Analysis

  • max time kernel
    93s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/02/2024, 04:08 UTC

General

  • Target

    9ab78b703e248f58de1a797591c6630b.exe

  • Size

    765KB

  • MD5

    9ab78b703e248f58de1a797591c6630b

  • SHA1

    a59946346b8f875cc7ad6c0024db14da8928fa74

  • SHA256

    9667031ee31c3492a484e102744829c6e83fec13c37a3a2c95a1679cb6aef59a

  • SHA512

    c68f78d5f0709da8ff82445d26cf563d8001fae3abe42dc6008bf33aa6ec81386ead83e016321de98d1f9f4ac3ba4e6665fa58e64bc0993a557bb7ef9441dda7

  • SSDEEP

    12288:NtPUekZkx1AEyYmueCkXyShXz2/iINCM3V5TDXTLwc9RdvK:NtnexEyYmufzyo/YcXDXTBHy

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ab78b703e248f58de1a797591c6630b.exe
    "C:\Users\Admin\AppData\Local\Temp\9ab78b703e248f58de1a797591c6630b.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoiceda.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoiceda.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3320
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
        • Suspicious use of UnmapMainImage
        PID:2004
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 12
          4⤵
          • Program crash
          PID:4676
      • C:\program files\internet explorer\IEXPLORE.EXE
        "C:\program files\internet explorer\IEXPLORE.EXE"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4352
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4352 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat""
      2⤵
        PID:3080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2004 -ip 2004
      1⤵
        PID:5096

      Network

      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.178.17.96.in-addr.arpa
        IN PTR
        Response
        209.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-209deploystaticakamaitechnologiescom
      • flag-us
        DNS
        api.bing.com
        IEXPLORE.EXE
        Remote address:
        8.8.8.8:53
        Request
        api.bing.com
        IN A
        Response
        api.bing.com
        IN CNAME
        api-bing-com.e-0001.e-msedge.net
        api-bing-com.e-0001.e-msedge.net
        IN CNAME
        e-0001.e-msedge.net
        e-0001.e-msedge.net
        IN A
        13.107.5.80
      • flag-us
        DNS
        22.160.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.160.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.205.72.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.205.72.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        198.187.3.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        198.187.3.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        161.19.199.152.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        161.19.199.152.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        217.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.135.221.88.in-addr.arpa
        IN PTR
        Response
        217.135.221.88.in-addr.arpa
        IN PTR
        a88-221-135-217deploystaticakamaitechnologiescom
      • flag-us
        DNS
        31.243.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        31.243.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        173.178.17.96.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        173.178.17.96.in-addr.arpa
        IN PTR
        Response
        173.178.17.96.in-addr.arpa
        IN PTR
        a96-17-178-173deploystaticakamaitechnologiescom
      • 204.79.197.200:443
        ieonline.microsoft.com
        tls, http2
        IEXPLORE.EXE
        1.2kB
        8.1kB
        15
        14
      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
        147 B
        1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        209.178.17.96.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        209.178.17.96.in-addr.arpa

      • 8.8.8.8:53
        api.bing.com
        dns
        IEXPLORE.EXE
        58 B
        134 B
        1
        1

        DNS Request

        api.bing.com

        DNS Response

        13.107.5.80

      • 8.8.8.8:53
        22.160.190.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        22.160.190.20.in-addr.arpa

      • 8.8.8.8:53
        95.221.229.192.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        95.221.229.192.in-addr.arpa

      • 8.8.8.8:53
        228.249.119.40.in-addr.arpa
        dns
        73 B
        159 B
        1
        1

        DNS Request

        228.249.119.40.in-addr.arpa

      • 8.8.8.8:53
        209.205.72.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        209.205.72.20.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        198.187.3.20.in-addr.arpa
        dns
        71 B
        157 B
        1
        1

        DNS Request

        198.187.3.20.in-addr.arpa

      • 8.8.8.8:53
        161.19.199.152.in-addr.arpa
        dns
        73 B
        144 B
        1
        1

        DNS Request

        161.19.199.152.in-addr.arpa

      • 8.8.8.8:53
        217.135.221.88.in-addr.arpa
        dns
        73 B
        139 B
        1
        1

        DNS Request

        217.135.221.88.in-addr.arpa

      • 8.8.8.8:53
        31.243.111.52.in-addr.arpa
        dns
        72 B
        158 B
        1
        1

        DNS Request

        31.243.111.52.in-addr.arpa

      • 8.8.8.8:53
        173.178.17.96.in-addr.arpa
        dns
        72 B
        137 B
        1
        1

        DNS Request

        173.178.17.96.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\Microsoft Shared\MSINFO\SgotoDel.bat

        Filesize

        184B

        MD5

        abfe983036b1ab4bbe2d9f7b4d83b980

        SHA1

        b821234f3bf623d05e64c967f1be42d767604217

        SHA256

        dc123e3cdfd21b30eba4f8961aac0ebc54f29ee5f0fc0593d6e69b82df52c08a

        SHA512

        b38df7eb4b85d978a95f4233a0a826aeab23048f276f07d228472d58997bf399ffd4ced77bcb87a64aac1cfa1a5964dc21d3060c8355cff3d90ac6a791ae8503

      • C:\Program Files\Common Files\microsoft shared\MSInfo\rejoiceda.exe

        Filesize

        765KB

        MD5

        9ab78b703e248f58de1a797591c6630b

        SHA1

        a59946346b8f875cc7ad6c0024db14da8928fa74

        SHA256

        9667031ee31c3492a484e102744829c6e83fec13c37a3a2c95a1679cb6aef59a

        SHA512

        c68f78d5f0709da8ff82445d26cf563d8001fae3abe42dc6008bf33aa6ec81386ead83e016321de98d1f9f4ac3ba4e6665fa58e64bc0993a557bb7ef9441dda7

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        34a715b7eff98727a79196c12548166d

        SHA1

        d5e289b29da4499777553a8a18000554d3664059

        SHA256

        6b41a389423de69980de3d667fca2f72e5ce6224dcea62d765862d07e76f9f01

        SHA512

        62de58bac2f19abcfd8503f2b0abf64872a6354c140e020975d40fda1c975ed3ccc9f05a58ab45663c3eee52dbb5d6974aca6df78f7e60e780f5320622516860

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        b5331f3e28857c8e913697214210c204

        SHA1

        3e98433e66e4ebde6bcc1835025fc339f1ad5cba

        SHA256

        bf98ed986fd2040c4c070889016d37e38d93c908bde7d325beb3c8820f1ab654

        SHA512

        685031d5089a474c2a047773991b40461c8eae4dc45cd84b517875a404afc6a4c6b7dd4db9d589cc31680b9201f853c43759da8319c4196a9b64bcd0fbfd42ed

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NSWVVUXL\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • memory/2004-9-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/3320-8-0x00000000009A0000-0x00000000009A1000-memory.dmp

        Filesize

        4KB

      • memory/3320-12-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      • memory/4352-11-0x00000000005B0000-0x0000000000678000-memory.dmp

        Filesize

        800KB

      • memory/4956-0-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

        Filesize

        4KB

      • memory/4956-15-0x0000000000400000-0x00000000004C8000-memory.dmp

        Filesize

        800KB

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.