Analysis
-
max time kernel
119s -
max time network
101s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
25/11/2024, 15:31
General
-
Target
153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe
-
Size
912KB
-
MD5
0564ba769d20df8f127c1f491e6a5540
-
SHA1
f4c47f8fd8a402bdd5c05aff882b1dace1633186
-
SHA256
153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309fe
-
SHA512
e6b3a837db38293ed6a4cca20af53a2cb0387af61945e9fdcf78da3ba2a8ffa47172ddff1fcf262d23812dc72205bd32156c46215d46a88525986f1afa317fee
-
SSDEEP
24576:ETzSqlFYcq/ZgmvTZ06L5+JYmm2gackH:ELTCvvt0g4JYNazH
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 11 IoCs
-
Adds policy Run key to start application 2 TTPs 4 IoCs
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 16 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\INVOICE.docx" /o ""2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe"3⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exeC:\Users\Admin\AppData\Local\Temp\153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309feN.exe4⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exesvchost.exe5⤵
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\Adobe\svchost.exe"C:\Windows\Adobe\svchost.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Adobe\svchost.exe"C:\Windows\Adobe\svchost.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Adobe\svchost.exe"C:\Windows\Adobe\svchost.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Adobe\svchost.exeC:\Windows\Adobe\svchost.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\Adobe\svchost.exesvchost.exe10⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89B
MD55db300542d67468d5362caaba3e887a4
SHA1dd26088995617c09b7a48c91ea84737cbcb50889
SHA256e7e8a0cd2133818cab542a9df627471c009d785666040b0ac1357e761d3a3bc2
SHA512fcfd747cd7e1d6265f0da6848a96f6b958b9547d322f258e3598beed08ea8b9d6b11b20deb3eecaa88aa3bd1619b42b53f14aa917f9da130a1c7ae878f676c3e
-
Filesize
694B
MD5aafda12798a7703d2a1a61f592ffff6e
SHA1efa16292a65d420e93176162c0408db6e33f7ec5
SHA256162d48b7dd4e28f6dc80a0c05383b39a711fa802cc1a13e277052b0e56f0c90b
SHA51272d8eca2b6db9b1a8dc4a3fde1b2b3b5db21dffa98adbcb4939df4e570f99ab742b8d0ff8908e34fbd116faf1f1e5d3b307bff3e6963fcde892eef37b39d798d
-
Filesize
9B
MD534774b4c926da65296934442c9c9e32d
SHA1f64b84f5ce198d50acb2f9d440d8fd773ae9a758
SHA256c51c019e2c00633207e6b6a54a17916b1ba8eaa8fd8dc7fea8782186fd339768
SHA512c29ec70db4e0fb26393ef171ff9757b8ab4b55c371b319d3c4938c3ee0ba7b564cab1708adb96b7296dc39c4da46a517c3cfabaa9c85608ea5e42d71fad09906
-
Filesize
596KB
MD58dd40693b14faf29c94793b24721e68e
SHA1597f1379d4ace22ef5c91049215776623b9d1da0
SHA2562612e472301d97777bdf9f86f017005001ab11499d5c9dc758d2cf92357309ae
SHA51218b56800ec9cddc9b67f4a7ca3ab1489306c2e98bdc2943c2bcfeabe4a2baf3917d80716d72b8d285628a33e45b53f0360387c6fe166f8d911f92f2c2e1f771e
-
Filesize
184B
MD599af0bb5007d16a365e2ae40cb70741c
SHA18c042874e61ffe0c9f3babba4ef53d75d5fe3ec7
SHA256ea0019a171c0f43a055a629fbc525d674487b28db2ada272c4f2fda675a58a15
SHA51252d1dcd5575a4df5a5ad1c2777719e116c5d06fe1425704283af4bb1e65f497a8570fc4536c5426411d8b85544ff447d04ee3ce1068a18cf57cb5ab56b252947
-
Filesize
156B
MD524108b3fbb26e3fa9e62b8cb348f5120
SHA1fb1e93331cda0b7655d6613adf0a4d2d6ae0e452
SHA25618a8a374f62dd36f13fc3450f3df919591f5b02f76ac61a54fff9129b2a6b847
SHA512ad729618683b00d43e50275392f715305f8cf547747e30b669661e2e9a5bcf16c766519f0a4dd8344ae8840142f5fc786d12ec86e8764368a90d0cdd2088e570
-
Filesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
Filesize
204KB
MD5e7c5eebf4b962720cbe57cda5504dd41
SHA116d3d39ec88e38a512ca8f6a48436363e40bcb8c
SHA25630c5ace906db145b107a96a41bdd8c61ab0031b51a8399601b3a0736590d2382
SHA51273517498dccd1ead189a0bd32dd76cd1974f5f73efd861fd9eef97f254038fadce9a0e6e7f14277d1f823a60c8d95100c3575b3edcf850b37d717f39644891c6
-
Filesize
2KB
MD524f69cb7565971f43053c8b79e0e02aa
SHA1cd7982dfba274bb125a75a54b8186b4809fbb491
SHA25671667d29f7ad356e10bf3ef0d534152c41166fec71aa29515121a67349a328b5
SHA5124cba95b83538c70729d1d847bbefc6ad5e56df0a200e1c182eb38faa6fbdae35fd24c5611b425016c2a8aeb0d486ad8f931314a21c096808aa3de9fe3c7831e0
-
Filesize
912KB
MD50564ba769d20df8f127c1f491e6a5540
SHA1f4c47f8fd8a402bdd5c05aff882b1dace1633186
SHA256153df0b62b32abea05a68d9f9bdb1d0ceadd5fe04dd1334b7d6053afb67309fe
SHA512e6b3a837db38293ed6a4cca20af53a2cb0387af61945e9fdcf78da3ba2a8ffa47172ddff1fcf262d23812dc72205bd32156c46215d46a88525986f1afa317fee
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
688KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
2.0MB
-
Filesize
688KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
252KB
-
Filesize
2.0MB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
2.0MB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
252KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB