Overview

overview

10

Static

static

10

2960e092eb...e2.exe

windows7-x64

10

2960e092eb...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    26-12-2024 07:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2960e092ebea34f381a2c1c432539fa70a90b98e139cf5f5447199695c39d3e2.exe

  • Size

    572KB

  • MD5

    6a30964871471e3774a54dbca5e0f7b4

  • SHA1

    6ace0f8c9010455e2cd5f0f12e09bfb86af5c9ff

  • SHA256

    2960e092ebea34f381a2c1c432539fa70a90b98e139cf5f5447199695c39d3e2

  • SHA512

    67c1485c6d1ffd3ad02b64ed86d9afcc75c3d99cbe52cb28c6f12f0f5d9624d576731b2d0807bb5d0d00b8f75710d3aa6734bec0621aac9e99676e54b50c41f5

  • SSDEEP

    12288:us2w8hvkR2OWhNlGIZ0igJTtCThXP68d+FRCZtR8WHxh7bBIr0i:T2wC88OWhDDsJTtoNgDKrphWgi

Score
10/10
modiloaderdiscoveryspywarestealertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1396
      • C:\Users\Admin\AppData\Local\Temp\2960e092ebea34f381a2c1c432539fa70a90b98e139cf5f5447199695c39d3e2.exe
        "C:\Users\Admin\AppData\Local\Temp\2960e092ebea34f381a2c1c432539fa70a90b98e139cf5f5447199695c39d3e2.exe"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Users\Admin\AppData\Local\Temp\ßáíä.exe
          "C:\Users\Admin\AppData\Local\Temp\ßáíä.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Users\Admin\AppData\Local\Temp\ßáíä.exe
            C:\Users\Admin\AppData\Local\Temp\ßáíä.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2392
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2944

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3D Wallpapers Collection 27.jpg
      Filesize

      495KB

      MD5

      c5a27cd076ba0c97d261674c3a30234d

      SHA1

      5e00601aed5769978366fbbad502e43212041c6c

      SHA256

      9367ccc0dfcc1c920451e78766c9c1b5592be64e9b50c3d4350cbf09db86ba92

      SHA512

      64c6c08c41583dda07f5a1ef49d4711d83533bcd77e96480c53db10d8d3c77452d5a075b78d7eb26bce58cab69063ec192bf729bb1ac409cea5be72f7c7942f6

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ßáíä.exe
      Filesize

      66KB

      MD5

      1ac0da80e149e476bc101f584d50bf85

      SHA1

      295af024da94c7bff9af72a0c8ce6656fcf48d23

      SHA256

      df662e9284f3da2a5b66d52920d832a796cf9ce7c944e1cf84f7cbf431be1c5a

      SHA512

      2854fa55fead865e640576e91b652dd2ebdf536d1790031ac9c850bfeac7c8b67cdb5a15b00fdd29356452a93b2d36731aec13a062e83d1e696709efc5706172

      Download Submit

    • memory/1396-32-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1396-29-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/2300-25-0x00000000025D0000-0x00000000025D2000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2300-27-0x0000000000400000-0x0000000000496000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2392-16-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2392-18-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2392-24-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2392-14-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2392-12-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2392-41-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2944-26-0x0000000000170000-0x0000000000172000-memory.dmp

      Filesize

      8KB

      Download