Overview

overview

10

Static

static

1

0625413424416272.exe

windows7-x64

10

0625413424416272.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 13:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0625413424416272.exe

  • Size

    821KB

  • MD5

    5fc4c73e287297316316d56ec340bb98

  • SHA1

    306fd44b6d688e9f84d87e533605121bdf64eb9c

  • SHA256

    33ba34d8685f48fc23e074cf802716cce5f1b27a656a0996bdf88232c42a36d7

  • SHA512

    76b21a33991414c057d1d6eafa5f8b2327c7b6e1f2aeae6e60fc15f82c65e9c40252f4aaf9d0d3276a7401a6adfb93b35e4794d9987229aa456dcddfcb85f8d8

  • SSDEEP

    12288:1xkn6YuwDEgW0+K4tvzxn58XdUpGHnSieAi+Ze643VaxBP:nM6yG0+hhzxnidiGHSi3HuS

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\AppData\Local\Temp\0625413424416272.exe
      "C:\Users\Admin\AppData\Local\Temp\0625413424416272.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\SysWOW64\colorcpl.exe
        C:\Windows\System32\colorcpl.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2724
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1200
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1200 -s 116
            4⤵
            • Program crash
            PID:1372
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 476 -p 1200 -ip 1200
      1⤵
        PID:2924

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2724-154-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2724-158-0x0000000010410000-0x000000001043F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2724-149-0x0000000004C30000-0x0000000004C31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2724-151-0x0000000005020000-0x000000000536A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2724-153-0x0000000010410000-0x000000001043F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2724-152-0x0000000010410000-0x000000001043F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3136-165-0x0000000007A00000-0x0000000007AC8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/3136-162-0x0000000007A00000-0x0000000007AC8000-memory.dmp

        Filesize

        800KB

        Download

      • memory/3136-155-0x0000000003380000-0x0000000003435000-memory.dmp

        Filesize

        724KB

        Download

      • memory/4116-159-0x0000000000AE0000-0x0000000000B37000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4116-157-0x0000000000AE0000-0x0000000000B37000-memory.dmp

        Filesize

        348KB

        Download

      • memory/4116-160-0x0000000000A40000-0x0000000000A6D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/4116-161-0x0000000002BE0000-0x0000000002F2A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4116-163-0x00000000027E0000-0x000000000286F000-memory.dmp

        Filesize

        572KB

        Download

      • memory/4660-148-0x0000000010410000-0x000000001043F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4660-133-0x0000000003E30000-0x0000000003E5C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/4660-147-0x0000000010410000-0x000000001043F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/4660-136-0x0000000000400000-0x00000000004D7000-memory.dmp

        Filesize

        860KB

        Download

      • memory/4660-135-0x0000000002810000-0x0000000002811000-memory.dmp

        Filesize

        4KB

        Download