Analysis
max time kernel: 26s
max time network: 15s
platform: windows10-2004_x64
resource: win10v2004-20241007-es
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 23-12-2024 05:56
Static task: static1
Behavioral task: behavioral1
  Sample: PO-S23K[infected].zip
  Resource: win7-20240729-es
Behavioral task: behavioral2
  Sample: PO-S23K[infected].zip
  Resource: win10v2004-20241007-es
General
Target: PO-S23K[infected].zip
Size: 1.5MB
MD5: 959b51c99485bf5f0f4b6c97363fda21
SHA1: 3691f8f198782bad191c57d4835661ebbfc4e4c1
SHA256: 88f0b7bdee74f85c01deed17a4f1c09292aa27c2c04dd549c7bec758c6a43f19
SHA512: d0b41a730ca80500bb29af8e0e0e237460fbf9420c74c2f2e2f4d4aa10d8673af69fc3eea52fe9e9fee9ffe68da21b4fac4e309620e58f6f6bbbc3915a808007
SSDEEP: 24576:4WPlVmatpOZDR0pGe5/PO7UcS0YoOjr1/wPE5DvHTpOLl5CJrFig+tLpqc8q:zPlVmHxGIe5OO9j5MEN1y0DXeN4q
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (61 IoCs)
  Columns: resource | yara_rule
  All 61 matches are memory dumps of PID 3996 (x.exe) in behavioral2, region 0x0000000002B70000-0x0000000003B70000, matching rule modiloader_stage2:
  behavioral2/memory/3996-N-0x0000000002B70000-0x0000000003B70000-memory.dmp | modiloader_stage2
  for N in: 14, 17, 18, 19, 20, 22, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78
- Executes dropped EXE (1 IoC)
  Columns: pid | Process
  3996 | x.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Columns: description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | x.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Columns: pid | Process
  5116 | 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Columns: description | pid | Process
  Token: SeRestorePrivilege | 5116 | 7zFM.exe
  Token: 35 | 5116 | 7zFM.exe
  Token: SeSecurityPrivilege | 5116 | 7zFM.exe
  Token: SeSecurityPrivilege | 5116 | 7zFM.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Columns: pid | Process
  5116 | 7zFM.exe
  5116 | 7zFM.exe
  5116 | 7zFM.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Columns: description | pid | Process | procid_target
  PID 5116 wrote to memory of 3996 | 5116 | 7zFM.exe | 90
  PID 5116 wrote to memory of 3996 | 5116 | 7zFM.exe | 90
  PID 5116 wrote to memory of 3996 | 5116 | 7zFM.exe | 90
Processes
1. C:\Program Files\7-Zip\7zFM.exe
   Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PO-S23K[infected].zip"
   PID: 5116
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\7zOCF3BE4F7\x.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\7zOCF3BE4F7\x.exe"
   PID: 3996
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: 385a5e0136bd0aa68cde4ba38756b086
SHA1: a73948144ee59a7805f81dd6a73291ca40625ac1
SHA256: 93739039ca89805f9934e13d66bf446d302447801e96ee6b9e654cff0d39e20d
SHA512: 92d38b855d990c8b6e839bdfa6215039e671cac184ec75bd2653a0865b160a2d35715179e3518aa2550825ae06340641ed09d3dd685910584698dc60215f7e90