Analysis
-
max time kernel
154s -
max time network
165s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
-
submitted
23-10-2023 21:16
General
-
Target
63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312.exe
-
Size
304KB
-
MD5
abebbf12d4f5c17f5fc6d295b780e5a0
-
SHA1
58f129763b6b98483f44c5847de8c34c01316d65
-
SHA256
63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312
-
SHA512
8f64772716006990bbca182fbee187d6792fd9eb9b6d891296bb4d9067a7568fc57ec845a5302afe206b935900e8f76061035f5cfd14bbe487f3311ae9dbb900
-
SSDEEP
6144:6h+ykFDX/tt5ipwQd3Zks1NqZNlPur5UMRjIjXn+Z:s+ykFJfimQd3V1QZNu5FRQ3s
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
ModiLoader Second Stage 45 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312.exe"C:\Users\Admin\AppData\Local\Temp\63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312.exeC:\Users\Admin\AppData\Local\Temp\63a0bf6385356dd0297449bdca2a2f171846315505800e81a4c0285f09c87312.exe2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe4⤵
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\SysWOW64\dllhost.exe"5⤵
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe5⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/244-64-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/244-37-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/244-36-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/244-35-0x00000000009D0000-0x00000000009D1000-memory.dmpFilesize
4KB
-
memory/244-34-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/244-33-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/244-39-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/244-40-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/244-38-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/244-42-0x0000000000C00000-0x0000000000CC4000-memory.dmpFilesize
784KB
-
memory/384-11-0x000000000DD90000-0x000000000DE54000-memory.dmpFilesize
784KB
-
memory/384-12-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/384-2-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/384-4-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/384-5-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/384-6-0x000000000DD90000-0x000000000DE54000-memory.dmpFilesize
784KB
-
memory/384-7-0x000000000DD90000-0x000000000DE54000-memory.dmpFilesize
784KB
-
memory/1676-9-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/1676-13-0x00000000009C0000-0x00000000009C1000-memory.dmpFilesize
4KB
-
memory/1676-15-0x00000000008F0000-0x00000000009B4000-memory.dmpFilesize
784KB
-
memory/1676-17-0x00000000008F0000-0x00000000009B4000-memory.dmpFilesize
784KB
-
memory/1676-14-0x00000000008F0000-0x00000000009B4000-memory.dmpFilesize
784KB
-
memory/1676-10-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/2548-57-0x0000000000E20000-0x0000000000EE4000-memory.dmpFilesize
784KB
-
memory/2548-54-0x00000000006E0000-0x0000000000B13000-memory.dmpFilesize
4.2MB
-
memory/2548-62-0x0000000000E20000-0x0000000000EE4000-memory.dmpFilesize
784KB
-
memory/2548-56-0x00000000006E0000-0x0000000000B13000-memory.dmpFilesize
4.2MB
-
memory/2548-58-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/2548-61-0x0000000000E20000-0x0000000000EE4000-memory.dmpFilesize
784KB
-
memory/2548-66-0x0000000000E20000-0x0000000000EE4000-memory.dmpFilesize
784KB
-
memory/2548-59-0x0000000000E20000-0x0000000000EE4000-memory.dmpFilesize
784KB
-
memory/2548-60-0x0000000000E20000-0x0000000000EE4000-memory.dmpFilesize
784KB
-
memory/2964-0-0x0000000002250000-0x0000000002254000-memory.dmpFilesize
16KB
-
memory/4432-19-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/4432-32-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-31-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-30-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-44-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-45-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-46-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-48-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-49-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-51-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-52-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-53-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-50-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-29-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-28-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-27-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-26-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-23-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/4432-25-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-24-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-22-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-21-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-20-0x0000000000580000-0x0000000000587000-memory.dmpFilesize
28KB
-
memory/4432-75-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB
-
memory/4432-76-0x0000000000720000-0x00000000007E4000-memory.dmpFilesize
784KB