Analysis
- max time kernel: 141s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 31/01/2024, 09:56
Static task: static1
Behavioral task: behavioral1
  Sample: 841d1d706e5fda5a4c6c2f6c512c18c2.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 841d1d706e5fda5a4c6c2f6c512c18c2.exe
  Resource: win10v2004-20231215-en
General
- Target: 841d1d706e5fda5a4c6c2f6c512c18c2.exe
- Size: 493KB
- MD5: 841d1d706e5fda5a4c6c2f6c512c18c2
- SHA1: 1b5c9251c9f5bf24e7a014e20b4e710f17e4a540
- SHA256: dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b
- SHA512: 2ba25dba4f736c6f93d98eb12c99cbaaffb4c018f5fc6a8572e95eb95aa298964fd54b5d0a206d3894ebf054e37f67322f7d134ab3d7cc8ff2466664d1a9c1ee
- SSDEEP: 12288:6LagqJq0Dlep9o3LgVhJXhfRZafOMj2jZGshfOuG:6LadlUvrR1V2uG
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2868-22-0x0000000000400000-0x00000000005D4000-memory.dmp  modiloader_stage2
  behavioral1/memory/496-23-0x0000000000400000-0x00000000005D4000-memory.dmp   modiloader_stage2
  behavioral1/memory/2868-35-0x0000000000400000-0x00000000005D4000-memory.dmp  modiloader_stage2
- Deletes itself (1 IoC)
  pid   Process
  2832  cmd.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  496   rejoice51.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe
  2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe
  404   WerFault.exe
  404   WerFault.exe
  404   WerFault.exe
- Drops file in System32 directory (2 IoCs)
  description                   ioc                                 Process
  File created                  C:\Windows\SysWOW64\_rejoice51.exe  rejoice51.exe
  File opened for modification  C:\Windows\SysWOW64\_rejoice51.exe  rejoice51.exe
- Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                                   Process
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe  841d1d706e5fda5a4c6c2f6c512c18c2.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe  841d1d706e5fda5a4c6c2f6c512c18c2.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat      841d1d706e5fda5a4c6c2f6c512c18c2.exe
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  404   496         WerFault.exe  28
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   Process                               procid_target
  PID 2868 wrote to memory of 496   2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  28
  PID 2868 wrote to memory of 496   2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  28
  PID 2868 wrote to memory of 496   2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  28
  PID 2868 wrote to memory of 496   2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  28
  PID 496 wrote to memory of 404    496   rejoice51.exe                         29
  PID 496 wrote to memory of 404    496   rejoice51.exe                         29
  PID 496 wrote to memory of 404    496   rejoice51.exe                         29
  PID 496 wrote to memory of 404    496   rejoice51.exe                         29
  PID 2868 wrote to memory of 2832  2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  30
  PID 2868 wrote to memory of 2832  2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  30
  PID 2868 wrote to memory of 2832  2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  30
  PID 2868 wrote to memory of 2832  2868  841d1d706e5fda5a4c6c2f6c512c18c2.exe  30
Processes
- C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe"
  Depth 1, PID 2868
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe"
    Depth 2, PID 496
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 288
      Depth 3, PID 404
      - Loads dropped DLL
      - Program crash
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
    Depth 2, PID 2832
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 373KB
  MD5: e755b4825a2b62a35cd43fd43c86d9da
  SHA1: c830b672aac2b12cb97517bfd939fa5745711f01
  SHA256: 4794f0173154c712e0c3546523f1bb8f2c8718fe1a44606a8d0336122025ff1f
  SHA512: 60a82a21229b216b5b07017448a84b34215f9762ee39c2ca99eae1c3986a1cd325b8ba29ce8ae244dc1a936aaff8629034c612bfa745d30770f536103e3f9214
- Filesize: 184B
  MD5: 06c202ea021eb56220e615e2b21bafc2
  SHA1: 93dbc14d2d9b79e7c244bd8072c4d7729cd0283f
  SHA256: 8489c4e58aa775d4c810a558a87280a2059ae749e0c3cf3d5df40b0ae637f3dd
  SHA512: f572d7de7699ba199b6ab85fc2ae5839624c72694de54eae166745050fbe4d705a33273c6908db3175a8b40e0eec01026fa16a972e213d1fba9b25ddc11a3180
- Filesize: 433KB
  MD5: ad371df1f3d46ad9b1aab8e03d3ec64a
  SHA1: 8e5bffa7287b21e2d030ecd19ca23a630335efe9
  SHA256: f1dbef6d6bb557e16c74c66fa333c6506441819f14990286e65adb04ec812ae8
  SHA512: ddd60412108803c358429ad3f5d213d4b4ece186b79f8485d770a7373bdb139ceccd14db80660b3b2c72a22502db0b5538d34ee6b75368ca30fca69a58359e6b
- Filesize: 448KB
  MD5: b13ecb3b61bb6f67032e2fc73b590fb9
  SHA1: e43f0d99de0918509f3ca4d5a76b587132ce4f4b
  SHA256: be3e1dd31c7e6d4d15cf54ffbff075dde201fd6ffcc66febeb231578c06978dd
  SHA512: 9c954d5d9083f4cfda876db28e5382397a479c675bbd9742ec562b54c25fc55e1fdca713633e70e9f4f7e9892c0e981eba69649c512f1ee02364ed36558b20f2
- Filesize: 306KB
  MD5: d89cb9a7358663bca4d4463fa725f6d7
  SHA1: a626d0c513c7be3c5a6800d6a662eb41cbb7b33e
  SHA256: 759c1218366e30b37451574781cfcced60fbb7eec9b4266b474c037ae8951d10
  SHA512: 2375a6a4f0cc8276960caf044c47b93de47a10391758ce8e67c1da23247dd56d35b63fba3f8fb1bc07113bdf672e2141b1937c0bb34ccc60414af79605017b73
- Filesize: 359KB
  MD5: 23f014ee5d6dd2064293093f0c47adc2
  SHA1: 0588e028ed9a495ec95b36fdb07bfc53c0983c63
  SHA256: 5ee5f62591ca30dd4bf594c4086daa8fbe9a96ab062ffab1883ef01f6dc605f3
  SHA512: 40f07b52b901bcbde9bd647683b9b466f7f6314c1491a14018c1af004b7eaf99e67acaed0efe24ab0f4db55da5962ca14e7223924c7bc67096ae4daee2d675c8
- Filesize: 403KB
  MD5: f0d678bc6582e5e78b6df6429036b2c7
  SHA1: 2ac3fac6227676f705d876e88a30a6cff07dd886
  SHA256: 43bb3847d25ff8175ca5a4e32386be6a5a5ff59a3aaebec71baa3e3f8766c56f
  SHA512: 101b7e778c44ca2ee056c29298613b52289354f77cace877c978ee11e0635285bd19d363270fde78dc70eae6ccb6412626ed7467f53c29ec5a9fcb245c9ba97b
- Filesize: 493KB
  MD5: 841d1d706e5fda5a4c6c2f6c512c18c2
  SHA1: 1b5c9251c9f5bf24e7a014e20b4e710f17e4a540
  SHA256: dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b
  SHA512: 2ba25dba4f736c6f93d98eb12c99cbaaffb4c018f5fc6a8572e95eb95aa298964fd54b5d0a206d3894ebf054e37f67322f7d134ab3d7cc8ff2466664d1a9c1ee