Analysis

max time kernel: 143s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 15:00
Behavioral tasks

behavioral1
  Sample: 8ca028d6a26153dfdcb0f67b66159ac9.exe
  Resource: win7-20231215-en

behavioral2
  Sample: 8ca028d6a26153dfdcb0f67b66159ac9.exe
  Resource: win10v2004-20231215-en
General

Target: 8ca028d6a26153dfdcb0f67b66159ac9.exe
Size: 295KB
MD5: 8ca028d6a26153dfdcb0f67b66159ac9
SHA1: 5362f1c2d6d3935fa505f4b1a57987abccd1cd3d
SHA256: be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
SHA512: 2d73cb95b92a25da8c15cabe5833129a077b6fed804d54616c1880b5a319058725208768ccafa7f2efe68f8bf99a53269089cb0b58079b98b79b0438b331475b
SSDEEP: 6144:1RyIL4ImePaoQjVEc8FAkT7sRd54tFNX9xZRi5c1a15lajT0:1vLqePaoFcxkMUFNX9rsea1/x
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2628-13-0x0000000000400000-0x00000000004C5000-memory.dmp   modiloader_stage2
  behavioral1/memory/2416-28-0x0000000000400000-0x00000000004C5000-memory.dmp   modiloader_stage2
  behavioral1/memory/2628-29-0x0000000000400000-0x00000000004C5000-memory.dmp   modiloader_stage2
  behavioral1/memory/2416-41-0x0000000000400000-0x00000000004C5000-memory.dmp   modiloader_stage2

Deletes itself (1 IoC)
  pid    Process
  1772   cmd.exe

Executes dropped EXE (1 IoC)
  pid    Process
  2628   rejoice101.exe

Loads dropped DLL (5 IoCs)
  pid    Process                                 count
  2416   8ca028d6a26153dfdcb0f67b66159ac9.exe    2
  2660   WerFault.exe                            3

YARA rule matches: upx (7 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2416-0-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
  behavioral1/files/0x000b000000012185-4.dat                                    upx
  behavioral1/memory/2628-13-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/2780-22-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/2416-28-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/2628-29-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral1/memory/2416-41-0x0000000000400000-0x00000000004C5000-memory.dmp   upx

Drops file in System32 directory (2 IoCs)
  description                     ioc                                    Process
  File created                    C:\Windows\SysWOW64\_rejoice101.exe    rejoice101.exe
  File opened for modification    C:\Windows\SysWOW64\_rejoice101.exe    rejoice101.exe

Suspicious use of SetThreadContext (1 IoC)
  description                            pid    Process          procid_target
  PID 2628 set thread context of 2780    2628   rejoice101.exe   29

Drops file in Program Files directory (3 IoCs)
  description                     ioc                                                                     Process
  File created                    C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe    8ca028d6a26153dfdcb0f67b66159ac9.exe
  File opened for modification    C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe    8ca028d6a26153dfdcb0f67b66159ac9.exe
  File created                    C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat      8ca028d6a26153dfdcb0f67b66159ac9.exe

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  2660   2628         WerFault.exe   28

Suspicious use of WriteProcessMemory (18 IoCs)
  description                         pid    Process                                procid_target   count
  PID 2416 wrote to memory of 2628    2416   8ca028d6a26153dfdcb0f67b66159ac9.exe   28              4
  PID 2628 wrote to memory of 2780    2628   rejoice101.exe                         29              6
  PID 2628 wrote to memory of 2660    2628   rejoice101.exe                         30              4
  PID 2416 wrote to memory of 1772    2416   8ca028d6a26153dfdcb0f67b66159ac9.exe   33              4
Processes

C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe (PID 2416)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe (PID 2628)
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\calc.exe (PID 2780)
      command line: "C:\Windows\system32\calc.exe"

    C:\Windows\SysWOW64\WerFault.exe (PID 2660)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 300
      - Loads dropped DLL
      - Program crash

  C:\Windows\SysWOW64\cmd.exe (PID 1772)
    command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
    - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 184B
  MD5: 77ced2405e345f9cff39459401cb8406
  SHA1: 746565c2db29e17a1f38923467646c9acdd396e4
  SHA256: a0c91442c2b7e8c2fde1b881c056c4006d3ac7437ac135a68b92c9830022d87a
  SHA512: 6bfd800d6970e7cd2f10277aa3da01681632d52e1a79f839f6dfa6fd9bd45e7c77a661cfc1663d1d2426445e3b5373eb89968100bf2b5a3607cc2172a9cfebe6

File 2 (same hashes as the submitted sample)
  Filesize: 295KB
  MD5: 8ca028d6a26153dfdcb0f67b66159ac9
  SHA1: 5362f1c2d6d3935fa505f4b1a57987abccd1cd3d
  SHA256: be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
  SHA512: 2d73cb95b92a25da8c15cabe5833129a077b6fed804d54616c1880b5a319058725208768ccafa7f2efe68f8bf99a53269089cb0b58079b98b79b0438b331475b