Analysis
-
max time kernel
139s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
26/12/2023, 00:10
General
-
Target
4562a57e178f2d04504f5d204de31261.exe
-
Size
42KB
-
MD5
4562a57e178f2d04504f5d204de31261
-
SHA1
1bd9c39e8b7809aa6513e033095988394acdfce8
-
SHA256
d47b4f7412c27388e4b549be22f318157bc4040651a798e25b2664f2c061ddbb
-
SHA512
e754032dfc39182db543602996960d4888281aa4c01f11cfc182cda81f7506892f4d181ac8b6a1f435cd28f55486aed98b8b866dcd7ed79dfa415b12ab921514
-
SSDEEP
768:cI3KNfNflsMVyzCnW103ULfjzIApe1o0:cVfFlsrCnE036fjBpQo
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4562a57e178f2d04504f5d204de31261.exe"C:\Users\Admin\AppData\Local\Temp\4562a57e178f2d04504f5d204de31261.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\server.exe"C:\Users\Admin\AppData\Local\Temp\server.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
-
Filesize
76KB
-
Filesize
76KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
72KB