Overview

overview

10

Static

static

3

7f0fe0f164...58.exe

windows7-x64

10

7f0fe0f164...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2024, 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe

  • Size

    348KB

  • MD5

    03527c142799c1d689556b147c3437b2

  • SHA1

    5f324fd0cd5f95356e24da4ab4a90b71196113c5

  • SHA256

    7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058

  • SHA512

    3258cda3283f9a9b7186be67ae393bd26c12586f538f2b9b729247745fc969a49a4e02e84065d936fee190882d574b2a1f11bac0bbb80b98ab5c92c2d53b1a65

  • SSDEEP

    6144:VFjL41SWW+Yta+ySQ+GyoCZUdzlEOVciyGCE+riGDAGxZKcJv6Msx/BGbFt:VFjs1SWpY/ySBVoCmdzlEqciy+yiGhZ5

Score
10/10
modiloaderdiscoverypersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 7 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe
    "C:\Users\Admin\AppData\Local\Temp\7f0fe0f164eb1473d719006b2b09c40b0e05aa0732331d90f9fd24dcab3a7058.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\fff2.exe
      "C:\fff2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1692
    • C:\J3qbFH8P8.exe
      "C:\J3qbFH8P8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:356
      • C:\J3qbFH8P8.exe
        "C:\J3qbFH8P8.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\server.exe
          "C:\Windows\server.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Windows\server.exe
            "C:\Windows\server.exe"
            5⤵
            • Modifies WinLogon for persistence
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1300
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              6⤵
                PID:2480
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c \melt.bat
              5⤵
              • System Location Discovery: System Language Discovery
              PID:524
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c \melt.bat
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3936
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c \melt.bat
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\J3qbFH8P8.exe
      Filesize

      220KB

      MD5

      144dec755361311d15dce9b03d368d01

      SHA1

      4d331cb6d916d997ee0d14faa1ae8dded71b02c8

      SHA256

      98e284e33c2b8aaa654fe78b5586dbfd10c45b694415c9fe7718feeab4f4ca25

      SHA512

      d2fa423ca1dd8c6dac906ba640812686d6260120870b5878dcce00ef0d67229872eb6104d1e8caf043d9d8a38d28699c2b491d271f1d16839d631f9102130993

      Download Submit

    • C:\fff2.exe
      Filesize

      54KB

      MD5

      116d27fdf50ebecaada14096812dbf90

      SHA1

      5af91f4129b2e38f8decd50c8b0cc5d09c042bf1

      SHA256

      3ed5f41bad3acaf3eb8507d61b70c75c84e18febe06ebd482f3c366edcec394c

      SHA512

      e98eb844f4ddf74cccab1a14ea1a03accc3c2e0daa02aeb32d4718dbbb547ba80dbcd0d8469aed4d0f4fbb6949ddfe5e70fff099651d69d9fe8d2047b54b7c2a

      Download Submit

    • C:\melt.bat
      Filesize

      285B

      MD5

      85c3f59f17f0819c45bdc2d0193bc696

      SHA1

      77c709b2033b1f0f1f610519e24c6819117cf8b0

      SHA256

      c2d2d4476ab1364d9b7279f0083800d19484c9c66a0ffbc5da53412746603bfb

      SHA512

      e7c8fcab7f8c9ca567893921cf61f2f91d43000ec92720a067e7fffc34051dcbf6194d4275430d2d4e650b573d28506b6e9d7477abb2103c94556c10fbf2a159

      Download Submit

    • C:\melt.bat
      Filesize

      285B

      MD5

      4c3c12d14617f79a9d00776dd554804c

      SHA1

      63db6c3db46ab22cad450c104165b005b6ba8c2c

      SHA256

      a3e84610342e17029856b94f294cc95ccdb77e392c7c70e228fda1c88397964c

      SHA512

      b957c3b1a8f444c30b8b9b40511f3e9f88226b36426367e99480dac470e01d553c067570bfadf2ab0fc8a09e0bbe5279fc6cd9fe8d360299dadd789949809f9a

      Download Submit

    • memory/824-36-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/824-34-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/824-35-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/824-29-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/824-47-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1300-59-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1300-60-0x0000000010410000-0x0000000010455000-memory.dmp

      Filesize

      276KB

      Download

    • memory/1300-61-0x0000000010410000-0x0000000010455000-memory.dmp

      Filesize

      276KB

      Download

    • memory/1300-67-0x0000000000400000-0x000000000042C000-memory.dmp

      Filesize

      176KB

      Download

    • memory/1692-16-0x0000000000400000-0x0000000000439000-memory.dmp

      Filesize

      228KB

      Download

    • memory/1692-70-0x0000000000400000-0x0000000000439000-memory.dmp

      Filesize

      228KB

      Download