Analysis

  • max time kernel
    89s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 15:11

General

  • Target

    8ca5f1fa2d996a25c0d7d46e8a0725a2.exe

  • Size

    912KB

  • MD5

    8ca5f1fa2d996a25c0d7d46e8a0725a2

  • SHA1

    bef0493452f8830663321cc19d6f98f01f27c152

  • SHA256

    547b319609a15ad9aa358122f6730843ae541d6dc6b6c3ecc0135767664bf865

  • SHA512

    7a03715caa48029ec35dd283652c12a94a5a97d1aa14a949c8ea40334feea569aaf1fb8b9ac4e5e7a8d62b08a53025967354ebc365308597ef8bfa8f7287eb5f

  • SSDEEP

    24576:kqfoqT3CO1cjxZMXBrwuZUy5DPZWN+HuMSV653RGn0uEitV:kILCCcjxZ8fOy5DAN+OMSc8BdH

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe
    "C:\Users\Admin\AppData\Local\Temp\8ca5f1fa2d996a25c0d7d46e8a0725a2.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4360
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\program files\internet explorer\IEXPLORE.EXE
        "C:\program files\internet explorer\IEXPLORE.EXE"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4092
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4092 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2732
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
      2⤵
      PID:5020

Downloads

  • C:\AutoRun.inf
    Filesize 172B
    MD5 927852231949a3349759bf1b81099a00
    SHA1 859edef102d3daef447a34a2c2db8b3e54a18bf0
    SHA256 4fe401c28161efc84b7a28d236c79680fd6bc5631d23533ccaa3afe8a13e1297
    SHA512 cbdcb8194be39dfea6015182a57d043c9e2de807e96283fcc967a243a9f8d6223cca4190082408dfb5b213f08aae0a2a4444787425f22f8c033b2ea8533fe3fb

  • C:\Program Files\Common Files\Microsoft Shared\MSINFO\RECYCLER.EXE
    Filesize 524KB
    MD5 63da2513b4156f984b19fb009507d721
    SHA1 0df317b683f9d7d34f234cd9e9403f75c4918c1b
    SHA256 acf20cc28f671c649120e20a60296a941c5f282cade4eb129d86148dd877e803
    SHA512 0a2023b8f168e05366a6975d0bb8aeb68390a2c601a630531ee6102998dd98378a9deb1da7b1fd90cc48f35ec3cf4b2cce35a2b555edcd0577dc0568b7e66a50

  • C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat
    Filesize 184B
    MD5 095b5a7603826bc82c0715bb4e020857
    SHA1 ad0058751abc54e94f3f006a550da5ad9b77a19b
    SHA256 957d0e448031ac5ee780eac63970e355a67d083cecf02999ca655e81e29ffa87
    SHA512 9edcf303d8562589708eb04fdb85c1a0770fe11de8e244051dcc664e13305c637e9063b10a50f90b25775e76ebbe09a6bea255887bea02d4f51dd20acd17de25

  • C:\Program Files\Common Files\microsoft shared\MSInfo\RECYCLER.EXE
    Filesize 646KB
    MD5 3f55f18044d59d8ae9a14c1efb1116c4
    SHA1 f65ab6e5ff16affc96866785848eece4a55d075a
    SHA256 d5f07ed5bc39e7bd1e2270d6bce8e9633ddcc4f8aa45406265d6bdfa5a66e636
    SHA512 a34765e813f49e6be769b7c9dfd910f715f7197844e6562ebf1a6c8062949bd1d8613f5ca6df605d4ff00b75be8f6a4c51b97b0c1305daff61bbde09a4ca6aea

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize 471B
    MD5 52bfc02b370f1b48b834ce1c58ad6560
    SHA1 d3dbca3ed04caabf69ec8d525a83cde0919809cf
    SHA256 fce02a7cb2ed194e21949d8a394e69f1dd30c4c517addc831018b8a0b7235a97
    SHA512 5fb4c1b2d4173f5de1237e2fd55b9081b99756217d5d639da3e0e1bbe339d87be2e9b732ef783446bdedee2af8730e4bedb3184d58ba0bce0881ddc199495289

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize 404B
    MD5 2db673590c5a15126b128570d1b2d3bb
    SHA1 7c7163ef647b8be3cbebb8e053a1a21ed62e5ea8
    SHA256 373a5d8f5d297372eae3ad761e8beaad18b995b47d6c6505f410042e8df49f65
    SHA512 e9e4d1bbe455304735ff92c322495bbad4e84df539303543dce32589f7af8cab039d1c746e352a335136efc9a7df41936a76348f910243b325f9d74d1c2cb900

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verCF08.tmp
    Filesize 15KB
    MD5 1a545d0052b581fbb2ab4c52133846bc
    SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
    SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
    SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\suggestions[1].en-US
    Filesize 17KB
    MD5 5a34cb996293fde2cb7a4ac89587393a
    SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • F:\RECYCLER.EXE
    Filesize 912KB
    MD5 8ca5f1fa2d996a25c0d7d46e8a0725a2
    SHA1 bef0493452f8830663321cc19d6f98f01f27c152
    SHA256 547b319609a15ad9aa358122f6730843ae541d6dc6b6c3ecc0135767664bf865
    SHA512 7a03715caa48029ec35dd283652c12a94a5a97d1aa14a949c8ea40334feea569aaf1fb8b9ac4e5e7a8d62b08a53025967354ebc365308597ef8bfa8f7287eb5f
