Analysis

  • max time kernel
    22s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2024, 17:49

General

  • Target

    8cf591136fec7bd474a84c232e01155a.exe

  • Size

    719KB

  • MD5

    8cf591136fec7bd474a84c232e01155a

  • SHA1

    2e7abf19970c4bfe1bd7a83542d31dec71aa2240

  • SHA256

    791e84d0017b4fabe903ae49cf3379bfd333c23d927b402d85e9d9bd669ba52f

  • SHA512

    45d581c3c406c3959b240d16f5ac409e7ac8c68718dfe96e57315adc6f21e3c6d94434cc6f9f5843e4a616559e0e663d1bd2d023f92e5ed03d7128c2a4e08235

  • SSDEEP

    12288:6XgPVmsO7H+JeYkZQors8sEyMGXxeDlX4EEPSwDfAmgBJbf8AwnBrRm8dZ/X:AoZ3J78GEX4bEmCb+rRvZ/X

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage (3 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe
    "C:\Users\Admin\AppData\Local\Temp\8cf591136fec7bd474a84c232e01155a.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3992
    • C:\Users\Admin\cog.exe
      cog.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3324
      • C:\Users\Admin\cog.exe
        cog.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4272
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del 8cf591136fec7bd474a84c232e01155a.exe
      2⤵
      PID:4872
    • C:\Users\Admin\cof.exe
      cof.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3288
    • C:\Users\Admin\cod.exe
      cod.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:232
    • C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe
      B85EgtCQKi4p6Z9Kt2.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:5076
  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\XmphtpT.dll",Startup
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\XmphtpT.dll

            Filesize

            103KB

            MD5

            be60099ceffb0aece0bc0c52998e9d65

            SHA1

            6ff11181390b5eccfb9a832ea5311d58bcc7a3a3

            SHA256

            e41f195954abff7c7bdc150773ad9f0b4029a883386ac179c1aa9d44f9ab6e4a

            SHA512

            c4beef5b86370a959b624041cc2db1de2da07a15df17077d728ea74036398fd1e62b6e7e147c53ea944606d751d0934f423b70193ad570a8cba097a823facdc0

          • C:\Users\Admin\B85EgtCQKi4p6Z9Kt2.exe

            Filesize

            152KB

            MD5

            72e9d71fe7ad21610b846614566d6e2f

            SHA1

            35071ef247823ff6fa675449c6506caa2f5b145f

            SHA256

            4dc0b35a38321c71c24289acf43c102e6aa875307f830900d39f25491c83cda9

            SHA512

            14431710838e2eea0fdb3a7b73743b6d101ec6a4ceebdf0716e2855e845bd2b1722e5178d310a24ce7e5754076a9dc0e62f351c1518c391c6db8533af35203f3

          • C:\Users\Admin\baugig.exe

            Filesize

            152KB

            MD5

            f091e5fa9e30e83ec2d3459d1f98b042

            SHA1

            cec0a10b627d17e48f20b4090ca96d90a5dc0611

            SHA256

            62079f5ae2f1cb501e16f6df4c523faddb7b9777a4e983a73508edc579f4f6c8

            SHA512

            8d9bee720a3a2ef4699fb58387c1677fe7ec96d6756004bbb7febcc752bcdb4720b726ea3dceeaebf0c2f6a09e09b8a41b7912eac70188169a60a4e43a3b291d

          • C:\Users\Admin\cod.exe

            Filesize

            56KB

            MD5

            c7f5ebab338e2879b2809b3828d0807d

            SHA1

            1fc561bd445eb7e6e3bd709d0ee70f23edf27fa3

            SHA256

            6ac792e9d80ff13ddaa11610f95a23e2d1c0746e9a7c5511c2048c15babc6009

            SHA512

            51c6fcd637e0e1ca2d3f47d20a303b457eba5a94e119c73332ec70427c947b11f40f27f0cbb932549284fb8da78b7f6d4546b473aef42f98c3a677942d10a24e

          • C:\Users\Admin\cod.exe

            Filesize

            176KB

            MD5

            dbadc5fadb7497f5761537c06026ff47

            SHA1

            c8bd7319e170bd5966a73bae6f34cee4782b4f97

            SHA256

            b8fdc5c5f8aa378ef3ba8ee5172550a8f7ca295bebe858dab8ec171f1328036e

            SHA512

            7bced6bbdeb0f770d78f199d16d8ed86e90794141df101d1bb4878c55313af058a5551e0df2da65f6cd3507185cca13c7459aabf97c22faa83518b53321c2b7e

