Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/11/2024, 08:13

General

  • Target

    78326473_PDF.cmd

  • Size

    6.8MB

  • MD5

    2152288a44df543c12a71a50df1ed7b6

  • SHA1

    3d9f4c31f2366d2e75b5d6de5eb790da8bf07f1e

  • SHA256

    08eff0bb7bf2a683834cba1a3602e59ab3e803ce18e2998bd944ad06ec0e2736

  • SHA512

    32558f9fb65ca2adbbd572024f79fee514241b3b5bc35a09e62d0f622955da0f64ab7dd1697621cfa6492095711113408c0b5b619d3beb9fa960746b3ec07b6a

  • SSDEEP

    49152:NL4RD6gKgoYnqvkzd7uTu1DfSYr6EuG+1y3OgKVUGVpxRTw:Y

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 8 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\78326473_PDF.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:2764
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
            PID:4484
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\78326473_PDF.cmd" "C:\\Users\\Public\\Host.GIF" 3
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4360
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\78326473_PDF.cmd" "C:\\Users\\Public\\Host.GIF" 3
            3⤵
            • Executes dropped EXE
            PID:1432
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Host.GIF" "C:\\Users\\Public\\Libraries\\Host.COM" 10
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2960
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Host.GIF" "C:\\Users\\Public\\Libraries\\Host.COM" 10
            3⤵
            • Executes dropped EXE
            PID:1332
        • C:\Users\Public\Libraries\Host.COM
          C:\Users\Public\Libraries\Host.COM
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4176
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
          2⤵
          • Executes dropped EXE
          PID:4416
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Host.GIF" / A / F / Q / S
          2⤵
          • Executes dropped EXE
          PID:1292

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\Host.GIF
    Filesize
    4.7MB
    MD5
    9dcdd6e703f63872450a29843cc225d8
    SHA1
    deada0c9b2a7059b01958f0cbd173a77182bd03a
    SHA256
    a36432dc3dfe90959dc37fc8124bd6d292391569e071c2b3be67a53531a2aace
    SHA512
    e53354a5f917abc8c36f43e79ddec53e2b8d6ee8f1a38b7c5f777751c8f34eb8e53f03c633b20fca6993031b78bab5d454faaccdf8bcb5782c77876d8f08ad50

  • C:\Users\Public\Libraries\Host.COM
    Filesize
    1.3MB
    MD5
    7614ce01178ed3b6e66eccbb0300fcf8
    SHA1
    3774cf5b5a3060f1a02946de4c192778d4256852
    SHA256
    f2acf58a7b9bb7e4621a7187a6db9f294a3ee0106c3a00d8cf6d55107dd19ae1
    SHA512
    e20e8ccaa3e16e1d573eb741fc4e7d27de128d83dd9a504516c5fbea23538b3ed5d02466898af3762ee2837f9b4839454045a3ff6fa1fd0cb464da0377e886a4

  • C:\Users\Public\alpha.exe
    Filesize
    283KB
    MD5
    8a2122e8162dbef04694b9c3e0b6cdee
    SHA1
    f1efb0fddc156e4c61c5f78a54700e4e7984d55d
    SHA256
    b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
    SHA512
    99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

  • C:\Users\Public\kn.exe
    Filesize
    1.6MB
    MD5
    bd8d9943a9b1def98eb83e0fa48796c2
    SHA1
    70e89852f023ab7cde0173eda1208dbb580f1e4f
    SHA256
    8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
    SHA512
    95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

  • memory/4176-28-0x0000000002BB0000-0x0000000003BB0000-memory.dmp
    Filesize
    16.0MB

  • memory/4176-29-0x0000000002BB0000-0x0000000003BB0000-memory.dmp
    Filesize
    16.0MB

  • memory/4176-32-0x0000000000400000-0x0000000000564000-memory.dmp
    Filesize
    1.4MB