Overview

overview

10

Static

static

10

94968b8b3f...44.exe

windows7-x64

10

94968b8b3f...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 16:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744.exe

  • Size

    297KB

  • MD5

    4616cf19f415bcc7b8424b9dcaf619bd

  • SHA1

    14dec267c9c1ef3357b613e3288adecd504a2e14

  • SHA256

    94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744

  • SHA512

    fa38706b3b5fe436851d82ea0a65e87aa2dfd513136d2368b3ed5ff7b60a542d217e564d251b4aaacb1857b1da54c0bcc20622c158d9524eef7242442f69bf9a

  • SSDEEP

    6144:LsWXEYOd9nWwfNEfKLZXhoPSgc+I8jd3zYfP7RAVMwcft6U3UxLA0:L17YpvNYK5huNU8jSsMww8UkxT

Score
10/10
modiloadertrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744.exe
    "C:\Users\Admin\AppData\Local\Temp\94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744.exe"
    1⤵
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:936
    • C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe
      "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\SysWOW64\calc.exe
        "C:\Windows\system32\calc.exe"
        3⤵
          PID:5028
        • C:\program files\internet explorer\IEXPLORE.EXE
          "C:\program files\internet explorer\IEXPLORE.EXE"
          3⤵
            PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
          2⤵
            PID:5012

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Replication Through Removable Media

        1
        T1091

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        System Information Discovery

        1
        T1082

        Lateral Movement

        Replication Through Removable Media

        1
        T1091

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat
          Filesize

          248B

          MD5

          1ac0db9db1d2c83fd9ab2e9c38520c0c

          SHA1

          538113f681de521c1a5663b6dee2f368730c73c9

          SHA256

          ce061b7dbcb9f9afca3fc5a9866185bda80de05cffb9f69355955d44e5fdbda0

          SHA512

          033cf26f2ac930e42e55300b4f6f8f151aa735277fb7bf61f507284d38e914b90a69c0342731dadf1630ebaecd4dbec55279e8cc0ee0d19e33638f9ff95cd452

          Download Submit
        • F:\system.exe
          Filesize

          297KB

          MD5

          4616cf19f415bcc7b8424b9dcaf619bd

          SHA1

          14dec267c9c1ef3357b613e3288adecd504a2e14

          SHA256

          94968b8b3fb5df470908a62daf1caab26c30a868086eb412610c88d733d16744

          SHA512

          fa38706b3b5fe436851d82ea0a65e87aa2dfd513136d2368b3ed5ff7b60a542d217e564d251b4aaacb1857b1da54c0bcc20622c158d9524eef7242442f69bf9a

          Download Submit
        • memory/936-0-0x0000000000400000-0x00000000004C6000-memory.dmp
          Filesize

          792KB

          Download
        • memory/936-11-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/936-24-0x0000000000400000-0x00000000004C6000-memory.dmp
          Filesize

          792KB

          Download
        • memory/2984-15-0x0000000000400000-0x00000000004C6000-memory.dmp
          Filesize

          792KB

          Download
        • memory/2984-18-0x00000000007B0000-0x00000000007B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2984-21-0x0000000000400000-0x00000000004C6000-memory.dmp
          Filesize

          792KB

          Download