Overview

overview

10

Static

static

3

2d3506a814...57.exe

windows7-x64

10

2d3506a814...57.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    11s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d3506a8147a445e8776c902691068defbe367b9cb379a97a705c7e296cd9e57.exe

  • Size

    112KB

  • MD5

    07cf6a4b31862dd6aac546641df9cba0

  • SHA1

    e5dd54c4aaf25ac07c0f904f22a07000bead69ca

  • SHA256

    2d3506a8147a445e8776c902691068defbe367b9cb379a97a705c7e296cd9e57

  • SHA512

    4d3a4a3e9777aa00dab835126d9b5ce3b66bcdf79461a6b3d572c4b47149d3e241a4c2e0024793f4130c9c3e1951dbfb2f705297e2f8484f2c400c20fd665aab

  • SSDEEP

    1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5

Score
10/10
modiloaderpersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d3506a8147a445e8776c902691068defbe367b9cb379a97a705c7e296cd9e57.exe
    "C:\Users\Admin\AppData\Local\Temp\2d3506a8147a445e8776c902691068defbe367b9cb379a97a705c7e296cd9e57.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:1728
    • C:\Users\Admin\AppData\Local\Temp\2d3506a8147a445e8776c902691068defbe367b9cb379a97a705c7e296cd9e57.exe
      "C:\Users\Admin\AppData\Local\Temp\2d3506a8147a445e8776c902691068defbe367b9cb379a97a705c7e296cd9e57.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3144
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CXUTX.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
          4⤵
          • Adds Run key to start application
          PID:5100
      • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • Suspicious use of SetWindowsHookEx
          PID:3136
        • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:748
        • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
          4⤵
          • Executes dropped EXE
          PID:5048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CXUTX.bat
    Filesize

    148B

    MD5

    3a4614705555abb049c3298e61170b7f

    SHA1

    c8686410756f346d9551256a5b878b04770950ba

    SHA256

    cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b

    SHA512

    65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
    Filesize

    112KB

    MD5

    b1bce436e0805fb672874bd31b2419a2

    SHA1

    809fd22f12dc297d61c7d9873f8adec76edabb87

    SHA256

    0821b838e7f65202c4ccee1894bfdd40ccd28f93066220c756b2dc6ab9b76657

    SHA512

    03ea0a2fb400571ae650cd846c74ead6c1a6cba1a4eaeb22ae5444da5a22cb811198ba43bf1013811684b70708d03b1e4ef631ebd33735454b0d4a2dc2f39200

    Download Submit
  • memory/748-72-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1728-13-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1728-74-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1728-6-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1728-15-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2720-47-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2720-45-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2720-46-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2720-68-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/2720-44-0x0000000000400000-0x000000000041F000-memory.dmp
    Filesize

    124KB

    Download
  • memory/3136-48-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3136-56-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3136-50-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3136-81-0x0000000000400000-0x000000000040C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3144-16-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3144-14-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3144-71-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3144-10-0x0000000000400000-0x000000000040B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/4316-9-0x00000000029C0000-0x00000000029C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4316-3-0x0000000002170000-0x0000000002172000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4316-7-0x00000000021D0000-0x00000000021D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4316-8-0x0000000002200000-0x0000000002202000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4316-5-0x00000000021C0000-0x00000000021C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4316-4-0x00000000021A0000-0x00000000021A2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4316-2-0x0000000002160000-0x0000000002162000-memory.dmp
    Filesize

    8KB

    Download
  • memory/5048-62-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/5048-66-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/5048-65-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/5048-67-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download
  • memory/5048-73-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize

    80KB

    Download