Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system -
submitted
03/02/2024, 16:39
Static task
static1
Behavioral task
behavioral1
Sample
8cd2099e44faea182081272b5cc46838.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8cd2099e44faea182081272b5cc46838.exe
Resource
win10v2004-20231215-en
General
-
Target
8cd2099e44faea182081272b5cc46838.exe
-
Size
285KB
-
MD5
8cd2099e44faea182081272b5cc46838
-
SHA1
c892742a8e36594b8c97e239594b823068fb7ac3
-
SHA256
c7b00350372958271605f03df277b1fd0781a8d7930bbe7c7636934233247453
-
SHA512
a9e335fef6cb073f1442eef56d7a5c4347f9db401766feafe0543c0f139b51b9e2f90d4894077414ffdca834dd857e95d27add37b16576d98950edc0496107c8
-
SSDEEP
6144:oSSSbUbMaY0dRhuvUkKwYEqYGU61rEcl8ahjOgEQIR8n6b/FI:oSTYbzndRhusEqpn1rEahKgjO80/FI
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
resource yara_rule
behavioral1/memory/2644-33-0x0000000000400000-0x0000000000553000-memory.dmp modiloader_stage2
behavioral1/memory/2704-35-0x0000000000400000-0x0000000000553000-memory.dmp modiloader_stage2
behavioral1/memory/2644-36-0x0000000000400000-0x0000000000553000-memory.dmp modiloader_stage2 -
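The three YARA hits above name one and the same address range in two different processes. The Python below is an added example, not part of the report or of any sandbox tooling: it parses those dump names, computes the size of the matched region and compares it with the 285KB on-disk size. The `MemoryHit` type and the function names are this example's own, and the dump-name pattern is inferred from the three resource strings above.

```python
import re
from dataclasses import dataclass

# The "resource yara_rule" pairs exactly as the report flattens them.
YARA_HITS_TEXT = (
    "resource yara_rule "
    "behavioral1/memory/2644-33-0x0000000000400000-0x0000000000553000-memory.dmp modiloader_stage2 "
    "behavioral1/memory/2704-35-0x0000000000400000-0x0000000000553000-memory.dmp modiloader_stage2 "
    "behavioral1/memory/2644-36-0x0000000000400000-0x0000000000553000-memory.dmp modiloader_stage2"
)

# Reported size of the sample on disk; the report rounds to whole KB, so treat as approximate.
DISK_SIZE = 285 * 1024


@dataclass(frozen=True)
class MemoryHit:
    task: str       # sandbox task the dump came from, e.g. behavioral1
    pid: int        # process the region was dumped from
    dump_idx: int   # sequence number of that dump within the task
    start: int      # first address of the dumped region
    end: int        # address one past the end of the region
    rule: str       # YARA rule that matched the dump

    @property
    def size(self) -> int:
        return self.end - self.start


# Dump names have the shape <task>/memory/<pid>-<idx>-<start>-<end>-memory.dmp
# (pattern inferred from the three resource strings in the report).
_DUMP_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"(?P<start>0x[0-9a-fA-F]+)-(?P<end>0x[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_memory_hits(text: str) -> list[MemoryHit]:
    """Extract (dump, rule) pairs from the flattened signature text."""
    hits = []
    for dump, rule in re.findall(r"(\S+/memory/\S+-memory\.dmp)\s+(\S+)", text):
        m = _DUMP_RE.match(dump)
        if m is None:
            continue  # not a memory-dump resource; ignore it
        hits.append(MemoryHit(m["task"], int(m["pid"]), int(m["idx"]),
                              int(m["start"], 16), int(m["end"], 16), rule))
    return hits


def regions_by_process(hits: list[MemoryHit]) -> dict[tuple[int, int, str], list[int]]:
    """Group hits by (start, end, rule) and list the PIDs that share each region."""
    shared: dict[tuple[int, int, str], set[int]] = {}
    for h in hits:
        shared.setdefault((h.start, h.end, h.rule), set()).add(h.pid)
    return {key: sorted(pids) for key, pids in shared.items()}


def growth_factor(hit: MemoryHit, disk_size: int = DISK_SIZE) -> float:
    """How many times larger the matched region is than the file on disk."""
    return hit.size / disk_size


if __name__ == "__main__":
    hits = parse_memory_hits(YARA_HITS_TEXT)
    for (start, end, rule), pids in regions_by_process(hits).items():
        print(f"{rule}: {start:#x}-{end:#x} ({end - start} bytes) in PIDs {pids}")
    print(f"region is {growth_factor(hits[0]):.1f}x the on-disk size")
```

Running it reports one region, 0x400000-0x553000 (1,388,544 bytes), matched in both PID 2644 (the submitted sample) and PID 2704 (the dropped systems32.exe), roughly 4.8 times the on-disk size. The region starts at the conventional 32-bit image base, so the rule is firing on the decoded stage inside the mapped image rather than on a separately allocated buffer, and the identical range in both processes is what you would expect if the dropped copy is the same loader.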
Executes dropped EXE 1 IoCs
pid Process
2704 systems32.exe -
Loads dropped DLL 5 IoCs
pid Process
2644 8cd2099e44faea182081272b5cc46838.exe
2644 8cd2099e44faea182081272b5cc46838.exe
2708 WerFault.exe
2708 WerFault.exe
2708 WerFault.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\U: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\G: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\P: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\Q: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\R: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\V: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\Z: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\J: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\O: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\S: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\T: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\W: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\Y: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\I: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\K: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\L: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\N: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\M: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\X: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\A: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\B: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\E: 8cd2099e44faea182081272b5cc46838.exe
File opened (read-only) \??\H: 8cd2099e44faea182081272b5cc46838.exe -
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File created C:\AutoRun.inf 8cd2099e44faea182081272b5cc46838.exe
File opened for modification C:\AutoRun.inf 8cd2099e44faea182081272b5cc46838.exe
File created F:\AutoRun.inf 8cd2099e44faea182081272b5cc46838.exe
File opened for modification F:\AutoRun.inf 8cd2099e44faea182081272b5cc46838.exe -
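The two IoC tables above together describe the spreading behaviour: the sample opens the root of 23 volumes (every letter except C:, D: and F:) and writes AutoRun.inf at the root of C: and F:. The Python below is an added example, not from the report: it parses the flattened IoC rows, lists the probed drive letters, and flags the combination of wide volume enumeration with an AutoRun.inf written to the root of a non-system volume. The drive-probe rows are rebuilt from the letters in the table above; the `min_drives` threshold, the assumption that paths and process names contain no spaces, and all names are this example's choices.

```python
import re
from dataclasses import dataclass

SAMPLE = "8cd2099e44faea182081272b5cc46838.exe"

# Drive letters in the order the report lists them; the rows are rebuilt from them.
PROBED_LETTERS = "UGPQRVZJOSTWYIKLNMXABEH"
DRIVE_IOC_TEXT = "description ioc Process " + " ".join(
    f"File opened (read-only) \\??\\{d}: {SAMPLE}" for d in PROBED_LETTERS
)

# The "Drops autorun.inf file" rows as the report flattens them.
AUTORUN_IOC_TEXT = (
    "description ioc Process "
    f"File created C:\\AutoRun.inf {SAMPLE} "
    f"File opened for modification C:\\AutoRun.inf {SAMPLE} "
    f"File created F:\\AutoRun.inf {SAMPLE} "
    f"File opened for modification F:\\AutoRun.inf {SAMPLE}"
)


@dataclass(frozen=True)
class FileIoc:
    action: str   # the report's description column
    path: str     # the ioc column
    process: str  # the Process column


# Assumes neither the path nor the process name contains spaces (true for these rows).
_IOC_RE = re.compile(
    r"(?P<action>File opened \(read-only\)|File opened for modification|File created)\s+"
    r"(?P<path>\S+)\s+(?P<process>\S+\.exe)"
)
# \??\X:  -> an NT-style open of a volume root
_ROOT_RE = re.compile(r"^\\\?\?\\([A-Za-z]):$")
# X:\autorun.inf at the volume root, any letter case
_AUTORUN_RE = re.compile(r"^([A-Za-z]):\\autorun\.inf$", re.IGNORECASE)


def parse_file_iocs(text: str) -> list[FileIoc]:
    return [FileIoc(m["action"], m["path"], m["process"]) for m in _IOC_RE.finditer(text)]


def drives_probed(iocs: list[FileIoc]) -> list[str]:
    """Distinct volume roots the process opened, as upper-case letters."""
    letters = set()
    for ioc in iocs:
        m = _ROOT_RE.match(ioc.path)
        if m:
            letters.add(m.group(1).upper())
    return sorted(letters)


def autorun_drops(iocs: list[FileIoc]) -> dict[str, set[str]]:
    """Volume letter -> set of actions performed on its root AutoRun.inf."""
    drops: dict[str, set[str]] = {}
    for ioc in iocs:
        m = _AUTORUN_RE.match(ioc.path)
        if m:
            drops.setdefault(m.group(1).upper(), set()).add(ioc.action)
    return drops


def removable_media_spreader(iocs: list[FileIoc], min_drives: int = 5) -> dict:
    """Flag wide drive enumeration combined with AutoRun.inf on a non-system volume.

    min_drives is an arbitrary threshold for this example; tune it to your telemetry.
    """
    probed = drives_probed(iocs)
    drops = autorun_drops(iocs)
    non_system = sorted(letter for letter in drops if letter != "C")
    return {
        "drives_probed": len(probed),
        "autorun_on": sorted(drops),
        "non_system_autorun": non_system,
        "flag": len(probed) >= min_drives and bool(non_system),
    }


if __name__ == "__main__":
    iocs = parse_file_iocs(DRIVE_IOC_TEXT + " " + AUTORUN_IOC_TEXT)
    print(removable_media_spreader(iocs))
```

Since Windows 7 (and the 2011 update that back-ported the change) autorun.inf is no longer honoured on removable or network volumes, so the dropped file will not auto-execute on a patched host; the write itself is still a strong indicator of a spreading component, and detection should key on AutoRun.inf creation at any volume root rather than on particular drive letters.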
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\SysWOW64\_systems32.exe systems32.exe
File opened for modification C:\Windows\SysWOW64\_systems32.exe systems32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\systems32.exe 8cd2099e44faea182081272b5cc46838.exe
File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\systems32.exe 8cd2099e44faea182081272b5cc46838.exe -
Program crash 1 IoCs
pid pid_target Process procid_target
2708 2704 WerFault.exe 28 -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2644 wrote to memory of 2704 2644 8cd2099e44faea182081272b5cc46838.exe 28
PID 2644 wrote to memory of 2704 2644 8cd2099e44faea182081272b5cc46838.exe 28
PID 2644 wrote to memory of 2704 2644 8cd2099e44faea182081272b5cc46838.exe 28
PID 2644 wrote to memory of 2704 2644 8cd2099e44faea182081272b5cc46838.exe 28
PID 2704 wrote to memory of 2708 2704 systems32.exe 29
PID 2704 wrote to memory of 2708 2704 systems32.exe 29
PID 2704 wrote to memory of 2708 2704 systems32.exe 29
PID 2704 wrote to memory of 2708 2704 systems32.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\8cd2099e44faea182081272b5cc46838.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cd2099e44faea182081272b5cc46838.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID: 2644
    C:\Program Files\Common Files\Microsoft Shared\MSINFO\systems32.exe
      Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\systems32.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of WriteProcessMemory
      PID: 2704
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 296
          - Loads dropped DLL
          - Program crash
          PID: 2708
-
-
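The process tree and the WriteProcessMemory rows describe a single chain: the sample in Temp drops systems32.exe into Program Files\Common Files\Microsoft Shared\MSINFO, runs it, and that copy crashes under WerFault.exe. The Python below is an added example, not part of the report: it rebuilds the tree from records transcribed from the section above, de-duplicates the repeated WriteProcessMemory rows, classifies each write as parent-into-child or into a foreign process, and reads the crashed PID out of the WerFault command line. Parent links and command lines come from the tree above; the `Proc` type, the triage rules and all function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int]  # None for the root of the tree


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8cd2099e44faea182081272b5cc46838.exe"
DROPPED = r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\systems32.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

# Transcribed from the Processes section of the report (nesting gives the parent links).
PROCS = {
    2644: Proc(2644, SAMPLE, f'"{SAMPLE}"', None),
    2704: Proc(2704, DROPPED, f'"{DROPPED}"', 2644),
    2708: Proc(2708, WERFAULT, f"{WERFAULT} -u -p 2704 -s 296", 2704),
}

# The eight "Suspicious use of WriteProcessMemory" rows, each repeated four times as reported.
WPM_TEXT = " ".join(
    ["PID 2644 wrote to memory of 2704 2644 8cd2099e44faea182081272b5cc46838.exe 28"] * 4
    + ["PID 2704 wrote to memory of 2708 2704 systems32.exe 29"] * 4
)


def parse_wpm_edges(text: str) -> list[tuple[int, int]]:
    """Distinct (writer_pid, target_pid) pairs, in first-seen order."""
    edges: list[tuple[int, int]] = []
    for src, dst in re.findall(r"PID (\d+) wrote to memory of (\d+)", text):
        edge = (int(src), int(dst))
        if edge not in edges:
            edges.append(edge)
    return edges


def classify_wpm(edges: list[tuple[int, int]], procs: dict[int, Proc]) -> dict[tuple[int, int], str]:
    """'child' when the target is the writer's direct child (process creation itself writes
    into the new process); 'foreign' otherwise, which is the shape injection takes."""
    result = {}
    for src, dst in edges:
        target = procs.get(dst)
        result[(src, dst)] = "child" if target is not None and target.parent == src else "foreign"
    return result


def render_tree(procs: dict[int, Proc], root: Optional[int] = None, depth: int = 0) -> list[str]:
    """Indented 'pid image' lines, children under their parent."""
    lines = []
    for p in sorted(procs.values(), key=lambda p: p.pid):
        if p.parent == root:
            lines.append("  " * depth + f"{p.pid} {p.image}")
            lines.extend(render_tree(procs, p.pid, depth + 1))
    return lines


def werfault_target(cmdline: str) -> Optional[int]:
    """WerFault.exe -p <pid> names the process whose crash it is handling."""
    m = re.search(r"\bWerFault\.exe\b.*?\s-p\s+(\d+)", cmdline, re.IGNORECASE)
    return int(m.group(1)) if m else None


def triage_findings(procs: dict[int, Proc]) -> list[tuple[int, str]]:
    """Simple host-based rules over the tree; thresholds and wording are this example's."""
    findings = []
    for p in procs.values():
        parent = procs.get(p.parent) if p.parent is not None else None
        if (parent is not None and "\\AppData\\Local\\Temp\\" in parent.image
                and p.image.lower().startswith("c:\\program files\\")):
            findings.append((p.pid, "spawned by a Temp-resident parent from under Program Files"))
        if p.image.lower().endswith("\\werfault.exe"):
            crashed = werfault_target(p.cmdline)
            if crashed is not None:
                findings.append((crashed, f"crashed; WerFault pid {p.pid} handled it"))
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print(classify_wpm(parse_wpm_edges(WPM_TEXT), PROCS))
    print(triage_findings(PROCS))
```

Both writes target the writer's own direct child (2644 into 2704, 2704 into 2708), which is what process creation itself does, so this signature on its own does not show injection into an unrelated process. The higher-value signals in this tree are a Temp-resident executable launching a child from under Program Files and WerFault's `-p 2704` pinning the crash to the dropped copy rather than to the original sample.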
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
285KB
MD5 8cd2099e44faea182081272b5cc46838
SHA1 c892742a8e36594b8c97e239594b823068fb7ac3
SHA256 c7b00350372958271605f03df277b1fd0781a8d7930bbe7c7636934233247453
SHA512 a9e335fef6cb073f1442eef56d7a5c4347f9db401766feafe0543c0f139b51b9e2f90d4894077414ffdca834dd857e95d27add37b16576d98950edc0496107c8