Analysis
max time kernel: 93s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 16:04
Static task: static1
Behavioral task: behavioral1
  Sample: 8cc0bb1a00157351cf02c2d97c0b1831.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 8cc0bb1a00157351cf02c2d97c0b1831.exe
  Resource: win10v2004-20231215-en
General
Target: 8cc0bb1a00157351cf02c2d97c0b1831.exe
Size: 652KB
MD5: 8cc0bb1a00157351cf02c2d97c0b1831
SHA1: b2f154a92ffb170c64d4c222ee6846d996f2761b
SHA256: 555bc25a57d01bbb12b69d41995c7a4f41c86f7d05ce0e73d2cc95aa6e3775fd
SHA512: 5f32589913beb077b2fc1c392a0cd5f0851511fa714253a7f7366ac0213ec67d5cc2acd06b40af55cc09801720122179ecb6fde1dbbc08b0972d3efcaff9a4f2
SSDEEP: 12288:/e6g5JKP/Ic71V0ao0WADIyJjcSoF3Z4mxxPALW3mZxMZtk:W6g5MPl3Xlc9QmXPAi3qxMZt
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses public cloud services to fetch its next-stage payloads.

ModiLoader Second Stage (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/2136-94-0x0000000000400000-0x00000000005DB000-memory.dmp   modiloader_stage2
behavioral2/memory/4880-93-0x0000000000400000-0x00000000005DB000-memory.dmp   modiloader_stage2
The same rule fires over the same image range (0x400000-0x5DB000) in both the sample (PID 2136) and the dropped KAV2007.exe (PID 4880), consistent with KAV2007.exe being a copy of the sample.
Executes dropped EXE (1 IoC)
pid    Process
4880   KAV2007.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description               Process                                 ioc
File opened (read-only)   8cc0bb1a00157351cf02c2d97c0b1831.exe    \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description                    ioc              Process
File created                   C:\AutoRun.inf   8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened for modification   C:\AutoRun.inf   8cc0bb1a00157351cf02c2d97c0b1831.exe
File created                   F:\AutoRun.inf   8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened for modification   F:\AutoRun.inf   8cc0bb1a00157351cf02c2d97c0b1831.exe
Drops file in System32 directory (2 IoCs)
description                    ioc                                  Process
File created                   C:\Windows\SysWOW64\_KAV2007.exe     KAV2007.exe
File opened for modification   C:\Windows\SysWOW64\_KAV2007.exe     KAV2007.exe
Suspicious use of SetThreadContext (1 IoC)
description                               pid    Process       procid_target
PID 4880 set thread context of 2296       4880   KAV2007.exe   86
Drops file in Program Files directory (2 IoCs)
description                    ioc                                                                Process
File created                   C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe   8cc0bb1a00157351cf02c2d97c0b1831.exe
File opened for modification   C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe   8cc0bb1a00157351cf02c2d97c0b1831.exe
Program crash (1 IoC)
pid    pid_target   Process        procid_target
2092   2296         WerFault.exe   86
WerFault.exe was invoked for PID 2296, the svchost.exe that KAV2007.exe had written into and whose thread context it reset; the injected process crashed on this Windows 10 image.
Suspicious use of WriteProcessMemory (8 IoCs)
description                           pid    Process                                 procid_target   count
PID 2136 wrote to memory of 4880      2136   8cc0bb1a00157351cf02c2d97c0b1831.exe    85              3
PID 4880 wrote to memory of 2296      4880   KAV2007.exe                             86              5
Three writes from the sample into the KAV2007.exe copy it had just launched, then five writes from KAV2007.exe into svchost.exe, followed by SetThreadContext on the same target (see above): the write-then-redirect pair that characterises process hollowing.
Processes
C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"
  PID: 2136
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe
      command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
      PID: 4880
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\svchost.exe
          command line: "C:\Windows\system32\svchost.exe"
          PID: 2296
            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 12
              PID: 2092
              - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2296 -ip 2296
  PID: 1588
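The signature rows above are raw events; what makes them actionable is the correlation between them: KAV2007.exe (PID 4880) both wrote into and reset the thread context of the svchost.exe it had just spawned, the sample (PID 2136) wrote AutoRun.inf to two drive roots after probing 23 of them, and both processes planted executables in trusted directories. The Python below is an added example, not part of this report and not the sandbox's own rule engine; the event records are transcribed by hand from the rows above (PIDs, image paths and file paths as reported) and the three rules (hollowing pair, AutoRun on drive roots, executable drops under Program Files or Windows) are illustrative checks written for this page.

```python
"""Correlate flattened sandbox behaviour rows into higher-level findings.

Added example: this is not part of the sandbox report and not the sandbox's
own rule logic. The event records below are constructed by hand from the rows
on this page (PIDs, image paths and file paths are copied from the report);
the three correlation rules are illustrative.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Proc:
    pid: int
    image: str                     # image path as recorded by the sandbox
    cmdline: str                   # command line the parent supplied
    parent: Optional[int]
    wrote_to: Set[int] = field(default_factory=set)        # WriteProcessMemory targets
    set_context_of: Set[int] = field(default_factory=set)  # SetThreadContext targets
    files_created: List[str] = field(default_factory=list)
    roots_opened: Set[str] = field(default_factory=set)    # \??\X: opened read-only


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8cc0bb1a00157351cf02c2d97c0b1831.exe"
DROPPED = r"C:\Program Files\Common Files\Microsoft Shared\MSINFO\KAV2007.exe"
SYSWOW_COPY = r"C:\Windows\SysWOW64\_KAV2007.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"

# Constructed from the report's process tree and signature rows (behavioral2).
PROCS: Dict[int, Proc] = {
    2136: Proc(2136, SAMPLE, '"%s"' % SAMPLE, None,
               wrote_to={4880},
               files_created=[DROPPED, r"C:\AutoRun.inf", r"F:\AutoRun.inf"],
               roots_opened={"\\??\\%s:" % d for d in "ABEGHIJKLMNOPQRSTUVWXYZ"}),
    4880: Proc(4880, DROPPED, '"%s"' % DROPPED, 2136,
               wrote_to={2296}, set_context_of={2296},
               files_created=[SYSWOW_COPY]),
    2296: Proc(2296, SVCHOST, r'"C:\Windows\system32\svchost.exe"', 4880),
}

AUTORUN_RE = re.compile(r"^([A-Za-z]):\\autorun\.inf$", re.IGNORECASE)


def hollowing_candidates(procs: Dict[int, Proc]) -> List[dict]:
    """Flag a process that writes into a child it spawned AND resets that
    child's thread context: the WriteProcessMemory + SetThreadContext pair
    behind process hollowing.  A parent that only writes into a fresh child
    (2136 -> 4880 here) is not flagged on its own; CreateProcess does that too."""
    out = []
    for p in procs.values():
        for tgt in sorted(p.wrote_to & p.set_context_of):
            child = procs.get(tgt)
            if child is None or child.parent != p.pid:
                continue
            notes = []
            if child.image.lower().endswith("svchost.exe"):
                # Genuine svchost.exe instances are started by services.exe with
                # a "-k <group>" argument; neither holds for PID 2296.
                if not p.image.lower().endswith("services.exe"):
                    notes.append("svchost parent is not services.exe")
                if "-k" not in child.cmdline.lower().split():
                    notes.append("svchost launched without -k service group")
            out.append({"injector": p.pid, "target": tgt, "notes": notes})
    return out


def autorun_propagation(procs: Dict[int, Proc]) -> List[dict]:
    """Flag AutoRun.inf written to a drive root and report how many drive
    roots the same process probed (the removable-media spreading pattern)."""
    out = []
    for p in procs.values():
        drives = set()
        for f in p.files_created:
            m = AUTORUN_RE.match(f)
            if m:
                drives.add(m.group(1).upper())
        if drives:
            out.append({"pid": p.pid, "autorun_drives": sorted(drives),
                        "roots_probed": len(p.roots_opened)})
    return out


def dropped_into_trusted_dirs(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Executables created under Program Files or the Windows directory, the
    usual hiding places for a persistent copy of a loader."""
    trusted = (r"c:\program files", r"c:\windows")
    return sorted((p.pid, f) for p in procs.values() for f in p.files_created
                  if f.lower().startswith(trusted) and f.lower().endswith(".exe"))


if __name__ == "__main__":
    for finding in hollowing_candidates(PROCS) + autorun_propagation(PROCS):
        print(finding)
    for pid, path in dropped_into_trusted_dirs(PROCS):
        print(pid, "dropped", path)
```

Run as a script it prints one hollowing finding (4880 into 2296, with both svchost notes), one AutoRun finding (drives C and F, 23 roots probed) and the two executable drops. The hollowing rule deliberately requires the SetThreadContext half of the pair, so the three writes from 2136 into its freshly created child 4880 are not reported on their own.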
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 68KB
MD5: 8685fd6e340191c57a725d37da4c2041
SHA1: 41f742f4ccabe7e92105f91d576f9ad8b5c7fd9d
SHA256: e488a48cb41f6e0a6f42bd3191cb9a1b9a801ff59ada7698fd6b03306384c73c
SHA512: 800fa36eb907a4571c4f4d18e4f533aeba779c03326ac39652c83613fda6d248c3aef1c0b6d0437553cfe2f9e1408e7e7ffa3dc12404e6312c6c35ef5d4f7d79

Filesize: 57KB
MD5: 71959f3d95511c35829be4ec361a1de0
SHA1: a483167050aee0dcfe7b129de074a6cc691b5280
SHA256: 526d912f7393d4bd60a685935a3f52ab406821d6d7bfadaf806543b3325da8df
SHA512: f26fba85322bdb80998df1a9c4a7e305ee58e238f732658202b17b9aa9ca4c99e8b70b8a865fe4484e2e3fc0b3343e5105c618bf434e05ff7a256e1b68797030

Filesize: 157KB
MD5: 63f6545f346ba674df9fd99d79232204
SHA1: 785bc1983450cc8c47bcd00ce7169f425685bba7
SHA256: b61eab79f4db2f7a3dea01ccf8aadcdff5d27ca10b6e2a19f94654d4c8f5ecf7
SHA512: a7ce03626e5c93019055c66c649d8afe1e904ddc850955dbc631177fe955191b9c77d3f535c3f0bdb39a868c18fdb283d1625b880137cda0b8da44f61491efd0