Analysis
-
max time kernel
142s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
03/02/2024, 14:12
Static task
static1
Behavioral task
behavioral1
Sample
8c87b8613d433da6c8c69d7e5db0e1b9.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8c87b8613d433da6c8c69d7e5db0e1b9.exe
Resource
win10v2004-20231215-en
General
-
Target
8c87b8613d433da6c8c69d7e5db0e1b9.exe
-
Size
686KB
-
MD5
8c87b8613d433da6c8c69d7e5db0e1b9
-
SHA1
91b6ffeb1640c24858a6c984f11afd4aa2a34725
-
SHA256
e98f80c2687495eb2d2e2098d92d5dcaf6d90212c14f9d2cc0d9f64c9cd4861d
-
SHA512
7b6ecc92f3386e038868570b3017c62916d3b24b5447dbd22b7589a58414369550cda5fe5002d2af9422081418482e9f9e630dd11210841909d874b57cadbc6e
-
SSDEEP
12288:/0F7HMH/IyifhQiTCwKEywv+Ic51O/woQoaf5vwq7/YrdCFzKQ:/FH/7iGwPydIc/OY55v6dfQ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 5 IoCs
resource | yara_rule
behavioral1/memory/1048-20-0x0000000000400000-0x00000000004BD200-memory.dmp | modiloader_stage2
behavioral1/memory/1976-21-0x0000000001E30000-0x0000000001EEE000-memory.dmp | modiloader_stage2
behavioral1/memory/1976-36-0x0000000000400000-0x00000000004BD200-memory.dmp | modiloader_stage2
behavioral1/memory/1048-37-0x0000000000400000-0x00000000004BD200-memory.dmp | modiloader_stage2
behavioral1/memory/1976-49-0x0000000000400000-0x00000000004BD200-memory.dmp | modiloader_stage2
-
Deletes itself 1 IoCs
pid | Process
2268 | cmd.exe
-
Executes dropped EXE 1 IoCs
pid | Process
1048 | system_32.exe
-
Loads dropped DLL 5 IoCs
pid | Process
1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
2748 | WerFault.exe
2748 | WerFault.exe
2748 | WerFault.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\T: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\V: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\B: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\I: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\K: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\N: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\R: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\Y: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\W: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\G: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\H: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\M: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\S: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\U: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\P: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\Q: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\X: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\A: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\E: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\J: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\L: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\O: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened (read-only) | \??\Z: | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
-
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File created | C:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened for modification | C:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File created | F:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\_system_32.exe | system_32.exe
File opened for modification | C:\Windows\SysWOW64\_system_32.exe | system_32.exe
-
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1048 set thread context of 2708 | 1048 | system_32.exe | 29
-
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
-
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2748 | 1048 | WerFault.exe | 28
-
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target
PID 1976 wrote to memory of 1048 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 28
PID 1976 wrote to memory of 1048 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 28
PID 1976 wrote to memory of 1048 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 28
PID 1976 wrote to memory of 1048 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 28
PID 1048 wrote to memory of 2708 | 1048 | system_32.exe | 29
PID 1048 wrote to memory of 2708 | 1048 | system_32.exe | 29
PID 1048 wrote to memory of 2708 | 1048 | system_32.exe | 29
PID 1048 wrote to memory of 2708 | 1048 | system_32.exe | 29
PID 1048 wrote to memory of 2708 | 1048 | system_32.exe | 29
PID 1048 wrote to memory of 2708 | 1048 | system_32.exe | 29
PID 1048 wrote to memory of 2748 | 1048 | system_32.exe | 30
PID 1048 wrote to memory of 2748 | 1048 | system_32.exe | 30
PID 1048 wrote to memory of 2748 | 1048 | system_32.exe | 30
PID 1048 wrote to memory of 2748 | 1048 | system_32.exe | 30
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
PID 1976 wrote to memory of 2268 | 1976 | 8c87b8613d433da6c8c69d7e5db0e1b9.exe | 31
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\8c87b8613d433da6c8c69d7e5db0e1b9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8c87b8613d433da6c8c69d7e5db0e1b9.exe"
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1976
    [depth 2] C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe
        Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID:1048
        [depth 3] C:\Windows\SysWOW64\calc.exe
            Command line: "C:\Windows\system32\calc.exe"
            PID:2708
        [depth 3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 300
            - Loads dropped DLL
            - Program crash
            PID:2748
    [depth 2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
        - Deletes itself
        PID:2268
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
184B
MD5
8feab5be9206005614302013f3c0d0ce
SHA1
065000fac2570d00ccf048eebe0eb77a44c0fc98
SHA256
b3d5588d1dda66b0550878614958b4d1303c2c1a68a5eaed3e1ff28d45a3b623
SHA512
e3a7d83418f921ec21e3a7a004d9fa03629e29a9fbb54823d0b9ff03462f26e9de062784f9dd80dfb8c0b8edffeba73913f01fddd400218b13af751dce555bc4
-
Filesize
686KB
MD5
8c87b8613d433da6c8c69d7e5db0e1b9
SHA1
91b6ffeb1640c24858a6c984f11afd4aa2a34725
SHA256
e98f80c2687495eb2d2e2098d92d5dcaf6d90212c14f9d2cc0d9f64c9cd4861d
SHA512
7b6ecc92f3386e038868570b3017c62916d3b24b5447dbd22b7589a58414369550cda5fe5002d2af9422081418482e9f9e630dd11210841909d874b57cadbc6e