Analysis

max time kernel: 140s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 16:33
Behavioral task behavioral1
Sample: 8ccf0e0b5fb64636472b6faec68f0325.exe
Resource: win7-20231215-en
8 signatures, 150 seconds

Behavioral task behavioral2
Sample: 8ccf0e0b5fb64636472b6faec68f0325.exe
Resource: win10v2004-20231222-en
8 signatures, 150 seconds
General

Target: 8ccf0e0b5fb64636472b6faec68f0325.exe
Size: 46KB
MD5: 8ccf0e0b5fb64636472b6faec68f0325
SHA1: b0b75f1ce34da22d9006b93f5647fd1a7fd30242
SHA256: 82784171a3981f93fecd0b47299459552a820938aab658b869a0cef1f72508ba
SHA512: c51091830ac3d9762be18793f9042629f1dc49d995084d9126ec617ffdf05a33a37b0bdae38ca88b3556ff20fa15257a5e67727ab23db97d988bd35e09244c44
SSDEEP: 768:CytdwZDKQH7g8xFrXtpsC/lPwqfZ8GJJS9qSCmw3n5MtWxMYvTMD:CyLIDlxFrXXzPwkqOFl6
Score: 10/10

Malware Config: (no entries)
Signatures (all memory paths and PIDs below are from behavioral2, the win10v2004-20231222-en run)

ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud-hosting services to download and stage follow-on malware families.

ModiLoader Second Stage, 1 IoC
resource | yara_rule
behavioral2/memory/1032-4-0x0000000010000000-0x000000001001E000-memory.dmp | modiloader_stage2

yara rule upx matched (UPX-packed code in memory), 2 IoCs
resource | yara_rule
behavioral2/memory/1032-0-0x0000000010000000-0x000000001001E000-memory.dmp | upx
behavioral2/memory/1032-4-0x0000000010000000-0x000000001001E000-memory.dmp | upx

All three yara hits fall in the same 0x1E000-byte region (0x10000000-0x1001E000) of the parent process, PID 1032, captured in dumps 0 and 4; the second-stage signature matches only the later dump, so that region is where the unpacked second stage can be recovered.

Suspicious use of SetThreadContext, 1 IoC
description | pid | Process | procid_target
PID 1032 set thread context of 1408 | 1032 | 8ccf0e0b5fb64636472b6faec68f0325.exe | 17

Suspicious behavior: EnumeratesProcesses, 30 IoCs
pid | Process
1408 | 8ccf0e0b5fb64636472b6faec68f0325.exe (30 identical entries)

Suspicious use of AdjustPrivilegeToken, 2 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1032 | 8ccf0e0b5fb64636472b6faec68f0325.exe (2 identical entries)

Suspicious use of SetWindowsHookEx, 14 IoCs
pid | Process
1408 | 8ccf0e0b5fb64636472b6faec68f0325.exe (14 identical entries)

Suspicious use of WriteProcessMemory, 5 IoCs
description | pid | Process | procid_target
PID 1032 wrote to memory of 1408 | 1032 | 8ccf0e0b5fb64636472b6faec68f0325.exe | 17 (5 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\8ccf0e0b5fb64636472b6faec68f0325.exe (PID 1032, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\8ccf0e0b5fb64636472b6faec68f0325.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\8ccf0e0b5fb64636472b6faec68f0325.exe (PID 1408, depth 2, child of PID 1032)
    command line: C:\Users\Admin\AppData\Local\Temp\8ccf0e0b5fb64636472b6faec68f0325.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

Read together with the signatures: the submitted sample (PID 1032) launches a second copy of its own binary (PID 1408, note the unquoted command line), writes into that child five times and changes its thread context, the combination characteristic of process hollowing. Every process-enumeration and SetWindowsHookEx event is attributed to the child, so PID 1408 is the process executing the injected code, while the yara hits for the packed and second-stage code were taken from the parent's memory.
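The correlation a responder would run over rows like these, as an added example that is not part of the sandbox report: a Python script that parses the cross-process event rows (reconstructed below from the Signatures section), pairs WriteProcessMemory with SetThreadContext per source/target PID, and checks against the process tree whether the target is a child running the same image. The row layout matched by the regular expression, the per-process signature counts and the PROCESS_TREE mapping are transcribed from this page by hand; they are assumptions about how the report lays out its rows, not a sandbox export format or vendor API.

```python
"""Correlate sandbox behavioural rows into a process-hollowing finding.

Added example (not sandbox code). Inputs are constructed from the rows of
the report above; the parsing assumes the "description pid Process" layout
those rows use and ignores anything that does not match.
"""
import re
from collections import Counter, defaultdict

# Constructed from the SetThreadContext and WriteProcessMemory rows.
CROSS_PROCESS_EVENTS = [
    "PID 1032 set thread context of 1408 1032 8ccf0e0b5fb64636472b6faec68f0325.exe",
    "PID 1032 wrote to memory of 1408 1032 8ccf0e0b5fb64636472b6faec68f0325.exe",
    "PID 1032 wrote to memory of 1408 1032 8ccf0e0b5fb64636472b6faec68f0325.exe",
    "PID 1032 wrote to memory of 1408 1032 8ccf0e0b5fb64636472b6faec68f0325.exe",
    "PID 1032 wrote to memory of 1408 1032 8ccf0e0b5fb64636472b6faec68f0325.exe",
    "PID 1032 wrote to memory of 1408 1032 8ccf0e0b5fb64636472b6faec68f0325.exe",
]

# Constructed from the per-process rows: signature name -> PID -> event count.
PER_PROCESS_EVENTS = {
    "EnumeratesProcesses": {1408: 30},
    "SetWindowsHookEx": {1408: 14},
    "AdjustPrivilegeToken": {1032: 2},
}

# Constructed from the Processes section: PID -> (parent PID, image path).
PROCESS_TREE = {
    1032: (None, r"C:\Users\Admin\AppData\Local\Temp\8ccf0e0b5fb64636472b6faec68f0325.exe"),
    1408: (1032, r"C:\Users\Admin\AppData\Local\Temp\8ccf0e0b5fb64636472b6faec68f0325.exe"),
}

# Assumed row shape: "PID <src> wrote to memory of|set thread context of <dst> ..."
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+)\b"
)


def parse_cross_process(lines):
    """Return {(src_pid, dst_pid): Counter(api_name -> count)} from report rows."""
    pairs = defaultdict(Counter)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not a cross-process row; skip rather than guess
        api = "WriteProcessMemory" if m["action"].startswith("wrote") else "SetThreadContext"
        pairs[(int(m["src"]), int(m["dst"]))][api] += 1
    return pairs


def find_hollowing(pairs, tree, per_process):
    """Flag source/target pairs that show both remote writes and a thread-context change.

    The report gives counts, not timestamps, so this check is order-insensitive.
    A live EDR rule would also require the writes to precede SetThreadContext and
    the target to have been created suspended; neither is visible in these rows.
    """
    findings = []
    for (src, dst), apis in pairs.items():
        if not (apis["WriteProcessMemory"] and apis["SetThreadContext"]):
            continue
        src_img = tree.get(src, (None, None))[1]
        dst_parent, dst_img = tree.get(dst, (None, None))
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": apis["WriteProcessMemory"],
            "context_changes": apis["SetThreadContext"],
            "target_is_child": dst_parent == src,
            "same_image": src_img is not None and src_img == dst_img,
            # Signatures the report attributes to the injected-into process.
            "target_activity": {sig: pids[dst] for sig, pids in per_process.items() if dst in pids},
        })
    return findings


def analyse():
    """Run the correlation over the rows transcribed from this report."""
    return find_hollowing(parse_cross_process(CROSS_PROCESS_EVENTS), PROCESS_TREE, PER_PROCESS_EVENTS)


if __name__ == "__main__":
    for f in analyse():
        kind = "hollowed copy of itself" if f["same_image"] and f["target_is_child"] else "cross-process injection"
        print(f"PID {f['source_pid']} -> PID {f['target_pid']}: {kind}, "
              f"{f['writes']} writes, {f['context_changes']} SetThreadContext; "
              f"target activity: {f['target_activity']}")
```

Because the sandbox rows carry counts rather than a timeline, the script only establishes that the pair of APIs was used on the same target; when the same logic is ported to Sysmon or ETW data, add the ordering and suspended-creation conditions noted in the docstring, otherwise legitimate debuggers and some installers will match.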