Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/12/2023, 20:44
Static task: static1
Behavioral task: behavioral1
  Sample: 1c18011c2def0325b221efc7952112f9.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1c18011c2def0325b221efc7952112f9.exe
  Resource: win10v2004-20231215-en
General
Target: 1c18011c2def0325b221efc7952112f9.exe
Size: 499KB
MD5: 1c18011c2def0325b221efc7952112f9
SHA1: c39b52f5a7c856ebd9ca3049152e03da62abee8e
SHA256: 771d46e06cdf01fc249bd965f721777ac5b89124d081bcc048189b3f7246e30f
SHA512: 092f899c8d1ab57da9a80916831f211aa746097196983dfdeb545e95c4df3b4652ad0d9845ee884a7b50a823da77ace463c2060d7e8aa8430416a67ee9254037
SSDEEP: 12288:RPfkp9tfoTrF3Z4mxxRSJGiz94/sCrxDVS:VuN2QmXIJG1BY
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (7 IoCs)
resource  yara_rule
behavioral2/memory/2804-87-0x0000000000400000-0x00000000004BF000-memory.dmp  modiloader_stage2
behavioral2/memory/2804-3-0x0000000000400000-0x00000000004BF000-memory.dmp  modiloader_stage2
behavioral2/memory/2752-93-0x0000000000400000-0x000000000046F000-memory.dmp  modiloader_stage2
behavioral2/memory/2752-96-0x0000000000400000-0x000000000046F000-memory.dmp  modiloader_stage2
behavioral2/memory/2752-97-0x0000000000400000-0x000000000046F000-memory.dmp  modiloader_stage2
behavioral2/memory/2752-98-0x0000000000400000-0x000000000046F000-memory.dmp  modiloader_stage2
behavioral2/memory/2752-101-0x0000000000400000-0x000000000046F000-memory.dmp  modiloader_stage2
Sets DLL path for service in the registry (2 TTPs, 1 IoCs)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\netrt\Parameters\ServiceDll = "C:\\Windows\\System32\\sysn.dll"  1c18011c2def0325b221efc7952112f9.exe
Loads dropped DLL (1 IoCs)
pid  Process
2752  svchost.exe
resource  yara_rule
behavioral2/memory/2752-93-0x0000000000400000-0x000000000046F000-memory.dmp  upx
behavioral2/memory/2752-96-0x0000000000400000-0x000000000046F000-memory.dmp  upx
behavioral2/memory/2752-97-0x0000000000400000-0x000000000046F000-memory.dmp  upx
behavioral2/memory/2752-98-0x0000000000400000-0x000000000046F000-memory.dmp  upx
behavioral2/memory/2752-101-0x0000000000400000-0x000000000046F000-memory.dmp  upx
Drops file in System32 directory (2 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\sysn.dll  1c18011c2def0325b221efc7952112f9.exe
File opened for modification  C:\Windows\SysWOW64\sysn.dll  1c18011c2def0325b221efc7952112f9.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description  pid  Process
Token: SeBackupPrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeBackupPrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Token: SeRestorePrivilege  2804  1c18011c2def0325b221efc7952112f9.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description  pid  Process  procid_target
PID 2804 wrote to memory of 2656  2804  1c18011c2def0325b221efc7952112f9.exe  93
PID 2804 wrote to memory of 2656  2804  1c18011c2def0325b221efc7952112f9.exe  93
PID 2804 wrote to memory of 2656  2804  1c18011c2def0325b221efc7952112f9.exe  93
Processes
C:\Users\Admin\AppData\Local\Temp\1c18011c2def0325b221efc7952112f9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\1c18011c2def0325b221efc7952112f9.exe"
  - Sets DLL path for service in the registry
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2804
    C:\Windows\SysWOW64\cmd.exe
      command line: cmd /c del "C:\Users\Admin\AppData\Local\Temp\1c18011c2def0325b221efc7952112f9.exe"
      PID: 2656
C:\Windows\SysWOW64\svchost.exe
  command line: C:\Windows\SysWOW64\svchost.exe -k network
  - Loads dropped DLL
  PID: 2752