Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 11:46
Behavioral task: behavioral1
- Sample: cdm.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: cdm.exe
- Resource: win10v2004-20240419-en
General
- Target: cdm.exe
- Size: 18KB
- MD5: b68b24ef0d7c687eb7dfd5110064dcac
- SHA1: 5578bc11a5a48e25d2b9396e3bac80da706806a8
- SHA256: fff48447b7310f9a0bbec5d2ca71ff3a1ea91fdfcda8d3cb0f87ec75593fd234
- SHA512: ae7937ac2a0b143e16e1b4793720459c1a4f418250c7da989c6a82c17006685d834319cc2928920364cffcf0e02cb257079ab3a7283fedb593c404b39e26f58a
- SSDEEP: 384:NEw7wknHOYXQdhLGPvCaV4pLS7OGQ8xy1CzclRC0vqXne:NEw7wkHOYEGPvCaV4pLzb1fm0v
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  Processes:
  - behavioral2/memory/3184-8-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: modiloader_stage2)
  - behavioral2/memory/3644-10-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: modiloader_stage2)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: cdm.exe
  - description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation; process: cdm.exe
- Executes dropped EXE (1 IoC)
  Processes: AdobeART.exe
  - pid: 3644; process: AdobeART.exe
- YARA rule matches
  Processes:
  - behavioral2/memory/3184-0-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
  - C:\Users\Admin\AppData\Roaming\AdobeART.exe (yara_rule: upx)
  - behavioral2/memory/3184-8-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
  - behavioral2/memory/3644-10-0x0000000000400000-0x0000000000414000-memory.dmp (yara_rule: upx)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: AdobeART.exe
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobeART = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeART.exe"; process: AdobeART.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cdm.exe
  - description: PID 3184 wrote to memory of 3644; pid: 3184; process: cdm.exe; target process: AdobeART.exe
  - description: PID 3184 wrote to memory of 3644; pid: 3184; process: cdm.exe; target process: AdobeART.exe
  - description: PID 3184 wrote to memory of 3644; pid: 3184; process: cdm.exe; target process: AdobeART.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\cdm.exe "C:\Users\Admin\AppData\Local\Temp\cdm.exe" (PID: 3184)
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\AdobeART.exe "C:\Users\Admin\AppData\Roaming\AdobeART.exe" (PID: 3644)
    - Executes dropped EXE
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15