Overview

overview

10

Static

static

10

d679ca0c28...ce.exe

windows7-x64

10

d679ca0c28...ce.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
  • submitted
    19-03-2024 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d679ca0c28d63880a620b97b7ea4a4ce.exe

  • Size

    667KB

  • MD5

    d679ca0c28d63880a620b97b7ea4a4ce

  • SHA1

    4b72f5ca012d07c5611f70975c63e3ab4886a08b

  • SHA256

    58b453df84ee1a95c448ff6988371fddc921dbe52750a36199a4a7f0e1867c17

  • SHA512

    d92c73f73a13976260ae3ec1e5918f0f743a64160011c496f8ff67fd518cbc95999762070cdfb21fd2403962620eca9d5eb0cec2ff0d5ab54364bdb860318526

  • SSDEEP

    12288:WbMqmlEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WIvEEb4Ev/ATEXKGVnGTzpA1Ec1A

Score
10/10
modiloaderevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • ModiLoader Second Stage 10 IoCs
  • Disables taskbar notifications via registry modification
    evasion
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 52 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 18 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d679ca0c28d63880a620b97b7ea4a4ce.exe
    "C:\Users\Admin\AppData\Local\Temp\d679ca0c28d63880a620b97b7ea4a4ce.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2144
    • C:\Users\Admin\AppData\Local\Temp\d679ca0c28d63880a620b97b7ea4a4ce.exe
      d679ca0c28d63880a620b97b7ea4a4ce.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:460
      • C:\Users\Admin\DV245F.exe
        C:\Users\Admin\DV245F.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2544
        • C:\Users\Admin\viiox.exe
          "C:\Users\Admin\viiox.exe"
          4⤵
          • Modifies visiblity of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2728
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            5⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:2436
      • C:\Users\Admin\aohost.exe
        C:\Users\Admin\aohost.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Users\Admin\aohost.exe
          aohost.exe
          4⤵
          • Executes dropped EXE
          • Maps connected drives based on registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\aohost.exe > nul
            5⤵
              PID:2312
        • C:\Users\Admin\bohost.exe
          C:\Users\Admin\bohost.exe
          3⤵
          • Modifies security service
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2476
          • C:\Users\Admin\bohost.exe
            C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\932A7\65707.exe%C:\Users\Admin\AppData\Roaming\932A7
            4⤵
            • Executes dropped EXE
            PID:1036
          • C:\Users\Admin\bohost.exe
            C:\Users\Admin\bohost.exe startC:\Program Files (x86)\A7C9E\lvvm.exe%C:\Program Files (x86)\A7C9E
            4⤵
            • Executes dropped EXE
            PID:1344
        • C:\Users\Admin\dohost.exe
          C:\Users\Admin\dohost.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2292
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c tasklist&&del d679ca0c28d63880a620b97b7ea4a4ce.exe
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:1572
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:336
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1580

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Create or Modify System Process

    1
    T1543

    Windows Service

    1
    T1543.003

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    5
    T1112

    Credential Access

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Process Discovery

    1
    T1057

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\932A7\7C9E.32A
      Filesize

      600B

      MD5

      7a5aa74bc2daff414090626f7c44eaba

      SHA1

      69d442f9f49be19fdbc42377f6873adb2cb83c02

      SHA256

      4b54c6a797ee51e7e3e3ac8f833d84fdc63495a5d680758cc812303199cc3e89

      SHA512

      733eab33fbe7543ab9c5ac6272d2c1f2f322008a2972e6b7f81298bef2061b31952edcdf6c66bb0937888df8d0e804a5ae74ef0bbc9be49188d27ec7879ddcd0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\932A7\7C9E.32A
      Filesize

      1KB

      MD5

      147f81ea39ad3572b4415557138de86f

      SHA1

      5304fd45257c77f20b2dec194db7fed43449394e

      SHA256

      decdf577a3ec87c2f57f2c0bbd6a1ec55d8407d4cf36a56033c18b2a3e91286f

      SHA512

      4d5dce6abe82a7fa03797f3301e494bcc642ee8225dfaf47c662e6a74b61bd4d8879347c7f1cd721f50428595be68d7ddf092e4d569114c19ed20f0a8a46f7f2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\932A7\7C9E.32A
      Filesize

