Overview

overview

10

Static

static

3

bc6626b114...76.exe

windows7-x64

10

bc6626b114...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    22-11-2023 08:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc6626b114d68546c5af018efe67a4f8c321a476.exe

  • Size

    1.8MB

  • MD5

    c0895699c1e9bd08c6b8f7e8c7bcd7d6

  • SHA1

    bc6626b114d68546c5af018efe67a4f8c321a476

  • SHA256

    5517cdcbe0571bef0456f9f214fd3cb73a7a0c7cb73a5833e31142938277623a

  • SHA512

    c8275534abce9d6c0b107e73971d160a2e5983816b961b543df1f18efcd27a0d62c155c168407f067f4fc484ef27af766a42582840781d53555e1338de35a266

  • SSDEEP

    49152:aD4+yRMXpcOX8IxTqh0eJa3DZEe9sRuCVCW40MyqChsyfue9Tb:aDqRMXpcOXX8Za31CuCc4MXC+yft

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Local\Temp\bc6626b114d68546c5af018efe67a4f8c321a476.exe
      "C:\Users\Admin\AppData\Local\Temp\bc6626b114d68546c5af018efe67a4f8c321a476.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2732
      • C:\Windows\SysWOW64\colorcpl.exe
        C:\Windows\System32\colorcpl.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1128
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1128-21-0x0000000000160000-0x000000000016C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/1128-26-0x0000000002210000-0x000000000229F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1128-25-0x00000000004F0000-0x000000000051D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1128-24-0x00000000024C0000-0x000000000280A000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1128-23-0x00000000004F0000-0x000000000051D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1128-22-0x0000000000160000-0x000000000016C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2004-16-0x00000000050B0000-0x00000000060B0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2004-17-0x00000000050B0000-0x00000000060B0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2004-13-0x00000000050B0000-0x00000000060B0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2004-15-0x0000000017280000-0x00000000175CA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2004-18-0x0000000017140000-0x0000000017150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2732-4-0x0000000073EE0000-0x0000000073EF2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2732-0-0x0000000002360000-0x0000000002361000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-6-0x0000000004510000-0x0000000005510000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/2732-5-0x0000000002360000-0x0000000002361000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2732-8-0x0000000000400000-0x00000000005D0000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2732-3-0x0000000000400000-0x00000000005D0000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2732-2-0x0000000000400000-0x00000000005D0000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2732-1-0x0000000004510000-0x0000000005510000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/3412-19-0x0000000008A40000-0x0000000008AF6000-memory.dmp

      Filesize

      728KB

      Download

    • memory/3412-27-0x0000000008B00000-0x0000000008C0B000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3412-37-0x0000000008B00000-0x0000000008C0B000-memory.dmp

      Filesize

      1.0MB

      Download