Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 22:29

General

  • Target

    8d83768b151d2efde1fc4692e39b4a41.exe

  • Size

    609KB

  • MD5

    8d83768b151d2efde1fc4692e39b4a41

  • SHA1

    0b628b91474e43b17fa32ddb0a489b0050c8c730

  • SHA256

    40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b

  • SHA512

    8bc1bf8067409172668639a6587164f0af2beed9254b647b96627dba5f2817f2134fccd2682d13949ba415922074ff8b1ad1c760617579db010562c69d5b498b

  • SSDEEP

    12288:uP0E0cVS+vHV6toWuOhbRuo4QF3Z4mxxG0MHoTAFbv:/u/Hst7hUopQmXGK8

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe
    "C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 324
      2⤵
      • Program crash
      PID:4436
    • C:\Windows\SysWOW64\Indxiwg.exe
      C:\Windows\system32\Indxiwg.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:4476
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 324
        3⤵
        • Program crash
        PID:4860
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
      2⤵
        PID:4572
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3592 -ip 3592
      1⤵
        PID:3172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4476 -ip 4476
        1⤵
          PID:3128

        Network

              MITRE ATT&CK Matrix

              Downloads

              • C:\Windows\SysWOW64\Deleteme.bat

                Filesize

                184B

                MD5

                76548ddbf2a885b58278b53bb642c3e2

                SHA1

                92fc8f271f6c18835a75b54510bba05dddb49cd6

                SHA256

                092b5bffbb0210d17ba551a0aa234f264e4b72842e5e97bd55e33e6e141f5b7c

                SHA512

                40820c5e2f9016fccd37832e4ee4f47fa55eead773624af548d8ddd7d0bea9cc006aa7ccb6723c4beb456c25585e58bf4b0af1a8319474f5ddbfe1f42729dbe0

              • C:\Windows\SysWOW64\Indxiwg.exe

                Filesize

                609KB

                MD5

                8d83768b151d2efde1fc4692e39b4a41

                SHA1

                0b628b91474e43b17fa32ddb0a489b0050c8c730

                SHA256

                40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b

                SHA512

                8bc1bf8067409172668639a6587164f0af2beed9254b647b96627dba5f2817f2134fccd2682d13949ba415922074ff8b1ad1c760617579db010562c69d5b498b

              • memory/3592-7-0x0000000002470000-0x0000000002471000-memory.dmp

                Filesize

                4KB

              • memory/3592-8-0x0000000002450000-0x0000000002451000-memory.dmp

                Filesize

                4KB

              • memory/3592-3-0x0000000002420000-0x0000000002421000-memory.dmp

                Filesize

                4KB

              • memory/3592-14-0x00000000024A0000-0x00000000024A1000-memory.dmp

                Filesize

                4KB

              • memory/3592-13-0x00000000023E0000-0x00000000023E1000-memory.dmp

                Filesize

                4KB

              • memory/3592-12-0x00000000033E0000-0x00000000033E1000-memory.dmp

                Filesize

                4KB

              • memory/3592-11-0x00000000033F0000-0x00000000033F1000-memory.dmp

                Filesize

                4KB

              • memory/3592-10-0x0000000002410000-0x0000000002411000-memory.dmp

                Filesize

                4KB

              • memory/3592-9-0x0000000002490000-0x0000000002491000-memory.dmp

                Filesize

                4KB

              • memory/3592-31-0x0000000000A30000-0x0000000000A84000-memory.dmp

                Filesize

                336KB

              • memory/3592-0-0x0000000000400000-0x000000000056D000-memory.dmp

                Filesize

                1.4MB

              • memory/3592-15-0x0000000002550000-0x0000000002551000-memory.dmp

                Filesize

                4KB

              • memory/3592-5-0x0000000002400000-0x0000000002401000-memory.dmp

                Filesize

                4KB

              • memory/3592-18-0x0000000002600000-0x0000000002601000-memory.dmp

                Filesize

                4KB

              • memory/3592-6-0x00000000023F0000-0x00000000023F1000-memory.dmp

                Filesize

                4KB

              • memory/3592-2-0x0000000002440000-0x0000000002441000-memory.dmp

                Filesize

                4KB

              • memory/3592-1-0x0000000000A30000-0x0000000000A84000-memory.dmp

                Filesize

                336KB

              • memory/3592-28-0x0000000000400000-0x000000000056D000-memory.dmp

                Filesize

                1.4MB

              • memory/3592-27-0x0000000000400000-0x000000000056D000-memory.dmp

                Filesize

                1.4MB

              • memory/3592-4-0x0000000002480000-0x0000000002481000-memory.dmp

                Filesize

                4KB

              • memory/4476-29-0x0000000000A80000-0x0000000000AD4000-memory.dmp

                Filesize

                336KB

              • memory/4476-24-0x0000000000400000-0x000000000056D000-memory.dmp

                Filesize

                1.4MB

              • memory/4476-23-0x0000000000A80000-0x0000000000AD4000-memory.dmp

                Filesize

                336KB

              • memory/4476-30-0x0000000002600000-0x0000000002601000-memory.dmp

                Filesize

                4KB

              • memory/4476-22-0x0000000000400000-0x000000000056D000-memory.dmp

                Filesize

                1.4MB