Analysis
-
max time kernel
31s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
25-04-2023 14:55
Static task
static1
Behavioral task
behavioral1
Sample
IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT/IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT/IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe
Resource
win10v2004-20230220-en
General
-
Target
IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT/IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe
-
Size
1.4MB
-
MD5
5d640e845ee35e1ebdd91fd9ae93c80d
-
SHA1
7f16c1d10b622f8d9e9f9a3e851a24b14759b8e2
-
SHA256
769ac6fd667c5fd54ff9f4e9476cb54aa7844d19d4551f5b9f415780ddeb3b1d
-
SHA512
fc9b2681285839a2cb70a558dd4ffaa1d8a5e111087771a7997df9bb5a4f4cf27d049378d1ef1155e1b9476b755d1d9abd8a994bff3ebcda7ef3845181a75aee
-
SSDEEP
24576:ezhCv4xm8E+fEc6ta2SAaQBn2NDld56BeKwjYq897JoVCu:ezZUaQB2xh6BhwjYL97Lu
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1720-54-0x00000000034E0000-0x00000000035C1000-memory.dmp modiloader_stage2 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wmtvfogh = "C:\\Users\\Public\\Libraries\\hgofvtmW.url" IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exepid process 1720 IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exedescription pid process target process PID 1720 wrote to memory of 1320 1720 IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe wscript.exe PID 1720 wrote to memory of 1320 1720 IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe wscript.exe PID 1720 wrote to memory of 1320 1720 IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe wscript.exe PID 1720 wrote to memory of 1320 1720 IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe wscript.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe"C:\Users\Admin\AppData\Local\Temp\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT\IMAGEDDOC0559DOC030273YALUMINUMPROFIL3554EQUANT.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wscript.exe2⤵PID:1320
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1720-54-0x00000000034E0000-0x00000000035C1000-memory.dmpFilesize
900KB
-
memory/1720-56-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/1720-57-0x0000000000400000-0x000000000056A000-memory.dmpFilesize
1.4MB
-
memory/1720-60-0x0000000030590000-0x0000000030649000-memory.dmpFilesize
740KB
-
memory/1720-61-0x0000000030590000-0x0000000030649000-memory.dmpFilesize
740KB