Analysis
- max time kernel: 146s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 16-05-2024 02:22
Behavioral task: behavioral1
- Sample: 432e63d7004f7ea486780b4db1cf19b4.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 432e63d7004f7ea486780b4db1cf19b4.exe
- Resource: win10v2004-20240426-en
General
- Target: 432e63d7004f7ea486780b4db1cf19b4.exe
- Size: 40KB
- MD5: 432e63d7004f7ea486780b4db1cf19b4
- SHA1: 1ee43f61b077894d55d7845985a2233a6789054f
- SHA256: 62b0051b6b1143036381a84cb3ed5827bdf32525a42c94dad86cdf0b98e3364b
- SHA512: 727449dca8e04d6c3778d4e6b77a1a3d0cac545b4b6b1e175e6c270eb134ff67f987c483be372113c9ded4285ed9e8625b5d4569c1b11ff3fe7b032076cc3a6d
- SSDEEP: 384:uERUycqc7QWq0byp5RkQAjZvRJXSUL1IHCj6Hqr+IOaT09X41LzjWcH1koTY6RvG:uBycquQyb2sZvFUK0eLzjJyWM02pP8
Malware Config
Signatures

- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

- ModiLoader Second Stage (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windefender.exe | modiloader_stage2
  behavioral1/memory/1368-8-0x0000000000400000-0x0000000000410000-memory.dmp | modiloader_stage2
  behavioral1/memory/3004-10-0x0000000000400000-0x0000000000410000-memory.dmp | modiloader_stage2

- Executes dropped EXE (1 IoC)
  pid | process
  3004 | Windefender.exe

- Loads dropped DLL (2 IoCs)
  pid | process
  1368 | 432e63d7004f7ea486780b4db1cf19b4.exe
  1368 | 432e63d7004f7ea486780b4db1cf19b4.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windefender = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windefender.exe\"" | Windefender.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | process | target process
  PID 1368 wrote to memory of 3004 | 1368 | 432e63d7004f7ea486780b4db1cf19b4.exe | Windefender.exe
  PID 1368 wrote to memory of 3004 | 1368 | 432e63d7004f7ea486780b4db1cf19b4.exe | Windefender.exe
  PID 1368 wrote to memory of 3004 | 1368 | 432e63d7004f7ea486780b4db1cf19b4.exe | Windefender.exe
  PID 1368 wrote to memory of 3004 | 1368 | 432e63d7004f7ea486780b4db1cf19b4.exe | Windefender.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\432e63d7004f7ea486780b4db1cf19b4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\432e63d7004f7ea486780b4db1cf19b4.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (2, child of 1) C:\Users\Admin\AppData\Roaming\Windefender.exe
    command line: "C:\Users\Admin\AppData\Roaming\Windefender.exe"
    - Executes dropped EXE
    - Adds Run key to start application
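The three behaviours the signatures above chain together (a dropped copy of the sample in %APPDATA%, a Run key pointing at it, and the parent writing into the memory of the child it just spawned) are the kind of thing a detection engineer would want to match from sandbox or EDR telemetry rather than by eye. The following Python is an added example, not part of the report or of any sandbox vendor's code: it runs three checks over a constructed event list whose PIDs, paths, hashes and registry path are taken from this page, while the event schema itself (`type`, `pid`, `child_pid`, `target_pid`, `key`, `value`) is an assumption of the example.

```python
"""Match the ModiLoader/DBatLoader behaviours from the report above over constructed events.

Added example; the event schema is assumed, the PIDs, paths, hashes and registry
path are the ones the sandbox report shows.
"""
import re
from collections import Counter

SAMPLE_SHA256 = "62b0051b6b1143036381a84cb3ed5827bdf32525a42c94dad86cdf0b98e3364b"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Windefender.exe"

# Constructed events modeled on the report's signatures (not the sandbox's own format).
EVENTS = [
    {"type": "file_write", "pid": 1368, "path": DROPPED, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 1368, "child_pid": 3004, "image": DROPPED},
    # The report lists four WriteProcessMemory events from 1368 into 3004.
    *[{"type": "write_process_memory", "pid": 1368, "target_pid": 3004} for _ in range(4)],
    {"type": "reg_set", "pid": 3004,
     "key": r"\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Windefender",
     "value": r'"C:\Users\Admin\AppData\Roaming\Windefender.exe"'},
]

# Paths under a user's AppData are writable without elevation; a Run entry there is a
# common user-level persistence location.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# First token of a command line: either a double-quoted path or a run of non-space chars.
EXE_TOKEN = re.compile(r'^"([^"]+)"|^(\S+)')


def self_copy_drops(events, sample_sha256):
    """Dropped files whose hash equals the submitted sample: the loader copied itself."""
    return [e["path"] for e in events
            if e["type"] == "file_write" and e["sha256"].lower() == sample_sha256.lower()]


def appdata_run_keys(events):
    """(value name, executable) for Run/RunOnce values that point into a user's AppData."""
    hits = []
    for e in events:
        if e["type"] != "reg_set" or not RUN_KEY.search(e["key"]):
            continue
        m = EXE_TOKEN.match(e["value"].strip())
        if not m:
            continue
        exe = m.group(1) or m.group(2)
        if USER_WRITABLE.match(exe):
            hits.append((e["key"].rsplit("\\", 1)[-1], exe))
    return hits


def injection_into_spawned_child(events, min_writes=1):
    """Parent processes that write into the memory of a child they created themselves.

    Cross-process writes into a freshly spawned child are the pattern behind process
    hollowing and similar injection; the count lets a caller require repeated writes.
    """
    children = {(e["pid"], e["child_pid"]): e["image"]
                for e in events if e["type"] == "process_create"}
    writes = Counter((e["pid"], e["target_pid"])
                     for e in events if e["type"] == "write_process_memory")
    return [{"parent": p, "child": c, "image": children[(p, c)], "writes": n}
            for (p, c), n in writes.items() if (p, c) in children and n >= min_writes]


if __name__ == "__main__":
    print("self-copy drops:", self_copy_drops(EVENTS, SAMPLE_SHA256))
    print("AppData Run keys:", appdata_run_keys(EVENTS))
    print("injection into own child:", injection_into_spawned_child(EVENTS))
```

Each check is deliberately independent: the hash comparison needs only the Downloads section, the Run key check needs only registry events, and the injection check only needs process-creation and memory-write events, so the same functions work on partial telemetry. Requiring all three to fire on one parent/child pair is what makes the alert specific to this loader's behaviour rather than to any installer that writes a Run key.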
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\AppData\Roaming\Windefender.exe
  Filesize: 40KB
  MD5: 432e63d7004f7ea486780b4db1cf19b4
  SHA1: 1ee43f61b077894d55d7845985a2233a6789054f
  SHA256: 62b0051b6b1143036381a84cb3ed5827bdf32525a42c94dad86cdf0b98e3364b
  SHA512: 727449dca8e04d6c3778d4e6b77a1a3d0cac545b4b6b1e175e6c270eb134ff67f987c483be372113c9ded4285ed9e8625b5d4569c1b11ff3fe7b032076cc3a6d
  Size and all four hashes match the submitted sample exactly: the persisted Windefender.exe is a byte-for-byte copy of 432e63d7004f7ea486780b4db1cf19b4.exe, so the sample's hashes also identify the dropped file.
- memory/1368-8-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB
- memory/3004-10-0x0000000000400000-0x0000000000410000-memory.dmp
  Filesize: 64KB