Overview

overview

10

Static

static

3

1d0ea9b1cc...3f.exe

windows7-x64

10

1d0ea9b1cc...3f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    0s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2023, 00:30

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    1d0ea9b1ccc6e74a45dcc66831f3a73f.exe

  • Size

    1.0MB

  • MD5

    1d0ea9b1ccc6e74a45dcc66831f3a73f

  • SHA1

    b19963d8afa9aebadc4bd50f568e746659293441

  • SHA256

    1fa647aa8be5c4d63e9cd695bf1eca6c418570700ddfceaafe7a127b4e984c43

  • SHA512

    fbcc23447e3120bd08aebb00ec86a475f9332500ca473379c225332386dbceceb39ba036bbea0f8a275c36ff8194bf75620e44eb82e5b50e7bf8a52b5e1683af

  • SSDEEP

    24576:p34lKBEwKJqkBEwKJqo8AAD/Or3s5PcimX:peK1k1oiD2r8xC

Score
10/10
modiloaderevasiontrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 23 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d0ea9b1ccc6e74a45dcc66831f3a73f.exe
    "C:\Users\Admin\AppData\Local\Temp\1d0ea9b1ccc6e74a45dcc66831f3a73f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Users\Admin\AppData\Local\Temp\1d0ea9b1ccc6e74a45dcc66831f3a73f.exe
      C:\Users\Admin\AppData\Local\Temp\1d0ea9b1ccc6e74a45dcc66831f3a73f.exe
      2⤵
      • Checks whether UAC is enabled
      • Suspicious use of AdjustPrivilegeToken
      PID:376
      • C:\Windows\mstwain32.exe
        "C:\Windows\mstwain32.exe"
        3⤵
          PID:1972
          • C:\Windows\mstwain32.exe
            C:\Windows\mstwain32.exe
            4⤵
              PID:624
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3172

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Windows\SysWOW64\EtNDuISBB.dll
              Filesize

              53KB

              MD5

              af80f177462967e446fd64006af9faf4

              SHA1

              9bb9eded88d221f00b86ade516769af06f12e382

              SHA256

              2f1ad5517517556c93c1aeae05b5199a5d49f24d9f7854bb8b063409cba01964

              SHA512

              73b7d0cd679ed0099e20e08f4bc48919dc080a08cc7c64738aa6e940b2e819a19fd51fd0d2b094ea35db3ab3d9dcf001e46a9d3ca0a2d7019669a263508f35d7

              Download Submit

            • C:\Windows\SysWOW64\EtNDuISBB.dll
              Filesize

              8KB

              MD5

              57c65f93b0d49e431ded280dee49d0a9

              SHA1

              942c2f227cfda4d2dc57504e6cd83025f75d49b2

              SHA256

              3bff6b8b0cc18876258911c74e7256758b93c80bee1933824519f4352499f466

              SHA512

              2b3e7afb1c002151f19cbe5943c7a462db90faa4b248b408da82929dda4687f37c7be0ed8b4673c4df44b947ed9436d8b805ad7e0fc09a855e16ac7db31ae1e1

              Download Submit

            • C:\Windows\SysWOW64\EtNDuISBB.dll
              Filesize

              39KB

              MD5

              26dfa3c4cfa01b02044b4e12da1d1e21

              SHA1

              95d0584f2dd3e723572e9f9260d362231f329b89

              SHA256

              3dfd0a56c2e635b0bb28f9d2ab6b640c688d589d9e99717c6c2aa7e10393b03b

              SHA512

              2403d103a840e3e4c31347ebf13e2a755607c5459c37600c16b8850db37cc2a137d01ae7dd8341c403e662f2e906e6367c5bfae137fdcb5094a4ed00e3147c22

              Download Submit

            • C:\Windows\SysWOW64\EtNDuISBB.dll
              Filesize

              26KB

              MD5

              3208e267df6ce8f76e615fba256eeb23

              SHA1

              e5c178c2dc0eb0cf346cde351176e1012606cc80

              SHA256

              8e1792aee98ae2cd20a4f631984a65ec4d89d1f3c104bdab80aefdbc27d92e3e

              SHA512

              0043d2c3ef85211236138f851571bd7d35fb8514101008a0b8b7b58ac4a994df14adffd0aafe2e3d2491cc74e7e3afc9236adad96aaf46cbd25c482f37475ce0

              Download Submit

            • C:\Windows\mstwain32.exe
              Filesize

              15KB

              MD5

              71e002ee400265bdc5578fa8e576ef2b

              SHA1

              c8ee41bfa70d367d09ca36308f05d172b16e9703

              SHA256

              0a51a3256ae9ca81fb3bead9e7bff08f085d25887a8a82affe70d11c4a0c25e0

              SHA512

              3f309083c00025bc6748c1c5280608f7cece0ec8d52e339859a25b8c3cb69cdde898526624cc8282eef7e97214fbe7c98fe98b6e8a1132ff2bed7187a19aa3c0

              Download Submit

            • C:\Windows\mstwain32.exe
              Filesize

              27KB

              MD5

              d1fbaf4dc4f96ad085fb881c7cca47e7

              SHA1

              5a512e8409caf715d91ca9ca09a92dfb7c3aeea6

              SHA256

              88c1a0efaf840d324be4dd6bbcc4e76dc0043733b57962587c48b7208d89e466

              SHA512

              0c12a7034ad4800bd52fe202eb166e06794414d862f30a508a69f23205c5a195df0b9b3b8a75fe2b02fc2fcc0d3455ab1c90d6b20704c2c315cf00d9a9031594

              Download Submit

            • C:\Windows\mstwain32.exe
              Filesize

              7KB

              MD5

              beeb814ec8ea48e18293763a500de841

              SHA1

              a3e2cf039d24323a7daa8ad1d914384e8d29a8f2

              SHA256

              f45a85749b6874be9b16783f7db045de7d3912030a8518cc460aaa7ddfae8629

              SHA512

              48f025ece7f09d8870c207ad30cc7386db9b9ab74b35ce3d38891d722bf72877d12b7e6f51a8037e8ee0bf5341af3af1c562344f67df8fc99379d8d134cc42bd

              Download Submit

            • C:\Windows\mstwain32.exe
              Filesize

              42KB

              MD5

              034d0dfb13e477cde6fd194498ac0a89

              SHA1

              6c9dc155f328a4f988f600998f562019707782d4

              SHA256

              237d68edda015d08cbe06d7ebd07e6a138ce0daaa6236ab2682d6f67f25c33f0

              SHA512

              3bce59105b03faf774f45a282ab851459564976a9eb6e2e9cb705a0453e45c90e7652ca3526ed0c0d4ab37fcf63b263b77e14948ecbec9ddac9a43564287cb37

              Download Submit

            • memory/376-7-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/376-11-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/376-26-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/376-24-0x0000000000450000-0x0000000000519000-memory.dmp

              Filesize

              804KB

              Download

            • memory/376-27-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/376-8-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/376-10-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-45-0x00000000006F0000-0x00000000006F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/624-56-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-39-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-46-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/624-40-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-41-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-61-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-47-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-48-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-49-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-50-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-51-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-52-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-53-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-54-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-55-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-60-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-57-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-58-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/624-59-0x0000000000400000-0x000000000044B000-memory.dmp

              Filesize

              300KB

              Download

            • memory/1972-38-0x0000000000400000-0x00000000004DB000-memory.dmp

              Filesize

              876KB

              Download

            • memory/5104-9-0x0000000000400000-0x00000000004DB000-memory.dmp

              Filesize

              876KB

              Download