Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2024 20:19

General

  • Target

    $TEMP/vaysoft-image-to-exe-converter-4.52.exe

  • Size

    1.8MB

  • MD5

    6ce9644cb6b649e61afaa8d79de40bf0

  • SHA1

    a8b1ea2c5dd283fd7f889a58fb0dc087e4e2736a

  • SHA256

    935225e6b0f68e3891f9d0f16f433a7673c5ecdc6a02fc8857bb1a6460492254

  • SHA512

    e1db0d224de89a5a06bfc6ffc81320f5b20b2bff32ad4a61c0d70f607a6baafeadb6c33690c0246a2c84c129cfa0f4f8e3d72f5234414ef48dc615a722bd33c2

  • SSDEEP

    49152:v2bno1q2wSvFPaBPpCiPRFbnPjTtwdxu5pUxHDp4ZW/VwbIaV:ubnoI29FIginHtExjhmM/Cb5

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\vaysoft-image-to-exe-converter-4.52.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\vaysoft-image-to-exe-converter-4.52.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Users\Admin\AppData\Local\Temp\is-V5I3K.tmp\vaysoft-image-to-exe-converter-4.52.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-V5I3K.tmp\vaysoft-image-to-exe-converter-4.52.tmp" /SL5="$30144,1697600,53248,C:\Users\Admin\AppData\Local\Temp\$TEMP\vaysoft-image-to-exe-converter-4.52.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe
        "C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2848

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe

    Filesize

    2.3MB

    MD5

    2a3e3d4612ee5253df73afe5483cd53d

    SHA1

    f52b0a65d2fce52d543705c62a063220a91c496c

    SHA256

    2c23689bddb2eb08efd94e7e319adafa58d5d9ec00b71e4a5519e7797ed41854

    SHA512

    b49b733183032769ae58c972b280a286457f6297b79a83078af586561110c1035af965f42418ee6287647afb9bf7e24ff58758b30f5b02f6bcd1d7e4621ca041

  • \Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\unins000.exe

    Filesize

    679KB

    MD5

    980de92df387ddd01c71254edec672e4

    SHA1

    be513ab47d0896ede95506ed85352667445bf050

    SHA256

    8f2f0c3ffc0bb50652052e580f49a7bf647ae879caa4e308d30a74b81a1fe341

    SHA512

    2cd75c7679787cf7a1f7e012c8c961f0a22e6a91361c2b3d489fbcfaa9dfe4bec23035935ffadb8161a2f9839424a26c31486087c60c68bdba7ef8f544cd73c6

  • \Users\Admin\AppData\Local\Temp\is-HGF87.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • \Users\Admin\AppData\Local\Temp\is-V5I3K.tmp\vaysoft-image-to-exe-converter-4.52.tmp

    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

  • memory/340-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/340-17-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/340-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/340-58-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2388-12-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2388-18-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2388-20-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2388-45-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2388-57-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/2848-68-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB