Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 17:22
Static task: static1
Behavioral task: behavioral1
  Sample: 7514ae16c869ca1fdad24668a7afe6bc.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 7514ae16c869ca1fdad24668a7afe6bc.exe
  Resource: win10v2004-20231215-en
General
- Target: 7514ae16c869ca1fdad24668a7afe6bc.exe
- Size: 24KB
- MD5: 7514ae16c869ca1fdad24668a7afe6bc
- SHA1: 5b0ba3538c2b7d0c21ee7f57212751919b61658b
- SHA256: bd3044d198f2ae306261418645298d5aa9ca1a5475911c5f7556384735b86d51
- SHA512: 8780176de32148c2ba4c80c6f5ed19818a462ae70bc8e69c4b9135318456af9dd360294b06cec2ea336f686d311fa397e8ad2c5384c183def27a15974714204b
- SSDEEP: 384:i3pJzu/RQ+mLyvXYu5+z0Y3wqahHcgPh6RuIkTTdSk4/MmlFOUlv1Hx+mGXO:KupC2/kzwzPsRun8k4/MmlFOEtS+
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2808-14-0x0000000000400000-0x0000000000422000-memory.dmp | modiloader_stage2
  behavioral2/memory/3188-17-0x0000000000400000-0x0000000000422000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | process
  3188 | kulionzx.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  3188 | kulionzx.exe
  3188 | kulionzx.exe
- Drops file in Windows directory (5 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\kulionzx.exe | 7514ae16c869ca1fdad24668a7afe6bc.exe
  File created | C:\Windows\kulionzx.dll | kulionzx.exe
  File created | C:\Windows\kulionzx.exe | kulionzx.exe
  File created | C:\Windows\kulionzx.dll | 7514ae16c869ca1fdad24668a7afe6bc.exe
  File created | C:\Windows\kulionzx.exe | 7514ae16c869ca1fdad24668a7afe6bc.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  3188 | kulionzx.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 2808 wrote to memory of 3188 | 2808 | 7514ae16c869ca1fdad24668a7afe6bc.exe | kulionzx.exe
  PID 2808 wrote to memory of 3188 | 2808 | 7514ae16c869ca1fdad24668a7afe6bc.exe | kulionzx.exe
  PID 2808 wrote to memory of 3188 | 2808 | 7514ae16c869ca1fdad24668a7afe6bc.exe | kulionzx.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7514ae16c869ca1fdad24668a7afe6bc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7514ae16c869ca1fdad24668a7afe6bc.exe"
  PID: 2808
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\kulionzx.exe (child of PID 2808)
    Command line: C:\Windows\kulionzx.exe
    PID: 3188
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\kulionzx.dll
  Filesize: 27KB
  MD5: ea888177ae32de781a3635b90184dabf
  SHA1: 6f50e6a3778235f21c28518a0f16613b77b7d277
  SHA256: 6f370807a395d00021e7d7f1232d59b151713a59cc76a190f97d831fd6cbf9f8
  SHA512: 630a16d5a67893fcf7341cb5718e547cd2576e156f6860fe7f5bda1aed9a710131cb0b17bd044c938028dfe1a831603d5978019b7667678a86c2e0987808ea1c
- C:\Windows\kulionzx.exe
  Filesize: 24KB
  MD5: 7514ae16c869ca1fdad24668a7afe6bc
  SHA1: 5b0ba3538c2b7d0c21ee7f57212751919b61658b
  SHA256: bd3044d198f2ae306261418645298d5aa9ca1a5475911c5f7556384735b86d51
  SHA512: 8780176de32148c2ba4c80c6f5ed19818a462ae70bc8e69c4b9135318456af9dd360294b06cec2ea336f686d311fa397e8ad2c5384c183def27a15974714204b
- memory/2808-0-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB
- memory/2808-14-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB
- memory/3188-11-0x0000000002030000-0x000000000203D000-memory.dmp
  Filesize: 52KB
- memory/3188-15-0x0000000002030000-0x000000000203D000-memory.dmp
  Filesize: 52KB
- memory/3188-17-0x0000000000400000-0x0000000000422000-memory.dmp
  Filesize: 136KB