Analysis
- max time kernel: 142s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 03/02/2024, 16:04
Static task: static1
Behavioral task: behavioral1
  Sample: 8cc0bb1a00157351cf02c2d97c0b1831.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8cc0bb1a00157351cf02c2d97c0b1831.exe
  Resource: win10v2004-20231215-en
General
- Target: 8cc0bb1a00157351cf02c2d97c0b1831.exe
- Size: 652KB
- MD5: 8cc0bb1a00157351cf02c2d97c0b1831
- SHA1: b2f154a92ffb170c64d4c222ee6846d996f2761b
- SHA256: 555bc25a57d01bbb12b69d41995c7a4f41c86f7d05ce0e73d2cc95aa6e3775fd
- SHA512: 5f32589913beb077b2fc1c392a0cd5f0851511fa714253a7f7366ac0213ec67d5cc2acd06b40af55cc09801720122179ecb6fde1dbbc08b0972d3efcaff9a4f2
- SSDEEP: 12288:/e6g5JKP/Ic71V0ao0WADIyJjcSoF3Z4mxxPALW3mZxMZtk:W6g5MPl3Xlc9QmXPAi3qxMZt
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2060-112-0x0000000000400000-0x00000000005DB000-memory.dmp  modiloader_stage2
behavioral1/memory/2364-113-0x0000000000400000-0x00000000005DB000-memory.dmp  modiloader_stage2
behavioral1/memory/2060-130-0x0000000000400000-0x00000000005DB000-memory.dmp  modiloader_stage2
Executes dropped EXE (1 IoC)
pid   Process
2364  KAV2007.exe

Loads dropped DLL (5 IoCs)
pid   Process
2060  8cc0bb1a00157351cf02c2d97c0b1831.exe
2060  8cc0bb1a00157351cf02c2d97c0b1831.exe
1612  WerFault.exe
1612  WerFault.exe
1612  WerFault.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\N:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\O:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\X:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\Z:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\B:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\E:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\I:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\J:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\U:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\W:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\H:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\K:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\M:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\S:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\V:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\Y:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\A:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\G:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\L:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\P:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\Q:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\R:  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened (read-only)  \??\T:  8cc0bb1a00157351cf02c2d97c0b1831.exe
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description                   ioc             Process
File created                  C:\AutoRun.inf  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened for modification  C:\AutoRun.inf  8cc0bb1a00157351cf02c2d97c0b1831.exe
File created                  F:\AutoRun.inf  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened for modification  F:\AutoRun.inf  8cc0bb1a00157351cf02c2d97c0b1831.exe
Drops file in System32 directory (2 IoCs)
description                   ioc                                  Process
File opened for modification  C:\Windows\SysWOW64\_KAV2007.exe     KAV2007.exe
File created                  C:\Windows\SysWOW64\_KAV2007.exe     KAV2007.exe

Drops file in Program Files directory (2 IoCs)
description                   ioc                                                             Process
File created                  C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe  8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened for modification  C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe  8cc0bb1a00157351cf02c2d97c0b1831.exe
Program crash (1 IoC)
pid   pid_target  Process
1612  2364        WerFault.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process                               procid_target
PID 2060 wrote to memory of 2364    2060  8cc0bb1a00157351cf02c2d97c0b1831.exe  29
PID 2060 wrote to memory of 2364    2060  8cc0bb1a00157351cf02c2d97c0b1831.exe  29
PID 2060 wrote to memory of 2364    2060  8cc0bb1a00157351cf02c2d97c0b1831.exe  29
PID 2060 wrote to memory of 2364    2060  8cc0bb1a00157351cf02c2d97c0b1831.exe  29
PID 2364 wrote to memory of 1612    2364  KAV2007.exe                           28
PID 2364 wrote to memory of 1612    2364  KAV2007.exe                           28
PID 2364 wrote to memory of 1612    2364  KAV2007.exe                           28
PID 2364 wrote to memory of 1612    2364  KAV2007.exe                           28
Processes

C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"
  PID: 2060
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe
    Command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
    PID: 2364
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 304
  PID: 1612
  - Loads dropped DLL
  - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads