393eac51

        SHA1

        6d549d2c7c093b37ba42908f6fcd360a3130d943

        SHA256

        7f368fbb1d11175992c9c1d1837b6162417769e8c7eea91251093c94a89e162e

        SHA512

        c79005844bee7087b45df0553b2a979d647d9e3dad920410687f26904a1abcb9889cd01f8df1509363c7ac0d8f7bfaa26b96dae25f288297e535a4e42ab9a5e9

        Download Submit

      • C:\Users\Admin\AppData\Local\516d\b1b1.bat
        Filesize

        65B

        MD5

        0f0e2181bd7e755e5b4368f7bfa43bf4

        SHA1

        057c40c16a76f83cc1801facaf88dcdbbc2ae98a

        SHA256

        570a4e9ca1242958796a4910f07bbc802281964d32029d1050150524908560aa

        SHA512

        38fd95b67cf9ff46224a1c379b1746c6666534a57f0f4f970ce9bc06e97c72b80cc4cbd99a01d3a37e7066a708d5609ac3cc4c234029c06725b32ee1cfcd74bb

        Download Submit

      • memory/800-72-0x0000000005C50000-0x0000000005D2C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/800-65-0x00000000023E0000-0x0000000002420000-memory.dmp

        Filesize

        256KB

        Download

      • memory/800-69-0x00000000023E0000-0x0000000002420000-memory.dmp

        Filesize

        256KB

        Download

      • memory/800-70-0x0000000004F90000-0x0000000004F91000-memory.dmp

        Filesize

        4KB

        Download

      • memory/800-71-0x0000000005C50000-0x0000000005D2C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/800-64-0x00000000023E0000-0x0000000002420000-memory.dmp

        Filesize

        256KB

        Download

      • memory/800-76-0x0000000005C50000-0x0000000005D2C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1232-99-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-109-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-73-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-77-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-217-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-79-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-81-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-83-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-85-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-87-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-89-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-91-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-93-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-95-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-97-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-127-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-101-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-103-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-105-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-107-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-108-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-126-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-110-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-113-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-114-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-116-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-115-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-118-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-117-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1232-119-0x0000000000220000-0x000000000036A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1536-176-0x00000000001D0000-0x000000000031A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1536-230-0x00000000001D0000-0x000000000031A000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1704-60-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1704-56-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1704-61-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1704-66-0x0000000000400000-0x000000000045C5E8-memory.dmp

        Filesize

        369KB

        Download

      • memory/1704-67-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1704-130-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1704-57-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download

      • memory/1704-54-0x0000000000400000-0x000000000045C5E8-memory.dmp

        Filesize

        369KB

        Download

      • memory/1704-55-0x0000000001F80000-0x000000000205C000-memory.dmp

        Filesize

        880KB

        Download