Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 15:00
Behavioral task: behavioral1
- Sample: 8ca028d6a26153dfdcb0f67b66159ac9.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8ca028d6a26153dfdcb0f67b66159ac9.exe
- Resource: win10v2004-20231215-en
General
- Target: 8ca028d6a26153dfdcb0f67b66159ac9.exe
- Size: 295KB
- MD5: 8ca028d6a26153dfdcb0f67b66159ac9
- SHA1: 5362f1c2d6d3935fa505f4b1a57987abccd1cd3d
- SHA256: be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
- SHA512: 2d73cb95b92a25da8c15cabe5833129a077b6fed804d54616c1880b5a319058725208768ccafa7f2efe68f8bf99a53269089cb0b58079b98b79b0438b331475b
- SSDEEP: 6144:1RyIL4ImePaoQjVEc8FAkT7sRd54tFNX9xZRi5c1a15lajT0:1vLqePaoFcxkMUFNX9rsea1/x
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/740-14-0x0000000000400000-0x00000000004C5000-memory.dmp    modiloader_stage2
  behavioral2/memory/1452-15-0x0000000000400000-0x00000000004C5000-memory.dmp   modiloader_stage2
- Executes dropped EXE (1 IoCs)
  pid   Process
  740   rejoice101.exe
- UPX yara rule matches (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1452-0-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
  behavioral2/files/0x00060000000231f0-4.dat                                    upx
  behavioral2/memory/2268-10-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
  behavioral2/memory/740-14-0x0000000000400000-0x00000000004C5000-memory.dmp    upx
  behavioral2/memory/1452-15-0x0000000000400000-0x00000000004C5000-memory.dmp   upx
- Drops file in System32 directory (2 IoCs)
  description                   ioc                                   Process
  File created                  C:\Windows\SysWOW64\_rejoice101.exe   rejoice101.exe
  File opened for modification  C:\Windows\SysWOW64\_rejoice101.exe   rejoice101.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process          procid_target
  PID 740 set thread context of 2268   740   rejoice101.exe   85
- Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                                    Process
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe   8ca028d6a26153dfdcb0f67b66159ac9.exe
  File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe   8ca028d6a26153dfdcb0f67b66159ac9.exe
  File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat     8ca028d6a26153dfdcb0f67b66159ac9.exe
- Program crash (1 IoCs)
  pid    pid_target   Process        procid_target
  3500   2268         WerFault.exe   85
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                        pid    Process                                procid_target
  PID 1452 wrote to memory of 740    1452   8ca028d6a26153dfdcb0f67b66159ac9.exe   84
  PID 1452 wrote to memory of 740    1452   8ca028d6a26153dfdcb0f67b66159ac9.exe   84
  PID 1452 wrote to memory of 740    1452   8ca028d6a26153dfdcb0f67b66159ac9.exe   84
  PID 740 wrote to memory of 2268    740    rejoice101.exe                         85
  PID 740 wrote to memory of 2268    740    rejoice101.exe                         85
  PID 740 wrote to memory of 2268    740    rejoice101.exe                         85
  PID 740 wrote to memory of 2268    740    rejoice101.exe                         85
  PID 740 wrote to memory of 2268    740    rejoice101.exe                         85
  PID 740 wrote to memory of 2064    740    rejoice101.exe                         86
  PID 740 wrote to memory of 2064    740    rejoice101.exe                         86
  PID 1452 wrote to memory of 4104   1452   8ca028d6a26153dfdcb0f67b66159ac9.exe   89
  PID 1452 wrote to memory of 4104   1452   8ca028d6a26153dfdcb0f67b66159ac9.exe   89
  PID 1452 wrote to memory of 4104   1452   8ca028d6a26153dfdcb0f67b66159ac9.exe   89
Processes
- C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ca028d6a26153dfdcb0f67b66159ac9.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1452
  - C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice101.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:740
    - C:\Windows\SysWOW64\calc.exe
      Command line: "C:\Windows\system32\calc.exe"
      PID:2268
      - C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 12
        - Program crash
        PID:3500
    - C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID:2064
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
    PID:4104
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2268 -ip 2268
  PID:1972
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 184B
  MD5: 77ced2405e345f9cff39459401cb8406
  SHA1: 746565c2db29e17a1f38923467646c9acdd396e4
  SHA256: a0c91442c2b7e8c2fde1b881c056c4006d3ac7437ac135a68b92c9830022d87a
  SHA512: 6bfd800d6970e7cd2f10277aa3da01681632d52e1a79f839f6dfa6fd9bd45e7c77a661cfc1663d1d2426445e3b5373eb89968100bf2b5a3607cc2172a9cfebe6
- Filesize: 295KB
  MD5: 8ca028d6a26153dfdcb0f67b66159ac9
  SHA1: 5362f1c2d6d3935fa505f4b1a57987abccd1cd3d
  SHA256: be31185fc80afb305d668d523e70858d26f78ccf1175da83cc465eb949f8523a
  SHA512: 2d73cb95b92a25da8c15cabe5833129a077b6fed804d54616c1880b5a319058725208768ccafa7f2efe68f8bf99a53269089cb0b58079b98b79b0438b331475b