Overview

overview

10

Static

static

10

94968b8b3f...44.exe

windows7-x64

10

94968b8b3f...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    24-05-2024 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744.exe

  • Size

    297KB

  • MD5

    4616cf19f415bcc7b8424b9dcaf619bd

  • SHA1

    14dec267c9c1ef3357b613e3288adecd504a2e14

  • SHA256

    94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744

  • SHA512

    fa38706b3b5fe436851d82ea0a65e87aa2dfd513136d2368b3ed5ff7b60a542d217e564d251b4aaacb1857b1da54c0bcc20622c158d9524eef7242442f69bf9a

  • SSDEEP

    6144:LsWXEYOd9nWwfNEfKLZXhoPSgc+I8jd3zYfP7RAVMwcft6U3UxLA0:L17YpvNYK5huNU8jSsMww8UkxT

Score
10/10
modiloadertrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744.exe
    "C:\Users\Admin\AppData\Local\Temp\94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:2628
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
            PID:2680
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
          2⤵
          • Deletes itself
          PID:2696

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Replication Through Removable Media

      1
      T1091

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Replication Through Removable Media

      1
      T1091

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
        Filesize

        248B

        MD5

        1ac0db9db1d2c83fd9ab2e9c38520c0c

        SHA1

        538113f681de521c1a5663b6dee2f368730c73c9

        SHA256

        ce061b7dbcb9f9afca3fc5a9866185bda80de05cffb9f69355955d44e5fdbda0

        SHA512

        033cf26f2ac930e42e55300b4f6f8f151aa735277fb7bf61f507284d38e914b90a69c0342731dadf1630ebaecd4dbec55279e8cc0ee0d19e33638f9ff95cd452

        Download Submit
      • F:\system.exe
        Filesize

        297KB

        MD5

        4616cf19f415bcc7b8424b9dcaf619bd

        SHA1

        14dec267c9c1ef3357b613e3288adecd504a2e14

        SHA256

        94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744

        SHA512

        fa38706b3b5fe436851d82ea0a65e87aa2dfd513136d2368b3ed5ff7b60a542d217e564d251b4aaacb1857b1da54c0bcc20622c158d9524eef7242442f69bf9a

        Download Submit
      • memory/2628-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2628-29-0x0000000000400000-0x00000000004C6000-memory.dmp
        Filesize

        792KB

        Download
      • memory/2908-0-0x0000000000400000-0x00000000004C6000-memory.dmp
        Filesize

        792KB

        Download
      • memory/2908-1-0x00000000003E0000-0x00000000003E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2908-18-0x0000000002EC0000-0x0000000002F86000-memory.dmp
        Filesize

        792KB

        Download
      • memory/2908-20-0x0000000002EC0000-0x0000000002F86000-memory.dmp
        Filesize

        792KB

        Download
      • memory/2908-41-0x0000000000400000-0x00000000004C6000-memory.dmp
        Filesize

        792KB

        Download
      • memory/2976-24-0x0000000000270000-0x0000000000271000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2976-39-0x0000000000400000-0x00000000004C6000-memory.dmp
        Filesize

        792KB

        Download