Overview

overview

10

Static

static

7

111871a523...87.exe

windows7-x64

7

111871a523...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2024 18:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    111871a523352ec471437504532b3767849d38dfd1f31d6d0c3b61bf34bdd387.exe

  • Size

    130KB

  • MD5

    4621a89d086b89bda54dd026914789a4

  • SHA1

    6cf8ac639ddbb40430a7bc20e66f480543f829d8

  • SHA256

    111871a523352ec471437504532b3767849d38dfd1f31d6d0c3b61bf34bdd387

  • SHA512

    ad7ad9c7bc7f280008e552a9abac1402d7d6fb700c313408e9277b9f8f9c549151044b288a4780307ffb44eb435cfd465a226461eb5e9945331946c843922c6b

  • SSDEEP

    1536:mH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmNJ:6KQJcinxphkG5Q6GdpIOkJHhKRyOXK

Score
10/10
modiloaderdiscoverypersistencetrojanupx

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\111871a523352ec471437504532b3767849d38dfd1f31d6d0c3b61bf34bdd387.exe
    "C:\Users\Admin\AppData\Local\Temp\111871a523352ec471437504532b3767849d38dfd1f31d6d0c3b61bf34bdd387.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Users\Admin\AppData\Local\Temp\111871a523352ec471437504532b3767849d38dfd1f31d6d0c3b61bf34bdd387.exe
      "C:\Users\Admin\AppData\Local\Temp\111871a523352ec471437504532b3767849d38dfd1f31d6d0c3b61bf34bdd387.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSKIT.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:712
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2528
      • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
        "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3528
        • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
          "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2196
        • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
          "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CSKIT.txt
    Filesize

    145B

    MD5

    da0cbe87b720a79b294147ed6a4b98be

    SHA1

    ebf0dc9efd7a12cb192e355cda87546acb4ab360

    SHA256

    7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed

    SHA512

    f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
    Filesize

    130KB

    MD5

    cfaaacda12d219f182eb8adfdd50968d

    SHA1

    54845b7d42ea33e3f5e9a55bcd2658c58b6fd466

    SHA256

    ab781aa70fb7f98d5148adade794572b348e2e0dae8c92258917aec8ccc757db

    SHA512

    904f6cdd152b545f70f257a69cd39e3154cf75790641dca8b5941cc45743a4375fa4dcfd9d3a49ee8b90fe626a980cfebb0bbbcf2ef523b5dde9b792f9250fb1

    Download Submit

  • memory/840-54-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/840-67-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/840-61-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/840-50-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/840-59-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/840-57-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2196-65-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3432-13-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3432-16-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3432-63-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3432-45-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3432-11-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3528-47-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3528-40-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3528-58-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3528-44-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/3528-46-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/4812-7-0x0000000002C80000-0x0000000002C81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-5-0x0000000002C10000-0x0000000002C11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-0-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/4812-9-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-17-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/4812-8-0x0000000002C90000-0x0000000002C91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-6-0x0000000000400000-0x0000000000423000-memory.dmp

    Filesize

    140KB

    Download

  • memory/4812-4-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-3-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4812-15-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

    Filesize

    4KB

    Download