Analysis
max time kernel: 3s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 19-12-2024 21:41
Static task: static1
Behavioral task: behavioral1
  Sample: f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
  Resource: win10v2004-20241007-en
General
Target: f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
Size: 112KB
MD5: c2dae78e004c3e7019bde7f98c6e1520
SHA1: 593e15d18f4c14b16dc7a58183227bb9589f9d63
SHA256: f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aa
SHA512: 62154218506789ac9f9745608925b4e9d62ae17711dc3c6f5b202d64a9263175d3e412afbe9ee99aadaabdd2e7142ed076f96cc58a70d5e6a0518ecaf17076c0
SSDEEP: 1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/880-294-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
- Suspicious use of SetThreadContext (2 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2524 set thread context of 2224  2524  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe  30
  PID 2524 set thread context of 2452  2524  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe  31
- Yara rule match: upx (7 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2452-128-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/2452-112-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/880-283-0x0000000000400000-0x0000000000414000-memory.dmp   upx
  behavioral1/memory/1384-282-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/2452-289-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/1384-291-0x0000000000400000-0x000000000040B000-memory.dmp  upx
  behavioral1/memory/880-294-0x0000000000400000-0x0000000000414000-memory.dmp   upx
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  svchost.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2224  svchost.exe  (64 identical entries)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   Process
  2524  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
  2224  svchost.exe
  2452  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2524 wrote to memory of 2224   2524  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe  30  (10 identical entries)
  PID 2524 wrote to memory of 2452   2524  f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe  31  (8 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2524
   2. C:\Windows\SysWOW64\svchost.exe
      command line: "C:\Windows\system32\svchost.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      PID: 2224
   2. C:\Users\Admin\AppData\Local\Temp\f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f56245deb0fe2c43fe88e5e271d464cc8d2c76c6a692238dca69d1ff9e2629aaN.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2452
      3. C:\Windows\SysWOW64\cmd.exe
         command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\GKYHH.bat" "
         PID: 944
         4. C:\Windows\SysWOW64\reg.exe
            command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
            PID: 2480
      3. C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
         command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
         PID: 1108
         4. C:\Windows\SysWOW64\svchost.exe
            command line: "C:\Windows\system32\svchost.exe"
            PID: 2692
         4. C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
            PID: 1384
         4. C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
            PID: 880
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 148B
  MD5: 3a4614705555abb049c3298e61170b7f
  SHA1: c8686410756f346d9551256a5b878b04770950ba
  SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
  SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007
- Filesize: 112KB
  MD5: ce13770392ca6ed2163d69f6ef05c3d7
  SHA1: 9a6bf383fafa495844bd808b359a29daaaf2adf5
  SHA256: 0764c193070876ef83c2e2bacf20a6800e45b220d0cb9928662b895bd307df16
  SHA512: ff0980aea5adb3f4ff3dfff1d26ee7fff0d5541641595a2a9b01d26f9516cf18ff917d7b42dd45b96b7c6ab47f25432aeb43fbfcc2ca702926d0b40af08f88b8