Analysis

  • max time kernel
    93s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2024, 14:12

General

  • Target

    8c87b8613d433da6c8c69d7e5db0e1b9.exe

  • Size

    686KB

  • MD5

    8c87b8613d433da6c8c69d7e5db0e1b9

  • SHA1

    91b6ffeb1640c24858a6c984f11afd4aa2a34725

  • SHA256

    e98f80c2687495eb2d2e2098d92d5dcaf6d90212c14f9d2cc0d9f64c9cd4861d

  • SHA512

    7b6ecc92f3386e038868570b3017c62916d3b24b5447dbd22b7589a58414369550cda5fe5002d2af9422081418482e9f9e630dd11210841909d874b57cadbc6e

  • SSDEEP

    12288:/0F7HMH/IyifhQiTCwKEywv+Ic51O/woQoaf5vwq7/YrdCFzKQ:/FH/7iGwPydIc/OY55v6dfQ

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c87b8613d433da6c8c69d7e5db0e1b9.exe
    "C:\Users\Admin\AppData\Local\Temp\8c87b8613d433da6c8c69d7e5db0e1b9.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\program files\internet explorer\IEXPLORE.EXE
        "C:\program files\internet explorer\IEXPLORE.EXE"
        3⤵
          PID:4300
        • C:\Windows\SysWOW64\calc.exe
          "C:\Windows\system32\calc.exe"
          3⤵
            PID:748
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 12
              4⤵
              • Program crash
              PID:2768
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
          2⤵
            PID:3016
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 748 -ip 748
          1⤵
            PID:960

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat

                  Filesize

                  184B

                  MD5

                  8feab5be9206005614302013f3c0d0ce

                  SHA1

                  065000fac2570d00ccf048eebe0eb77a44c0fc98

                  SHA256

                  b3d5588d1dda66b0550878614958b4d1303c2c1a68a5eaed3e1ff28d45a3b623

                  SHA512

                  e3a7d83418f921ec21e3a7a004d9fa03629e29a9fbb54823d0b9ff03462f26e9de062784f9dd80dfb8c0b8edffeba73913f01fddd400218b13af751dce555bc4

                • C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe

                  Filesize

                  638KB

                  MD5

                  0e196dd92940e4d4a852373858dd23ae

                  SHA1

                  0b156e6fc05f17a99a3ec2732829a08a1d2967d8

                  SHA256

                  30175f57813d6873d24b0ba1e9108e0ed0d7395fc24793023c0a5aac9cf94042

                  SHA512

                  e3c962d1458026971093309af29dc820d748fbc93f8fa3662a262e9be2ccd079f35f231e63102c775b386a1fcb8fa11eabae1a54637cac8421d93b01b48e1ee8

                • F:\system_32.exe

                  Filesize

                  686KB

                  MD5

                  8c87b8613d433da6c8c69d7e5db0e1b9

                  SHA1

                  91b6ffeb1640c24858a6c984f11afd4aa2a34725

                  SHA256

                  e98f80c2687495eb2d2e2098d92d5dcaf6d90212c14f9d2cc0d9f64c9cd4861d

                  SHA512

                  7b6ecc92f3386e038868570b3017c62916d3b24b5447dbd22b7589a58414369550cda5fe5002d2af9422081418482e9f9e630dd11210841909d874b57cadbc6e

                • memory/748-18-0x0000000000400000-0x00000000004BE000-memory.dmp

                  Filesize

                  760KB

                • memory/4760-15-0x0000000002030000-0x0000000002031000-memory.dmp

                  Filesize

                  4KB

                • memory/4760-20-0x0000000000400000-0x00000000004BD200-memory.dmp

                  Filesize

                  756KB

                • memory/4908-0-0x0000000000400000-0x00000000004BD200-memory.dmp

                  Filesize

                  756KB

                • memory/4908-9-0x0000000002350000-0x0000000002351000-memory.dmp

                  Filesize

                  4KB

                • memory/4908-24-0x0000000000400000-0x00000000004BD200-memory.dmp

                  Filesize

                  756KB