Overview

overview

10

Static

static

3

相片.exe

windows7-x64

10

相片.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2024 08:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    相片.exe

  • Size

    524KB

  • MD5

    d6166c827c4aa5ce21a4582b59e7f052

  • SHA1

    2506d7594acbbd5cc97a1920d340c72af4785341

  • SHA256

    e507ae41376d6907c5fd3ef83faa70bd8c633321c8270e5ae136c0f8ec1cffba

  • SHA512

    78bfb086babcb5e82425d0ee6eb5796f1d245c39e75d1ffc1cd87432c56c41619cb100319e35dab2505921ab7e928db679e22f55c1dcc4278fba3ba991a16fda

  • SSDEEP

    12288:vJiH3Q0Ir0PHDenmJ9eNIkNj3Q9FVKE1wLlC:vQQPw/qnmiRKBAC

Score
10/10
modiloaderdiscoverypersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\相片.exe
    "C:\Users\Admin\AppData\Local\Temp\相片.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\side.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\side.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:864
      • C:\Windows\windos.exe
        C:\Windows\windos.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\mmc.exe
          "C:\Windows\system32\mmc.exe"
          4⤵
            PID:2936
          • C:\program files\internet explorer\IEXPLORE.EXE
            "C:\program files\internet explorer\IEXPLORE.EXE"
            4⤵
              PID:2756
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\Windows\SxDel.bat
            3⤵
            • System Location Discovery: System Language Discovery
            PID:2664

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Windows\SxDel.bat
        Filesize

        150B

        MD5

        96f115aa2b01c8016439f842fb24562b

        SHA1

        ac3ff35c137d084ef35711318b27ace25e4bca83

        SHA256

        2bcdd38bd1de8ad3306df9d293d4d54f32c5b46825216ff75b984805eb2a470b

        SHA512

        1679ce60311e7b877a684cc8da84b1382833c2318ab880c9d24cfc3d7360ea4a9873297f153fa97e55060ac388545c7bb118e864c1dfc891f2537b5253a78f08

        Download Submit

      • \Users\Admin\AppData\Local\Temp\IXP000.TMP\side.exe
        Filesize

        491KB

        MD5

        b8dfe74dacee4bac05741690407f6b3c

        SHA1

        86453c79737807d938f482ce03f035c81a14873c

        SHA256

        85b1581ffb8f1d4ac52d55f136b02837b296f9c07716c2b759bf4c6c89366d03

        SHA512

        11a5b4b784d4636cc233d0fd69cca761c01fb0678092e6a2343ad68f1e7b3a512fb67f06eeb0f5986b7143ddf06f4bb338ea85e9ddb0136b0fa3a4b8585e175b

        Download Submit

      • memory/272-8-0x0000000002490000-0x000000000256E000-memory.dmp

        Filesize

        888KB

        Download

      • memory/272-9-0x0000000002490000-0x000000000256E000-memory.dmp

        Filesize

        888KB

        Download

      • memory/864-14-0x00000000004DD000-0x00000000004DE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/864-13-0x0000000000400000-0x00000000004DDDBC-memory.dmp

        Filesize

        887KB

        Download

      • memory/864-25-0x00000000004E0000-0x00000000005BE000-memory.dmp

        Filesize

        888KB

        Download

      • memory/864-31-0x0000000003000000-0x00000000030DE000-memory.dmp

        Filesize

        888KB

        Download

      • memory/864-53-0x0000000000400000-0x00000000004DDDBC-memory.dmp

        Filesize

        887KB

        Download

      • memory/2740-32-0x0000000000400000-0x00000000004DDDBC-memory.dmp

        Filesize

        887KB

        Download

      • memory/2740-36-0x0000000000400000-0x00000000004DDDBC-memory.dmp

        Filesize

        887KB

        Download

      • memory/2740-51-0x0000000000400000-0x00000000004DDDBC-memory.dmp

        Filesize

        887KB

        Download

      • memory/2936-41-0x0000000000400000-0x00000000004DE000-memory.dmp

        Filesize

        888KB

        Download

      • memory/2936-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download