Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
- submitted: 31/01/2024, 09:56
Static task: static1
Behavioral task: behavioral1
- Sample: 841d1d706e5fda5a4c6c2f6c512c18c2.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 841d1d706e5fda5a4c6c2f6c512c18c2.exe
- Resource: win10v2004-20231215-en
General
- Target: 841d1d706e5fda5a4c6c2f6c512c18c2.exe
- Size: 493KB
- MD5: 841d1d706e5fda5a4c6c2f6c512c18c2
- SHA1: 1b5c9251c9f5bf24e7a014e20b4e710f17e4a540
- SHA256: dfcd8994628bee6d7f0aa4575047e01e3f8caf1a5cd126fe79f70fcf89e5a24b
- SHA512: 2ba25dba4f736c6f93d98eb12c99cbaaffb4c018f5fc6a8572e95eb95aa298964fd54b5d0a206d3894ebf054e37f67322f7d134ab3d7cc8ff2466664d1a9c1ee
- SSDEEP: 12288:6LagqJq0Dlep9o3LgVhJXhfRZafOMj2jZGshfOuG:6LadlUvrR1V2uG
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral2/memory/4812-13-0x0000000000400000-0x00000000005D4000-memory.dmp | modiloader_stage2
behavioral2/memory/2296-15-0x0000000000400000-0x00000000005D4000-memory.dmp | modiloader_stage2
-
Executes dropped EXE (1 IoC)
pid | Process
4812 | rejoice51.exe
-
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\_rejoice51.exe | rejoice51.exe
File created | C:\Windows\SysWOW64\_rejoice51.exe | rejoice51.exe
-
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe | 841d1d706e5fda5a4c6c2f6c512c18c2.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat | 841d1d706e5fda5a4c6c2f6c512c18c2.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe | 841d1d706e5fda5a4c6c2f6c512c18c2.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2296 wrote to memory of 4812 | 2296 | 841d1d706e5fda5a4c6c2f6c512c18c2.exe | 86
PID 2296 wrote to memory of 4812 | 2296 | 841d1d706e5fda5a4c6c2f6c512c18c2.exe | 86
PID 2296 wrote to memory of 4812 | 2296 | 841d1d706e5fda5a4c6c2f6c512c18c2.exe | 86
PID 4812 wrote to memory of 3996 | 4812 | rejoice51.exe | 87
PID 4812 wrote to memory of 3996 | 4812 | rejoice51.exe | 87
PID 2296 wrote to memory of 4708 | 2296 | 841d1d706e5fda5a4c6c2f6c512c18c2.exe | 88
PID 2296 wrote to memory of 4708 | 2296 | 841d1d706e5fda5a4c6c2f6c512c18c2.exe | 88
PID 2296 wrote to memory of 4708 | 2296 | 841d1d706e5fda5a4c6c2f6c512c18c2.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\841d1d706e5fda5a4c6c2f6c512c18c2.exe"
  PID: 2296
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe (child of PID 2296)
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice51.exe"
    PID: 4812
    Signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    - C:\program files\internet explorer\IEXPLORE.EXE (child of PID 4812)
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 3996
  - C:\Windows\SysWOW64\cmd.exe (child of PID 2296)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\Delet.bat""
    PID: 4708
Network
MITRE ATT&CK Matrix
Downloads