Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
05-05-2024 11:46
Behavioral task
behavioral1
Sample
cdm.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cdm.exe
Resource
win10v2004-20240419-en
General
-
Target
cdm.exe
-
Size
18KB
-
MD5
b68b24ef0d7c687eb7dfd5110064dcac
-
SHA1
5578bc11a5a48e25d2b9396e3bac80da706806a8
-
SHA256
fff48447b7310f9a0bbec5d2ca71ff3a1ea91fdfcda8d3cb0f87ec75593fd234
-
SHA512
ae7937ac2a0b143e16e1b4793720459c1a4f418250c7da989c6a82c17006685d834319cc2928920364cffcf0e02cb257079ab3a7283fedb593c404b39e26f58a
-
SSDEEP
384:NEw7wknHOYXQdhLGPvCaV4pLS7OGQ8xy1CzclRC0vqXne:NEw7wkHOYEGPvCaV4pLzb1fm0v
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses legitimate cloud services to download and run other malware families.
-
ModiLoader Second Stage 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2492-11-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
behavioral1/memory/2844-14-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
2844   AdobeART.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid    process
2492   cdm.exe
2492   cdm.exe
-
UPX packed file 6 IoCs
Processes:
resource                                                                      yara_rule
behavioral1/memory/2492-0-0x0000000000400000-0x0000000000414000-memory.dmp    upx
\Users\Admin\AppData\Roaming\AdobeART.exe                                     upx
behavioral1/memory/2492-5-0x0000000002580000-0x0000000002594000-memory.dmp    upx
behavioral1/memory/2844-13-0x0000000000400000-0x0000000000414000-memory.dmp   upx
behavioral1/memory/2492-11-0x0000000000400000-0x0000000000414000-memory.dmp   upx
behavioral1/memory/2844-14-0x0000000000400000-0x0000000000414000-memory.dmp   upx
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description       ioc                                                                                                                                                   process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"   AdobeART.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                         pid    process   target process
PID 2492 wrote to memory of 2844    2492   cdm.exe   AdobeART.exe
PID 2492 wrote to memory of 2844    2492   cdm.exe   AdobeART.exe
PID 2492 wrote to memory of 2844    2492   cdm.exe   AdobeART.exe
PID 2492 wrote to memory of 2844    2492   cdm.exe   AdobeART.exe
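The signature entries above are flattened table cells, and the memory-dump names encode the process and address range each YARA hit came from. The following Python is an added example by the editor, not part of the Triage report or of any Triage tooling: it parses the three IoC notations used on this page (memory-dump names, the registry "Set value" line and the WriteProcessMemory lines) from sample strings copied off this page and constructed inline. The field layout it assumes is read off these lines only; that every report uses exactly this layout is an assumption of the example. Run as written, it shows that both cdm.exe (PID 2492) and the dropped AdobeART.exe (PID 2844) carry the modiloader_stage2 and upx hits on the same 0x400000-0x414000 range (0x14000 bytes), that the second dumped region in 2492 has the same size, that the Run value was written under Wow6432Node, and that the four WriteProcessMemory events collapse to a single 2492 -> 2844 edge.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: IoC strings copied from this report's signature
# section. The layouts parsed below (task/memory/<pid>-<seq>-<start>-<end>-
# memory.dmp, 'Set value (type) <key>\<name> = "<data>"', 'PID <src> wrote to
# memory of <dst> <src> <src.exe> <dst.exe>') are read off the page; that every
# Triage report uses exactly these layouts is an assumption of this example.
YARA_HITS = [
    ("behavioral1/memory/2492-11-0x0000000000400000-0x0000000000414000-memory.dmp", "modiloader_stage2"),
    ("behavioral1/memory/2844-14-0x0000000000400000-0x0000000000414000-memory.dmp", "modiloader_stage2"),
    ("behavioral1/memory/2492-0-0x0000000000400000-0x0000000000414000-memory.dmp", "upx"),
    ("behavioral1/memory/2492-5-0x0000000002580000-0x0000000002594000-memory.dmp", "upx"),
    ("behavioral1/memory/2844-13-0x0000000000400000-0x0000000000414000-memory.dmp", "upx"),
    ("behavioral1/memory/2492-11-0x0000000000400000-0x0000000000414000-memory.dmp", "upx"),
    ("behavioral1/memory/2844-14-0x0000000000400000-0x0000000000414000-memory.dmp", "upx"),
]
RUN_KEY_IOC = (
    r"Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows"
    r"\CurrentVersion\Run\AdobeART = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"'
)
WPM_IOCS = ["PID 2492 wrote to memory of 2844 2492 cdm.exe AdobeART.exe"] * 4

MEM_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
RUN_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<path>\S+) = "(?P<data>.*)"$')
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass(frozen=True)
class MemoryDump:
    task: str
    pid: int
    seq: int    # dump sequence number within the task, not a timestamp
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_memory_dump(name: str) -> MemoryDump:
    m = MEM_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump IoC: {name}")
    return MemoryDump(m["task"], int(m["pid"]), int(m["seq"]),
                      int(m["start"], 16), int(m["end"], 16))


def rules_by_pid(hits):
    """Map each PID to the set of YARA rules that fired on its memory."""
    out = defaultdict(set)
    for name, rule in hits:
        out[parse_memory_dump(name).pid].add(rule)
    return dict(out)


def shared_regions(hits):
    """Address ranges that were dumped from more than one process."""
    pids = defaultdict(set)
    for name, _ in hits:
        d = parse_memory_dump(name)
        pids[(d.start, d.end)].add(d.pid)
    return {r: sorted(p) for r, p in pids.items() if len(p) > 1}


def parse_run_key(line: str) -> dict:
    m = RUN_RE.match(line)
    if not m:
        raise ValueError(f"not a registry IoC: {line}")
    key, name = m["path"].rsplit("\\", 1)
    return {
        "type": m["vtype"],
        "key": key,
        "name": name,
        # the report doubles backslashes inside the quoted data; undo that
        "data": m["data"].replace("\\\\", "\\"),
        # Wow6432Node is where WOW64 redirects 32-bit writers on x64 Windows
        "wow6432": "\\Wow6432Node\\" in key,
        "autostart": key.endswith("\\CurrentVersion\\Run"),
    }


def write_edges(lines):
    """Count WriteProcessMemory events per (writer pid, target pid) pair."""
    edges = Counter()
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"not a WriteProcessMemory IoC: {line}")
        edges[(int(m["src"]), int(m["dst"]))] += 1
    return dict(edges)


if __name__ == "__main__":
    print("rules per pid:", rules_by_pid(YARA_HITS))
    print("regions in >1 process:", {f"{s:#x}-{e:#x}": p for (s, e), p in shared_regions(YARA_HITS).items()})
    print("run key:", parse_run_key(RUN_KEY_IOC), "| write edges:", write_edges(WPM_IOCS))
```

The same address range and size appearing in both the parent and the dropped child is what you would expect when the child is a copy of the same UPX-packed image; the parser only surfaces that coincidence, it does not prove it. Treat the Wow6432Node path as the place to look on an x64 host when hunting for this Run value, since a 32-bit writer never lands in the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.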
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdm.exe
  "C:\Users\Admin\AppData\Local\Temp\cdm.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2492
  -
  C:\Users\Admin\AppData\Roaming\AdobeART.exe
    "C:\Users\Admin\AppData\Roaming\AdobeART.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2844
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
18KB
MD5 b68b24ef0d7c687eb7dfd5110064dcac
SHA1 5578bc11a5a48e25d2b9396e3bac80da706806a8
SHA256 fff48447b7310f9a0bbec5d2ca71ff3a1ea91fdfcda8d3cb0f87ec75593fd234
SHA512 ae7937ac2a0b143e16e1b4793720459c1a4f418250c7da989c6a82c17006685d834319cc2928920364cffcf0e02cb257079ab3a7283fedb593c404b39e26f58a