Overview

overview

10

Static

static

3

dff1be24e7...31.exe

windows7-x64

10

dff1be24e7...31.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    145s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26/03/2024, 19:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dff1be24e79ca88d0015556ca63e9531.exe

  • Size

    866KB

  • MD5

    dff1be24e79ca88d0015556ca63e9531

  • SHA1

    81e7c9edea8a1c30932fc09f7a3b6079877a5961

  • SHA256

    d61866514e2dd4fe6bbd8c5483145b1f4ea54f49f52f5365c4c3c7c33c8ef6aa

  • SHA512

    7eabe1655dcf909cb6b572e3715b690c0fdd3c3034891cb258df414f75f274f0ec4ffb5c7aa2e43f09ef5e1145e1519d96bc707cb853c7b727c4b6535dfc5adb

  • SSDEEP

    12288:Hmmo7YNQzGnBaWnBsPDqWOFqetuiaSwXb0lvIfU+5wOAjgctw3+syodhw3a2:GvwQyBaWnBCqyaaNCM2OAjguDqhwq2

Score
10/10
modiloaderevasionpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • ModiLoader Second Stage 24 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\dff1be24e79ca88d0015556ca63e9531.exe
    "C:\Users\Admin\AppData\Local\Temp\dff1be24e79ca88d0015556ca63e9531.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Users\Admin\AppData\Local\Temp\dff1be24e79ca88d0015556ca63e9531.exe
      C:\Users\Admin\AppData\Local\Temp\dff1be24e79ca88d0015556ca63e9531.exe
      2⤵
      • Checks whether UAC is enabled
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe" \melt "C:\Users\Admin\AppData\Local\Temp\dff1be24e79ca88d0015556ca63e9531.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\svchost.exe
          C:\Windows\svchost.exe
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • System policy modification
          PID:1696
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\svchost.exe
    Filesize

    866KB

    MD5

    dff1be24e79ca88d0015556ca63e9531

    SHA1

    81e7c9edea8a1c30932fc09f7a3b6079877a5961

    SHA256

    d61866514e2dd4fe6bbd8c5483145b1f4ea54f49f52f5365c4c3c7c33c8ef6aa

    SHA512

    7eabe1655dcf909cb6b572e3715b690c0fdd3c3034891cb258df414f75f274f0ec4ffb5c7aa2e43f09ef5e1145e1519d96bc707cb853c7b727c4b6535dfc5adb

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    574KB

    MD5

    402ca3771d0ff9c641b744d5ed3e9709

    SHA1

    6b7d2cdc2a83769d2866dc30f0c629633bf0bb62

    SHA256

    5f7c9792d9971595c4022856a0d2f6299933cca3352896588c1d4b4561e6fccc

    SHA512

    12d2fea0708cefb9db7d1c8cf9403653319c2d4e2051aef11d99e2ababeb59f4b76ab63775094ffb01a80711e96386ded422a9cc2370ed825c7808d4f219d313

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\8A3B1BA7
    Filesize

    14B

    MD5

    62ad976fd63fd4fa5fc7a65aca92df8c

    SHA1

    a5ffd74556582059fb7baef46415d75576bdc185

    SHA256

    cd8a34f414da61da3eb95683d9132433534b0af5c700d2fa1a22157940f98e3c

    SHA512

    8c5c965ebc1d583709cd0feb9174c479910b680147c0874c950b826b1dd852c34df16f8df8a42b659aed24c5162580d9653335157e40442bf43c794e83ccd0c6

    Download Submit

  • memory/1540-7-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1540-44-0x00000000035B0000-0x0000000003959000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1540-8-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1540-9-0x0000000000340000-0x0000000000341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1540-10-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1540-14-0x00000000028B0000-0x00000000028C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1540-20-0x00000000035B0000-0x0000000003959000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1540-19-0x0000000000700000-0x0000000000881000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1540-5-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1540-4-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1540-25-0x00000000035B0000-0x0000000003959000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1540-24-0x00000000028B0000-0x00000000028BD000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1540-22-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-36-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-45-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-35-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-58-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-57-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-37-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-40-0x0000000010000000-0x000000001000E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1696-41-0x00000000002C0000-0x00000000002C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1696-42-0x0000000000310000-0x0000000000311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1696-43-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-56-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-55-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-46-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-47-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-48-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-50-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-51-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-52-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-53-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/1696-54-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/2216-6-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2216-0-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2676-23-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2676-34-0x0000000000400000-0x00000000007A9000-memory.dmp

    Filesize

    3.7MB

    Download