Resubmissions
submitted            id                 score
20-12-2024 19:52     241220-ylsg1atjhk  10
20-12-2024 19:25     241220-x47h7sspgr  10
20-12-2024 19:25     241220-x4y7tsspgp  1
20-12-2024 19:14     241220-xxpd2ssjdy  10

Analysis
max time kernel: 442s
max time network: 344s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20-12-2024 19:14
Static task: static1
Behavioral task: behavioral1
Sample: f6142cf78b009b118166332df150bcdbc0428bdaf2542e250af299431dd27268.gz
Resource: win7-20241010-en
General
Target: f6142cf78b009b118166332df150bcdbc0428bdaf2542e250af299431dd27268.gz
Size: 836KB
MD5: 1b4d02ca1abe23f1948225d0846cf882
SHA1: becd7b6a9a665c16ef18b01772e2419e9b9bf8b9
SHA256: f6142cf78b009b118166332df150bcdbc0428bdaf2542e250af299431dd27268
SHA512: b89965b74105f7ffa6c8a2092116dadb9c6f6bb696ca34c9d4ccc7f902f92005c8803d2d9a90d74ab904119b36e5bf01c9ea157693f879001abebd23a6d23cfb
SSDEEP: 24576:bMzscMk7UyOoZChSyco5AXYLIOfj3G4zTJsMmgbZX0oOA3OXxmS:bs0kyoISyco5AXYLIO7jpig1aA+XL
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud services to host and download the next-stage malware families it delivers.

Modiloader family
ModiLoader Second Stage 61 IoCs
resource                                                                        yara_rule
behavioral1/memory/1996-<N>-0x0000000003090000-0x0000000004090000-memory.dmp    modiloader_stage2
All 61 matches are dumps of the same 16 MB region (0x03090000-0x04090000) of PID 1996 (x.exe), taken at dump indices N = 15, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 34, 36, 37, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 65, 66, 68, 70, 73, 75, 76, 78, 79, 82, 85, 87, 89, 90, 92, 93, 95, 97, 99.
Executes dropped EXE 2 IoCs
pid    Process
1996   x.exe
1372   x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    x.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    x.exe

Modifies registry class 1 IoCs
description   ioc                                                                                        Process
Key created   \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings        rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
description                         pid    Process
Token: SeRestorePrivilege           2344   7zFM.exe
Token: 35                           2344   7zFM.exe
Token: SeSecurityPrivilege          2344   7zFM.exe
Token: 33                           2792   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege   2792   AUDIODG.EXE
Token: 33                           2792   AUDIODG.EXE
Token: SeIncBasePriorityPrivilege   2792   AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs
pid    Process
2344   7zFM.exe
2344   7zFM.exe

Suspicious use of WriteProcessMemory 7 IoCs
description                          pid    Process        procid_target
PID 1980 wrote to memory of 1996     1980   WScript.exe    36
PID 1980 wrote to memory of 1996     1980   WScript.exe    36
PID 1980 wrote to memory of 1996     1980   WScript.exe    36
PID 1980 wrote to memory of 1996     1980   WScript.exe    36
PID 2808 wrote to memory of 1376     2808   rundll32.exe   44
PID 2808 wrote to memory of 1376     2808   rundll32.exe   44
PID 2808 wrote to memory of 1376     2808   rundll32.exe   44
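The WriteProcessMemory, Executes dropped EXE and System Language Discovery rows above only become meaningful when they are read together: the script host wrote into a freshly created x.exe in the user's Temp directory, and that process then read the NLS\Language key. The script below, an added example that is not part of this report or of any sandbox or ModiLoader tooling, parses those rows (copied from this report as constructed input) and flags writer/target pairs that match a small set of rules. The rule set (SCRIPT_HOSTS, the user-Temp path pattern, the ATT&CK mapping in the comment) is the example's own assumption, not the sandbox's signature logic.

```python
"""Reconstruct the execution chain from the flattened signature rows of a
sandbox report and flag the script-host -> dropped-EXE pattern.

Added example, not part of the original report. Input rows are copied from
the report; the scoring rules are this example's own assumptions.
"""
import re
from collections import defaultdict

# Rows copied from the signature tables above (constructed input).
WRITE_PROCESS_MEMORY = """\
PID 1980 wrote to memory of 1996 1980 WScript.exe 36
PID 1980 wrote to memory of 1996 1980 WScript.exe 36
PID 1980 wrote to memory of 1996 1980 WScript.exe 36
PID 1980 wrote to memory of 1996 1980 WScript.exe 36
PID 2808 wrote to memory of 1376 2808 rundll32.exe 44
PID 2808 wrote to memory of 1376 2808 rundll32.exe 44
PID 2808 wrote to memory of 1376 2808 rundll32.exe 44
"""
EXECUTES_DROPPED_EXE = """\
1996 x.exe
1372 x.exe
"""
REGISTRY_OPENS = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x.exe
"""
# Image paths from the process tree of this report, keyed by PID (constructed input).
PROCESS_IMAGES = {
    2344: r"C:\Program Files\7-Zip\7zFM.exe",
    1980: r"C:\Windows\System32\WScript.exe",
    1996: r"C:\Users\Admin\AppData\Local\Temp\x.exe",
    2564: r"C:\Windows\System32\CScript.exe",
    1372: r"C:\Users\Admin\AppData\Local\Temp\x.exe",
    2808: r"C:\Windows\system32\rundll32.exe",
    1376: r"C:\Windows\system32\NOTEPAD.EXE",
}

# Assumed scoring rules for this example (not the sandbox's own logic).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) \d+")


def parse_write_rows(text):
    """Map target PID -> (writer PID, writer image). The sandbox logs one row
    per WriteProcessMemory call, so identical rows repeat; a dict collapses
    them. Ordinary process creation produces these rows too (the parent
    writes into the new child), so a row is not injection evidence on its
    own; it has to be read together with the process tree."""
    edges = {}
    for src, dst, image in ROW_RE.findall(text):
        edges[int(dst)] = (int(src), image)
    return edges


def parse_dropped(text):
    """Map PID -> image name from the 'Executes dropped EXE' rows."""
    return {int(pid): name for pid, name in
            (line.split() for line in text.splitlines() if line.strip())}


def parse_registry_opens(text):
    """Map lower-cased process name -> set of lower-cased key paths."""
    opens = defaultdict(set)
    for key, proc in re.findall(r"Key opened (\S+) (\S+)", text):
        opens[proc.lower()].add(key.lower())
    return opens


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_chains(edges, dropped, reg_opens, images):
    """Return [(writer_pid, writer_image, target_pid, target_path, reasons)]
    for every writer->target edge that matches at least one rule."""
    findings = []
    for target, (writer, writer_image) in edges.items():
        target_path = images.get(target, "")
        reasons = []
        if image_name(writer_image) in SCRIPT_HOSTS:
            reasons.append("writer is a script host")
        if target in dropped:
            reasons.append("target is a dropped executable")
        if USER_TEMP.search(target_path):
            reasons.append("target runs from the user's Temp directory")
        keys = reg_opens.get(image_name(target_path), set())
        if any(k.endswith(r"\nls\language") for k in keys):
            # System Language Discovery (ATT&CK T1614.001, assumed mapping):
            # common in loaders that refuse to run in certain locales, but
            # plenty of legitimate software reads this key, so it is
            # supporting evidence only.
            reasons.append("target reads NLS\\Language")
        if reasons:
            findings.append((writer, writer_image, target, target_path, reasons))
    return findings


if __name__ == "__main__":
    chains = find_suspicious_chains(parse_write_rows(WRITE_PROCESS_MEMORY),
                                    parse_dropped(EXECUTES_DROPPED_EXE),
                                    parse_registry_opens(REGISTRY_OPENS),
                                    PROCESS_IMAGES)
    for writer, wimg, target, tpath, reasons in chains:
        print(f"{wimg} ({writer}) -> {tpath} ({target}): {', '.join(reasons)}")
```

Run as-is it reports a single chain, WScript.exe (1980) -> x.exe (1996), with all four reasons, and says nothing about rundll32.exe (2808) -> NOTEPAD.EXE (1376): that pair is the "Open with" dialog (shell32.dll,OpenAs_RunDLL) handing an unknown file to Notepad, and no rule matches it. The second x.exe (PID 1372) is not scored because the report has no WriteProcessMemory row naming it as a target, so its parent is unknown; a real pipeline would fall back to process-creation events for that case.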
Processes

C:\Program Files\7-Zip\7zFM.exe  (PID 2344)
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\f6142cf78b009b118166332df150bcdbc0428bdaf2542e250af299431dd27268.gz"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\explorer.exe  (PID 1144)
  command line: "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE  (PID 2792)
  command line: C:\Windows\system32\AUDIODG.EXE 0x584
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe  (PID 1980)
  command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_S23K.vbs"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\x.exe  (PID 1996)
      command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\System32\CScript.exe  (PID 2564)
  command line: "C:\Windows\System32\CScript.exe" "C:\Users\Admin\AppData\Local\Temp\PO_S23K.vbs"

C:\Users\Admin\AppData\Local\Temp\x.exe  (PID 1372)
  command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Windows\system32\rundll32.exe  (PID 2808)
  command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\______________________
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\NOTEPAD.EXE  (PID 1376)
      command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\______________________
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.6MB
MD5: 9e1689409fdcb7ba5265907bc0164a98
SHA1: 87388a6758b0659c56b97da2370a97721ed383ef
SHA256: 988f06de5e206681e74d9a8ba01f63069eaa7043b39784cfbddbe4845723b1b4
SHA512: 18d389197556b6f543b7a0d5a559763164b61a3e6c56783931dbfc0b46a5c45994e106dea948f90db089d4078a411e76d82f463d65969b2e0a7cf975814988f5

Filesize: 6B
MD5: 325a6c5ca994f3718f1cef2c6324e004
SHA1: d5e9edab4432f2e149a09b93d8e2928ff0fb619f
SHA256: 5f73a85ee6609ee50d42f67783499d356da92795e9d117f3e2b2a4a4934b6211
SHA512: 4a9234cff2dc455fc6d877439f61d283bd01531e752cd26290633c538a91634bae0da1c5b50a4fe21a3f74ef32db1dfd6d56b99d11a04aed7792e9891b570c7a

Filesize: 1.2MB
MD5: 385a5e0136bd0aa68cde4ba38756b086
SHA1: a73948144ee59a7805f81dd6a73291ca40625ac1
SHA256: 93739039ca89805f9934e13d66bf446d302447801e96ee6b9e654cff0d39e20d
SHA512: 92d38b855d990c8b6e839bdfa6215039e671cac184ec75bd2653a0865b160a2d35715179e3518aa2550825ae06340641ed09d3dd685910584698dc60215f7e90