Analysis
max time kernel: 93s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 14:12
Static task: static1
Behavioral task: behavioral1
  Sample: 8c87b8613d433da6c8c69d7e5db0e1b9.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8c87b8613d433da6c8c69d7e5db0e1b9.exe
  Resource: win10v2004-20231215-en
This page shows the behavioral2 run (win10v2004-20231215-en, x64); the memory-dump yara hits below are tagged behavioral2 accordingly.
General
Target: 8c87b8613d433da6c8c69d7e5db0e1b9.exe
Size: 686KB
MD5: 8c87b8613d433da6c8c69d7e5db0e1b9
SHA1: 91b6ffeb1640c24858a6c984f11afd4aa2a34725
SHA256: e98f80c2687495eb2d2e2098d92d5dcaf6d90212c14f9d2cc0d9f64c9cd4861d
SHA512: 7b6ecc92f3386e038868570b3017c62916d3b24b5447dbd22b7589a58414369550cda5fe5002d2af9422081418482e9f9e630dd11210841909d874b57cadbc6e
SSDEEP: 12288:/0F7HMH/IyifhQiTCwKEywv+Ic51O/woQoaf5vwq7/YrdCFzKQ:/FH/7iGwPydIc/OY55v6dfQ
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral2/memory/4760-20-0x0000000000400000-0x00000000004BD200-memory.dmp | modiloader_stage2
behavioral2/memory/4908-24-0x0000000000400000-0x00000000004BD200-memory.dmp | modiloader_stage2
The rule fired on the main image region (base 0x400000) of both the submitted sample (PID 4908) and the dropped copy system_32.exe (PID 4760).
Executes dropped EXE (1 IoC)
pid | Process
4760 | system_32.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by 8c87b8613d433da6c8c69d7e5db0e1b9.exe, one IoC per drive letter: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter except C:, D: and F:).
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows AutoRun to spread further via attached volumes.
description | ioc | Process
File created | C:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened for modification | C:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File created | F:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened for modification | F:\AutoRun.inf | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
Caveat for triage: since Windows 7 (and KB971029 on older versions) Windows honours AutoRun.inf only on optical media, so this vector only spreads to unpatched or legacy hosts; the file is still a reliable indicator that the sample tries to propagate via attached volumes. The report does not show the content of the dropped AutoRun.inf.
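When a dropper writes AutoRun.inf to every volume root it can reach, the next triage step is to pull that file from the sandbox and see what it launches. The Python below is an added example, not part of this report or of Triage's tooling: the AutoRun.inf content is constructed to resemble what a self-copying dropper would write (the report only records that C:\AutoRun.inf and F:\AutoRun.inf were created, not their content), and the key lists and the "looks_like_worm" heuristic are this script's own assumptions. The parser deliberately tolerates NUL padding and junk lines, which malicious AutoRun.inf files use to break naive INI parsers.

```python
"""Check an AutoRun.inf recovered from a volume root for launch directives.

Added example, not part of the original sandbox report. The file content
below is constructed; it is not the sample's real AutoRun.inf.
"""

# [autorun] keys that execute a program when the volume is opened or AutoPlayed
# (assumed set for this example; the shell\...\command keys are matched by pattern).
LAUNCH_KEYS = {"open", "shellexecute"}
# [autorun] keys used only to make the volume look like a harmless folder.
DISGUISE_KEYS = {"icon", "label", "action", "useautoplay"}

# Constructed sample: every launch key points at the dropped system_32.exe,
# plus a folder icon and "open folder" text, with NUL/junk padding in between.
CONSTRUCTED_AUTORUN_INF = b"""\
[AutoRun]
open=system_32.exe
shellexecute=system_32.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
\x00\x00padding with no separator\x00
shell\\open\\command=system_32.exe
shell\\explore\\command=system_32.exe
"""


def parse_autorun_inf(data):
    """Return {section: [(key, value), ...]} with section and key names lower-cased.

    Skips NUL bytes, blank/comment lines and lines without '=', the padding
    tricks commonly seen in malicious AutoRun.inf files.
    """
    text = data.decode("latin-1").replace("\x00", "")
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_target(value):
    """First token of a launch directive: the program that would be executed."""
    value = value.strip()
    if value.startswith('"') and '"' in value[1:]:
        return value[1:value.index('"', 1)].lower()
    return value.split()[0].lower() if value else ""


def autorun_findings(data):
    """Classify the [autorun] directives and list the executables they launch."""
    autorun = parse_autorun_inf(data).get("autorun", [])
    launches, disguise = [], []
    for key, value in autorun:
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_shell_cmd:
            launches.append((key, value))
        elif key in DISGUISE_KEYS:
            disguise.append((key, value))
    targets = sorted({launch_target(v) for _, v in launches if v})
    return {
        "launches": launches,
        "disguise": disguise,
        "targets": targets,
        # Heuristic (assumption): one executable behind every launch key plus
        # folder-disguise keys is the classic removable-media worm pattern.
        "looks_like_worm": len(targets) == 1 and bool(disguise),
    }


if __name__ == "__main__":
    for k, v in autorun_findings(CONSTRUCTED_AUTORUN_INF).items():
        print(f"{k}: {v}")
```

The executables named under "targets" are the files to hash and compare against the dropped-file list; here the constructed file points at system_32.exe, the same name the sample drops under Program Files.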
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\_system_32.exe | system_32.exe
File opened for modification | C:\Windows\SysWOW64\_system_32.exe | system_32.exe
The SysWOW64 path is WoW64 file-system redirection: the 32-bit system_32.exe writes to what it sees as C:\Windows\System32 on this x64 image.
Suspicious use of SetThreadContext (1 IoC)
PID 4760 (system_32.exe) set thread context of PID 748 (calc.exe, procid_target 87).
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat | 8c87b8613d433da6c8c69d7e5db0e1b9.exe
Program crash (1 IoC)
PID 2768 (WerFault.exe) handled the crash of PID 748 (calc.exe, procid_target 87).
Caveat: PID 748 is the calc.exe instance that system_32.exe wrote to and whose thread context it replaced, so whatever was injected into it did not run to completion on this image; network and later-stage behaviour in this run may be incomplete for that reason.
Suspicious use of WriteProcessMemory (13 IoCs)
source PID (Process) | target PID | procid_target | records
4908 (8c87b8613d433da6c8c69d7e5db0e1b9.exe) | 4760 | 84 | 3
4760 (system_32.exe) | 748 | 87 | 5
4760 (system_32.exe) | 4300 | 85 | 2
4908 (8c87b8613d433da6c8c69d7e5db0e1b9.exe) | 3016 | 88 | 3
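The WriteProcessMemory and SetThreadContext records above are the raw material for spotting process hollowing, but not every write is injection: a parent writing into a child it has just created is normal CreateProcess behaviour, which is why the IEXPLORE.EXE and cmd.exe edges also appear. The distinguishing signal is a process that both writes into another process and replaces that process's thread context. The Python below is an added example, not part of this report or of Triage: the record lines are copied from the two signature tables and the crash entry, the PID-to-image map is taken from the process tree, and the verdict strings are this script's own labels.

```python
"""Reconstruct the injection chain from a sandbox report's WriteProcessMemory,
SetThreadContext and crash records and flag process-hollowing candidates.

Added example, not part of the original report. Records and the pid -> image
map are transcribed from the report; the verdict labels are this script's.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree (pid -> image name).
PROCESS_IMAGES = {
    4908: "8c87b8613d433da6c8c69d7e5db0e1b9.exe",
    4760: "system_32.exe",
    4300: "IEXPLORE.EXE",
    748: "calc.exe",
    2768: "WerFault.exe",
    3016: "cmd.exe",
    960: "WerFault.exe",
}

# One record per line, in the form the report prints them (transcribed copy).
SANDBOX_RECORDS = """\
PID 4908 wrote to memory of 4760 4908 8c87b8613d433da6c8c69d7e5db0e1b9.exe 84
PID 4908 wrote to memory of 4760 4908 8c87b8613d433da6c8c69d7e5db0e1b9.exe 84
PID 4908 wrote to memory of 4760 4908 8c87b8613d433da6c8c69d7e5db0e1b9.exe 84
PID 4760 wrote to memory of 748 4760 system_32.exe 87
PID 4760 wrote to memory of 748 4760 system_32.exe 87
PID 4760 wrote to memory of 748 4760 system_32.exe 87
PID 4760 wrote to memory of 748 4760 system_32.exe 87
PID 4760 wrote to memory of 748 4760 system_32.exe 87
PID 4760 wrote to memory of 4300 4760 system_32.exe 85
PID 4760 wrote to memory of 4300 4760 system_32.exe 85
PID 4908 wrote to memory of 3016 4908 8c87b8613d433da6c8c69d7e5db0e1b9.exe 88
PID 4908 wrote to memory of 3016 4908 8c87b8613d433da6c8c69d7e5db0e1b9.exe 88
PID 4908 wrote to memory of 3016 4908 8c87b8613d433da6c8c69d7e5db0e1b9.exe 88
PID 4760 set thread context of 748 4760 system_32.exe 87
2768 748 WerFault.exe 87
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) ")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) ")
CRASH_RE = re.compile(r"^(\d+) (\d+) WerFault\.exe ")  # "<werfault pid> <crashed pid> WerFault.exe ..."


def parse_records(text):
    """Return (write counts per (src, dst), set of (src, dst) context edges, crashed pids)."""
    writes = defaultdict(int)
    contexts = set()
    crashed = set()
    for line in text.splitlines():
        line = line.strip()
        if m := WRITE_RE.match(line):
            writes[(int(m[1]), int(m[2]))] += 1
        elif m := CTX_RE.match(line):
            contexts.add((int(m[1]), int(m[2])))
        elif m := CRASH_RE.match(line):
            crashed.add(int(m[2]))
    return writes, contexts, crashed


def classify_edges(text, images=PROCESS_IMAGES):
    """One finding per (injector, target) pair, with a verdict on what the pair looks like."""
    writes, contexts, crashed = parse_records(text)
    findings = []
    for src, dst in sorted(set(writes) | contexts):
        n = writes.get((src, dst), 0)
        ctx = (src, dst) in contexts
        if ctx and n:
            # Memory written into the target and its thread context replaced:
            # the classic hollowing / thread-hijack sequence.
            verdict = "process-hollowing candidate"
        elif ctx:
            verdict = "thread context changed without memory writes"
        else:
            # Parent -> child writes alone are consistent with CreateProcess.
            verdict = "memory writes only (consistent with CreateProcess of a child)"
        findings.append({
            "injector": src, "injector_image": images.get(src, "?"),
            "target": dst, "target_image": images.get(dst, "?"),
            "writes": n, "set_thread_context": ctx,
            "target_crashed": dst in crashed, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in classify_edges(SANDBOX_RECORDS):
        print(f"{f['injector']} ({f['injector_image']}) -> {f['target']} ({f['target_image']}): "
              f"{f['writes']} writes, ctx={f['set_thread_context']}, "
              f"crashed={f['target_crashed']}: {f['verdict']}")
```

Run against this report the only hollowing candidate is system_32.exe (4760) into calc.exe (748), and that target is also the one WerFault picked up, which is the practitioner's cue that the injected payload faulted rather than ran.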
Processes
C:\Users\Admin\AppData\Local\Temp\8c87b8613d433da6c8c69d7e5db0e1b9.exe (PID 4908, level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8c87b8613d433da6c8c69d7e5db0e1b9.exe"
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe (PID 4760, level 2)
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system_32.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\program files\internet explorer\IEXPLORE.EXE (PID 4300, level 3)
      command line: "C:\program files\internet explorer\IEXPLORE.EXE"
    C:\Windows\SysWOW64\calc.exe (PID 748, level 3)
      command line: "C:\Windows\system32\calc.exe"
      C:\Windows\SysWOW64\WerFault.exe (PID 2768, level 4)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 12
        - Program crash
  C:\Windows\SysWOW64\cmd.exe (PID 3016, level 2)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupDel.bat""
C:\Windows\SysWOW64\WerFault.exe (PID 960, level 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 748 -ip 748
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 184B
MD5: 8feab5be9206005614302013f3c0d0ce
SHA1: 065000fac2570d00ccf048eebe0eb77a44c0fc98
SHA256: b3d5588d1dda66b0550878614958b4d1303c2c1a68a5eaed3e1ff28d45a3b623
SHA512: e3a7d83418f921ec21e3a7a004d9fa03629e29a9fbb54823d0b9ff03462f26e9de062784f9dd80dfb8c0b8edffeba73913f01fddd400218b13af751dce555bc4

Filesize: 638KB
MD5: 0e196dd92940e4d4a852373858dd23ae
SHA1: 0b156e6fc05f17a99a3ec2732829a08a1d2967d8
SHA256: 30175f57813d6873d24b0ba1e9108e0ed0d7395fc24793023c0a5aac9cf94042
SHA512: e3c962d1458026971093309af29dc820d748fbc93f8fa3662a262e9be2ccd079f35f231e63102c775b386a1fcb8fa11eabae1a54637cac8421d93b01b48e1ee8

Filesize: 686KB (hashes identical to the submitted sample)
MD5: 8c87b8613d433da6c8c69d7e5db0e1b9
SHA1: 91b6ffeb1640c24858a6c984f11afd4aa2a34725
SHA256: e98f80c2687495eb2d2e2098d92d5dcaf6d90212c14f9d2cc0d9f64c9cd4861d
SHA512: 7b6ecc92f3386e038868570b3017c62916d3b24b5447dbd22b7589a58414369550cda5fe5002d2af9422081418482e9f9e630dd11210841909d874b57cadbc6e