Overview

overview

10

Static

static

3

091fbd8d1a...b7.exe

windows7-x64

10

091fbd8d1a...b7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2023, 17:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7.exe

  • Size

    1.8MB

  • MD5

    95af57a740c5db3e1e52cdb5355daa28

  • SHA1

    02fa230076b630be472086ffefa77a1a7a9a542c

  • SHA256

    091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7

  • SHA512

    6fc5d5fb4274a262e0bec4306b67656ffe51020ce9902e1d8e9e979bf6d01dc4bb23cfa2a4fb8babea7b82709023b58a42e4461065b3244537471ed51da5ad71

  • SSDEEP

    49152:bee0SeGwcSGQ3OvlzgzRlyYFT9xZdmPSw:blMGNQ3ywXFJQ

Score
10/10
modiloaderpersistencespywarestealertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7.exe
      "C:\Users\Admin\AppData\Local\Temp\091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\Windows\SysWOW64\colorcpl.exe
        C:\Windows\System32\colorcpl.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1712
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1144

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1124-1-0x00000000048B0000-0x00000000058B0000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1124-2-0x0000000000400000-0x00000000005CF000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1124-3-0x00000000048B0000-0x00000000058B0000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1124-5-0x0000000000400000-0x00000000005CF000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/1124-6-0x0000000000630000-0x0000000000631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1124-0-0x0000000000630000-0x0000000000631000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1712-18-0x0000000004B50000-0x0000000005B50000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1712-9-0x0000000004B50000-0x0000000005B50000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1712-11-0x000000001CC70000-0x000000001CFBA000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1712-12-0x0000000004B50000-0x0000000005B50000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1712-13-0x0000000004B50000-0x0000000005B50000-memory.dmp

            Filesize

            16.0MB

            Download

          • memory/1712-15-0x000000001CB90000-0x000000001CBAF000-memory.dmp

            Filesize

            124KB

            Download

          • memory/3132-22-0x000000000AD40000-0x000000000AE58000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3132-14-0x000000000CB80000-0x000000000E4D7000-memory.dmp

            Filesize

            25.3MB

            Download

          • memory/3132-23-0x000000000AD40000-0x000000000AE58000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/3132-24-0x000000000CB80000-0x000000000E4D7000-memory.dmp

            Filesize

            25.3MB

            Download

          • memory/3132-33-0x000000000AD40000-0x000000000AE58000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4880-17-0x0000000000360000-0x0000000000396000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4880-16-0x0000000000360000-0x0000000000396000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4880-19-0x00000000028E0000-0x0000000002C2A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/4880-20-0x0000000000360000-0x0000000000396000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4880-21-0x0000000002670000-0x000000000270E000-memory.dmp

            Filesize

            632KB

            Download

          • memory/4880-31-0x0000000000360000-0x0000000000396000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4880-32-0x0000000002670000-0x000000000270E000-memory.dmp

            Filesize

            632KB

            Download