Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2024 20:19

General

  • Target

    $TEMP/vaysoft-image-to-exe-converter-4.52.exe

  • Size

    1.8MB

  • MD5

    6ce9644cb6b649e61afaa8d79de40bf0

  • SHA1

    a8b1ea2c5dd283fd7f889a58fb0dc087e4e2736a

  • SHA256

    935225e6b0f68e3891f9d0f16f433a7673c5ecdc6a02fc8857bb1a6460492254

  • SHA512

    e1db0d224de89a5a06bfc6ffc81320f5b20b2bff32ad4a61c0d70f607a6baafeadb6c33690c0246a2c84c129cfa0f4f8e3d72f5234414ef48dc615a722bd33c2

  • SSDEEP

    49152:v2bno1q2wSvFPaBPpCiPRFbnPjTtwdxu5pUxHDp4ZW/VwbIaV:ubnoI29FIginHtExjhmM/Cb5

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modiloader family
  • ModiLoader Second Stage 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\vaysoft-image-to-exe-converter-4.52.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\vaysoft-image-to-exe-converter-4.52.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\is-I0MOH.tmp\vaysoft-image-to-exe-converter-4.52.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-I0MOH.tmp\vaysoft-image-to-exe-converter-4.52.tmp" /SL5="$5028C,1697600,53248,C:\Users\Admin\AppData\Local\Temp\$TEMP\vaysoft-image-to-exe-converter-4.52.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4368
      • C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe
        "C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1660

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\VaySoft\VaySoft Image to EXE Converter\imagetoexe.exe

    Filesize

    2.3MB

    MD5

    2a3e3d4612ee5253df73afe5483cd53d

    SHA1

    f52b0a65d2fce52d543705c62a063220a91c496c

    SHA256

    2c23689bddb2eb08efd94e7e319adafa58d5d9ec00b71e4a5519e7797ed41854

    SHA512

    b49b733183032769ae58c972b280a286457f6297b79a83078af586561110c1035af965f42418ee6287647afb9bf7e24ff58758b30f5b02f6bcd1d7e4621ca041

  • C:\Users\Admin\AppData\Local\Temp\is-I0MOH.tmp\vaysoft-image-to-exe-converter-4.52.tmp

    Filesize

    669KB

    MD5

    52950ac9e2b481453082f096120e355a

    SHA1

    159c09db1abcee9114b4f792ffba255c78a6e6c3

    SHA256

    25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

    SHA512

    5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

  • memory/1560-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1560-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1560-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/1560-49-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/1660-61-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/1660-50-0x0000000000400000-0x0000000000648000-memory.dmp

    Filesize

    2.3MB

  • memory/4368-17-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/4368-48-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/4368-40-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/4368-15-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB

  • memory/4368-12-0x0000000000400000-0x00000000004B6000-memory.dmp

    Filesize

    728KB