Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 22:29
Static task: static1
Behavioral task: behavioral1
  Sample: 8d83768b151d2efde1fc4692e39b4a41.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8d83768b151d2efde1fc4692e39b4a41.exe
  Resource: win10v2004-20231215-en
General
Target: 8d83768b151d2efde1fc4692e39b4a41.exe
Size: 609KB
MD5: 8d83768b151d2efde1fc4692e39b4a41
SHA1: 0b628b91474e43b17fa32ddb0a489b0050c8c730
SHA256: 40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b
SHA512: 8bc1bf8067409172668639a6587164f0af2beed9254b647b96627dba5f2817f2134fccd2682d13949ba415922074ff8b1ad1c760617579db010562c69d5b498b
SSDEEP: 12288:uP0E0cVS+vHV6toWuOhbRuo4QF3Z4mxxG0MHoTAFbv:/u/Hst7hUopQmXGK8
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
resource                                                                        yara_rule
behavioral1/memory/2372-97-0x0000000000400000-0x000000000056D000-memory.dmp     modiloader_stage2
behavioral1/memory/2492-89-0x0000000000400000-0x000000000056D000-memory.dmp     modiloader_stage2

Deletes itself (1 IoC)
pid   Process
1532  cmd.exe

Executes dropped EXE (1 IoC)
pid   Process
2492  Indxiwg.exe

Loads dropped DLL (2 IoCs)
pid   Process
2372  8d83768b151d2efde1fc4692e39b4a41.exe
2372  8d83768b151d2efde1fc4692e39b4a41.exe

Drops file in System32 directory (4 IoCs)
description                   ioc                                Process
File created                  C:\Windows\SysWOW64\Indxiwg.exe    8d83768b151d2efde1fc4692e39b4a41.exe
File opened for modification  C:\Windows\SysWOW64\Indxiwg.exe    8d83768b151d2efde1fc4692e39b4a41.exe
File opened for modification  C:\Windows\SysWOW64\Indxiwg.exe    Indxiwg.exe
File created                  C:\Windows\SysWOW64\Deleteme.bat   8d83768b151d2efde1fc4692e39b4a41.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                          pid   Process                               procid_target
PID 2372 wrote to memory of 2492     2372  8d83768b151d2efde1fc4692e39b4a41.exe  30
PID 2372 wrote to memory of 2492     2372  8d83768b151d2efde1fc4692e39b4a41.exe  30
PID 2372 wrote to memory of 2492     2372  8d83768b151d2efde1fc4692e39b4a41.exe  30
PID 2372 wrote to memory of 2492     2372  8d83768b151d2efde1fc4692e39b4a41.exe  30
PID 2372 wrote to memory of 1532     2372  8d83768b151d2efde1fc4692e39b4a41.exe  28
PID 2372 wrote to memory of 1532     2372  8d83768b151d2efde1fc4692e39b4a41.exe  28
PID 2372 wrote to memory of 1532     2372  8d83768b151d2efde1fc4692e39b4a41.exe  28
PID 2372 wrote to memory of 1532     2372  8d83768b151d2efde1fc4692e39b4a41.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe
command line: "C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID: 2372
  C:\Windows\SysWOW64\cmd.exe
  command line: cmd /c C:\Windows\system32\Deleteme.bat
  - Deletes itself
  PID: 1532
  C:\Windows\SysWOW64\Indxiwg.exe
  command line: C:\Windows\system32\Indxiwg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  PID: 2492
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 184B
MD5: 76548ddbf2a885b58278b53bb642c3e2
SHA1: 92fc8f271f6c18835a75b54510bba05dddb49cd6
SHA256: 092b5bffbb0210d17ba551a0aa234f264e4b72842e5e97bd55e33e6e141f5b7c
SHA512: 40820c5e2f9016fccd37832e4ee4f47fa55eead773624af548d8ddd7d0bea9cc006aa7ccb6723c4beb456c25585e58bf4b0af1a8319474f5ddbfe1f42729dbe0

Filesize: 94KB
MD5: 67b69e93a7b3aa33a74afbbf52dbf61f
SHA1: ce48b01e35245f992a41fd9edc2384a159ddfe71
SHA256: b6db83a0eef8a818af352d62d68004aeb954a1e84c92e625194316e7a6cc3174
SHA512: 8d299bdc6e6715696a845c70536b52103e07a5abb4589a4c9ab445e8986fb2c714c06e5036308e323deb28a365c095e0c63683322b8b45f4dd2d4c2eaeedd13e

Filesize: 191KB
MD5: 877b95a76cdeae4d04b7985bc2cc68e6
SHA1: 4a66c330a47dce3fcc16bb7ec3ed8a7372bb4b65
SHA256: e3d5e614880e25d4d3e418759f0d7524adbbda836748c7416d05796c57cc14d7
SHA512: 60c4aaf84615aeaec832a7df314a71818a3dca449c22c3ad6e8b6e4bbc16822e3738443765f5f653de32eafe0f58129c7d36a0c8410d8620ee25a8916d58a90a

Filesize: 216KB
MD5: 3260fe7e4ec7774e2e7f463595fd2fb0
SHA1: f5d496f9bb2852e835b68cc371a0de9bd4a7c678
SHA256: defbb067dad94cc0b2d17d4c984d8cc89eb6daeeb124f4d3573f8c7524745ec7
SHA512: f3b87a26cbe44df551c40289b27d06d15b2a3a2561aeb36e87d3fcf9f93b69474a2f6950080fae5837f19495f95daa42d93e13092f6d8ecead9bc3ca28a893eb

Filesize: 170KB
MD5: bd99b69ba8724cb226ac3dbf45a7d9cf
SHA1: 005cafa03a5ab7c643f0c8f9fbb8c2cdfa69e7d7
SHA256: 1728a0c1ae715633f9897f141693ea434b2707558815b340c2635a5d6aae90aa
SHA512: a1cca13157d95920db3f33206697e1f75e7b1fb4a3a2192a2884e71a94ef02c518ed1e6d63926b8636d45f627018f9ac334bb09f86c026e42f554ba89100423b

Filesize: 238KB
MD5: b0625ddf9b8185708a9f883c36d97ef3
SHA1: 0d0296e441a6ef9818b6661cbff108c0ec3d2e12
SHA256: 065ba6ba92ced1029dd72881565fbcfcd6256b52aaea77a4848ba08b2c01ea75
SHA512: c520e9d09ef5eb178cfecd48a1ada1b30ef922fbe872f6bfb7da799629ca49a7de4074f64d059856752af15bb466c56c1a1fc23ecf7014801b5bef1e31795680