      1KB

      MD5

      ab8eae15e93c31d6fb596669534ae477

      SHA1

      869bc75f995fe5526ee32c90833cf418934d8bd1

      SHA256

      2687127dc1f1ab18ab6f9b027b7dc71961e5b819345a2c3e9ac3b0b60e5f7b41

      SHA512

      dd8728bab6b75ad2e397a8ce494614ba382085517f62931406b3aa81f2ec2579246e0a4a280c32d84b1956d81fbd4f31cee62323ddac9254c8bc49aecdfeb783

      Download Submit

    • \Users\Admin\DV245F.exe
      Filesize

      216KB

      MD5

      00b1af88e176b5fdb1b82a38cfdce35b

      SHA1

      c0f77262df92698911e0ac2f7774e93fc6b06280

      SHA256

      50f026d57fea9c00d49629484442ea59cccc0053d7db73168d68544a3bbf6f59

      SHA512

      9e55e7c440af901f9c6d0cdae619f6e964b9b75c9351c76ea64362ff161c150b12a1caabb3d2eb63353a59ae70e7159ca6b3793ed0cc11994766846ac316107f

      Download Submit

    • \Users\Admin\aohost.exe
      Filesize

      152KB

      MD5

      4401958b004eb197d4f0c0aaccee9a18

      SHA1

      50e600f7c5c918145c5a270b472b114faa72a971

      SHA256

      4c477ed134bc76fa7b912f1aad5e59d4f56f993baa16646e25fec2fdeed3bd8b

      SHA512

      f0548bdaafce2cde2f9d3bd1c26ed3c8e9321ef6d706bd372e18886d834828e5bb54ae44f19764e94574ceb4a1a2a99bdd8476e174b05114fcac9a6d4a2d58e6

      Download Submit

    • \Users\Admin\bohost.exe
      Filesize

      173KB

      MD5

      0578a41258df62b7b4320ceaafedde53

      SHA1

      50e7c0b00f8f1e5355423893f10ae8ee844d70f4

      SHA256

      18941e3030ef70437a5330e4689ec262f887f6f6f1da1cd66c0cbae2a76e75bf

      SHA512

      5870a73798bad1f92b4d79f20bf618112ec8917574f6b25ab968c47afff419a829eef57b0282fb4c53e6e636436c8cf52a01426c46bdd4a0ea948d371f0feb09

      Download Submit

    • \Users\Admin\dohost.exe
      Filesize

      24KB

      MD5

      d7390e209a42ea46d9cbfc5177b8324e

      SHA1

      eff57330de49be19d2514dd08e614afc97b061d2

      SHA256

      d2d49c37bdf2313756897245c3050494b39e824af448450eca1c0e83cf95b1e5

      SHA512

      de0eb11dd20cd9d74f47b138fb4189a299a57173fe2635150045b01629354f35b26e0575acd25501403af0db238a123b2e5a79582b47aee1d6e786f5eec1929d

      Download Submit

    • \Users\Admin\viiox.exe
      Filesize

      216KB

      MD5

      5f20c10fe71c105dfa8e28f6bb7ae89f

      SHA1

      5b571f652aa4f1f62c6f73b213e50fcd41b585bb

      SHA256

      533354265711d1c64e250666365d900e86e96b745b1dac8b2639c92c21d34ff5

      SHA512

      251565569e36a5d124418d7828ecb17b80269624d149aaa6aae60d8741383bdbbe363b852843b38666d93fe6dcd69fb7f9a2d7334808dd96958ae562b6791188

      Download Submit

    • memory/460-12-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-3-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-13-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-0-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-11-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-50-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-2-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-5-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/460-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/460-299-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/1036-109-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1036-261-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1036-108-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1036-110-0x0000000000510000-0x0000000000610000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1344-186-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1344-185-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1344-187-0x0000000000600000-0x0000000000700000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1580-301-0x0000000004450000-0x0000000004451000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1580-305-0x0000000004450000-0x0000000004451000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2144-9-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2476-190-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2476-83-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2476-84-0x0000000000550000-0x0000000000650000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2476-112-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2476-304-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2476-189-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2476-298-0x0000000000400000-0x0000000000452000-memory.dmp

      Filesize

      328KB

      Download

    • memory/2544-42-0x00000000034B0000-0x0000000003F6A000-memory.dmp

      Filesize

      10.7MB

      Download

    • memory/2600-65-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2600-51-0x0000000000400000-0x000000000041E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2816-72-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-71-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-69-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-68-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-60-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-57-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-55-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2816-53-0x0000000000400000-0x0000000000427000-memory.dmp

      Filesize

      156KB

      Download