Analysis
-
max time kernel
132s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
15-05-2024 02:21
General
-
Target
3cb0e7646266b60650aa554f75bd9c0b.exe
-
Size
1.0MB
-
MD5
3cb0e7646266b60650aa554f75bd9c0b
-
SHA1
c018d025eb56c4fe7fdd19b2e2169c85f7da55a8
-
SHA256
796faee4e99839d1dd11e7bc1205e67cd89fe31bb6fa6ab2743310868935f671
-
SHA512
f275b38d8e019ff79e4d42f91449ed14707dcd373f6c158ac61ae70d0038baf70680decc4656c3b7dd9e22fd9c6b9e2ed3ff4967c2a5a7948dfc49825c836fa7
-
SSDEEP
24576:rmoO8itEqfZgX7kwa6chgOr00MNFe32UkqD/XDuH+D:qvZ+a6BOKFe32UkC+O
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader First Stage 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cb0e7646266b60650aa554f75bd9c0b.exe"C:\Users\Admin\AppData\Local\Temp\3cb0e7646266b60650aa554f75bd9c0b.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmayk.exe"C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmayk.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\TapiUnattend.exe"C:\Windows\System32\TapiUnattend.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pm.pngFilesize
570KB
MD52dea18e625b3b7e8b85b98e960b21559
SHA194031a8da09c20e63c4adc11a96758fcfa8369d9
SHA25634fd2c420ebffa1c3f54c5802c8f6f5705ef12e431bca9f1dcc518c395043a67
SHA512b4efb730b47dfe7e6324b58e17d62959d28ba78c57feb6314da94e014379476f0204ded0236d66260351a456de74fd46ed47af90ff400c89b60409c9025f23b1
-
C:\Users\Admin\AppData\Local\Temp\pm.pngc\pmayk.exeFilesize
886KB
MD57866de22baa38c927b53fc331fcde99e
SHA1ca899afd50fbb88da439ca8e492b2a992cebe948
SHA2560171e836f4a7ffbf66dea654f4bce360578ba8493032acd2a1b7c8d64cf4b79c
SHA512d3047dfab772a0c9db64d24aa1bc09e07056118e5b964fd09feacde040a7ad0d0c97299596b38b059271fa7ae71e3542ea02e2bfe41d88839ba400381b9b45c4
-
memory/2116-12-0x0000000002490000-0x0000000002491000-memory.dmpFilesize
4KB
-
memory/2116-22-0x0000000000400000-0x0000000000700000-memory.dmpFilesize
3.0MB
