Analysis
-
max time kernel
121s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
26/03/2024, 10:06
Static task
static1
Behavioral task
behavioral1
Sample
dee67ad2022a50c9a850345f9f3039ad.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
dee67ad2022a50c9a850345f9f3039ad.exe
Resource
win10v2004-20240226-en
General
-
Target
dee67ad2022a50c9a850345f9f3039ad.exe
-
Size
701KB
-
MD5
dee67ad2022a50c9a850345f9f3039ad
-
SHA1
3e4c82e2ad7dbf797c2d1af1c41939c7147233ac
-
SHA256
797912761cf52fc44dda12c6fa8a0027c92ab06c9c17eb63130d0b6934b7c3f9
-
SHA512
06533c800facb33e67ecc99fad16fe7176705e7efde64c7edd0f4aa9c3c5c5c10d302989dc14cae992be23bdd5ea3e45de6048bd6658a0be8ac51abbede0e90a
-
SSDEEP
12288:Y25vFB7a36YOZ0BHNpFhZ+ylXjDuNKTh41c2obY7N3PocPj:DxX86HMHNpF3HuNKlqochfocPj
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 4 IoCs
resource yara_rule behavioral1/memory/2536-46-0x0000000000400000-0x0000000000521000-memory.dmp modiloader_stage2 behavioral1/memory/2240-51-0x0000000000400000-0x0000000000521000-memory.dmp modiloader_stage2 behavioral1/memory/2536-53-0x0000000000400000-0x0000000000521000-memory.dmp modiloader_stage2 behavioral1/memory/2240-56-0x0000000000400000-0x0000000000521000-memory.dmp modiloader_stage2 -
Executes dropped EXE 2 IoCs
pid Process 2240 8_LHEX~1.EXE 2536 srever.exe -
Loads dropped DLL 7 IoCs
pid Process 1376 dee67ad2022a50c9a850345f9f3039ad.exe 1376 dee67ad2022a50c9a850345f9f3039ad.exe 2240 8_LHEX~1.EXE 2240 8_LHEX~1.EXE 2664 WerFault.exe 2664 WerFault.exe 2664 WerFault.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" dee67ad2022a50c9a850345f9f3039ad.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe 8_LHEX~1.EXE File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe 8_LHEX~1.EXE -
Program crash 1 IoCs
pid pid_target Process procid_target 2664 2536 WerFault.exe 29 -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1376 wrote to memory of 2240 1376 dee67ad2022a50c9a850345f9f3039ad.exe 28 PID 1376 wrote to memory of 2240 1376 dee67ad2022a50c9a850345f9f3039ad.exe 28 PID 1376 wrote to memory of 2240 1376 dee67ad2022a50c9a850345f9f3039ad.exe 28 PID 1376 wrote to memory of 2240 1376 dee67ad2022a50c9a850345f9f3039ad.exe 28 PID 2240 wrote to memory of 2536 2240 8_LHEX~1.EXE 29 PID 2240 wrote to memory of 2536 2240 8_LHEX~1.EXE 29 PID 2240 wrote to memory of 2536 2240 8_LHEX~1.EXE 29 PID 2240 wrote to memory of 2536 2240 8_LHEX~1.EXE 29 PID 2536 wrote to memory of 2664 2536 srever.exe 30 PID 2536 wrote to memory of 2664 2536 srever.exe 30 PID 2536 wrote to memory of 2664 2536 srever.exe 30 PID 2536 wrote to memory of 2664 2536 srever.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\dee67ad2022a50c9a850345f9f3039ad.exe"C:\Users\Admin\AppData\Local\Temp\dee67ad2022a50c9a850345f9f3039ad.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8_LHEX~1.EXEC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\8_LHEX~1.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe"C:\Program Files\Common Files\Microsoft Shared\MSINFO\srever.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2536 -s 2924⤵
- Loads dropped DLL
- Program crash
PID:2664
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
387KB
MD5339c098612d9d5e191ff1ed1cf79e407
SHA14100a767a69410dc46e0cedf9271b19fd77daba5
SHA25693c876b2084c1f27fd1a23e54e3199c4a180303a5648c90d234d86a3f19f8522
SHA5127801e6a24a9a349293d254a3a4bffa62765cb7bf5749a4743a20854adf501acf33ef746a92fc410aad056d3398367607b142a2ab141d09517aa182670776261e