          • C:\Users\Admin\cof.exe

            Filesize

            103KB

            MD5

            d15f3d9213e5972e1e2c069448d6f228

            SHA1

            224f67d7bcb15f1921211d68df19a072dc84ccfe

            SHA256

            9c0e3fcd2615c0a3678e77583970c5d9401ea223db3e517d048453db6427214d

            SHA512

            3e53dde211235f50f7507839f4f0e8ef6c0456f4f92b40e3a9d57eb64c1ee17774698858213e1cdefb8e87803648ff97001b2a00ad2c2c6b0c896774b1e785e3

          • C:\Users\Admin\cof.exe

            Filesize

            45KB

            MD5

            40310de11405420a15881f31a5965af0

            SHA1

            c6e4971184a6f40165f24c6a39465296a4d436cd

            SHA256

            ae9b5256dedd4289ce5126fae9566e91861c18cfb66907ccb2c087887c6064f7

            SHA512

            725908fd0631618190e370d9bce877ca48777e5d062cdb1cae7e83124275b33b1e8ca88881ce7e77d0b30377a240fbb285e648075371d2a74bbd1bd4d14725e6

          • C:\Users\Admin\cog.exe

            Filesize

            145KB

            MD5

            262a039229f90ba2461f2e810ad74447

            SHA1

            9dfe5040a3d6ea8262313953c02a1e6ae39c6916

            SHA256

            e20729c3095a40a637efb304bdf57902cd4948f22406138e0dbdf28f034cedb3

            SHA512

            d7612cdbc38aea73462aa7851ab3078dfb89a1b4c96414f5d8144c456f694971f08a79bbb1a738ffeb273f99122432b1009cbf4bd483884dd50ca115a64ef641

          • C:\Users\Admin\cog.exe

            Filesize

            72KB

            MD5

            2e3317b4abb4e3931ac16e0f1d5ed9e7

            SHA1

            79317fd0874a16a1aa7ac8ce77c951f5b640d3fe

            SHA256

            f9e727496f2bb12b9229a827a95c3db9b6a34e58074b6ad59a8ae9be17afd976

            SHA512

            c0462a0ac973f4a0c9c817ee85e6ca0f3cbca60d37672293fc034b82fa2d06769993972ff68af9c63b37670031fad81b295266ee59166b0b665e5e780741505e

          • memory/232-31-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/232-24-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/232-36-0x00000000005E1000-0x00000000005E2000-memory.dmp

            Filesize

            4KB

          • memory/232-35-0x00000000005E0000-0x0000000000638000-memory.dmp

            Filesize

            352KB

          • memory/232-39-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/232-13-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/232-25-0x0000000000400000-0x0000000000458000-memory.dmp

            Filesize

            352KB

          • memory/2416-33-0x0000000010000000-0x000000001001D000-memory.dmp

            Filesize

            116KB

          • memory/2416-37-0x0000000002700000-0x0000000002710000-memory.dmp

            Filesize

            64KB

          • memory/2416-38-0x0000000002700000-0x0000000002710000-memory.dmp

            Filesize

            64KB

          • memory/2416-50-0x0000000010000000-0x000000001001D000-memory.dmp

            Filesize

            116KB

          • memory/3288-34-0x0000000010000000-0x000000001001D000-memory.dmp

            Filesize

            116KB

          • memory/3288-22-0x0000000010000000-0x000000001001D000-memory.dmp

            Filesize

            116KB

          • memory/3288-21-0x0000000002240000-0x0000000002250000-memory.dmp

            Filesize

            64KB

          • memory/3288-23-0x0000000002240000-0x0000000002250000-memory.dmp

            Filesize

            64KB

          • memory/3324-47-0x0000000000400000-0x0000000000427000-memory.dmp

            Filesize

            156KB

          • memory/4272-40-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

          • memory/4272-41-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

          • memory/4272-42-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

          • memory/4272-43-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

          • memory/4272-44-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

          • memory/4272-49-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB

          • memory/4272-51-0x0000000000400000-0x000000000040B000-memory.dmp

            Filesize

            44KB