Analysis
-
max time kernel
48s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
10-01-2025 11:19
General
-
Target
https://github.com/danswtf/xddos/releases/download/123/7zip.exe
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/danswtf/xddos/releases/download/123/7zip.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/danswtf/xddos/releases/download/123/7zip.exe2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.0.884436712\162194928" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {40795dab-16a8-439b-9914-490488e5c291} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 1284 117cc158 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.1.1495975302\229020448" -parentBuildID 20221007134813 -prefsHandle 1488 -prefMapHandle 1484 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e53df1a-c5cd-429c-938f-1a3dfe8492f1} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 1500 e70458 socket3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.2.293188723\1127504368" -childID 1 -isForBrowser -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 764 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a88b730a-f6b1-45cc-8480-12f4ba488bee} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 2116 1aadc258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.3.369652286\1943807500" -childID 2 -isForBrowser -prefsHandle 2924 -prefMapHandle 2868 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 764 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48252a23-1be6-420e-8698-14bde39cedce} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 2936 1d886258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.4.2140225328\1912761516" -childID 3 -isForBrowser -prefsHandle 3680 -prefMapHandle 3656 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 764 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41d9ab10-7a86-4735-9a30-fa61b5748da2} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 3684 203f8558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.5.988155233\1654658573" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3816 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 764 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08252183-5b1b-4c45-9d78-34394bfa4279} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 3800 203fa658 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2820.6.400686902\857873957" -childID 5 -isForBrowser -prefsHandle 3684 -prefMapHandle 3728 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 764 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f69839e1-2094-49e2-a12f-440b1862069b} 2820 "\\.\pipe\gecko-crash-server-pipe.2820" 3900 203faf58 tab3⤵
-
-
C:\Users\Admin\Downloads\7zip.exe"C:\Users\Admin\Downloads\7zip.exe"3⤵
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Impair Defenses
1Safe Mode Boot
1Modify Registry
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
26KB
MD56865869f01cfbde4a97965b80bbefaae
SHA1da01aacf24e7668ed0acd8bc26a9a80b344b1492
SHA256a14816733bde60b3a3cd199ac89d7f43270318d849033084a8ad252398a3e521
SHA5127e908650e61d71360d3c6f413c0b6686c7ddc98b72860b5dd2f53c60f33341f553160b06e8915e1b6a0b39b197cd55054d203f64690f5be9754e21173f03bc6f
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
2KB
MD510645b93b49279f21878777ec4664852
SHA13a94cf37c0ca59570a4660e3aba81e0b247b8772
SHA256e72225ac6f3b889028fadd71b225c15ef43792d32e67fe49dc6be46bd185e776
SHA5124d29b0a3b4bd32f759f03fa773554a01171dedcd14273dd35b3372de883577af939836991d32aa71d1b5d87927098c2ed35fe6140d705b05f5b661f736f0cb0b
-
Filesize
10KB
MD511d32cd63aee53bc939db518762287fc
SHA11da9e3895343cb04c81cb7b070c9715fdbceef9a
SHA256449d695117ff4e2d59c1ebc3c522d6418ecbb174aebe736bdb2c4e8cbfb467f0
SHA5126cdb51a66181d35f4a935e875b105fa104168efac2441a69c2f0e042a36c1569eb11fdb5d376ff8189f86703059d32a8f8d0bb71f61a2e129b9ae3c1e26190fe
-
Filesize
745B
MD5388127dc0b33c5160b0bf85cb0ae1b0a
SHA15dafdb150a17aefd05cbe577588dee3ceee092d9
SHA256a9da1232e2bb5b15c448b2a3953aeddcffd7f24ae0b6103d97aab912d2871a9f
SHA512d15ea46bd12fef57688ebde7d978f057a76794575fda31e178dcd8863efa358fd6216e4be47ba5231e45b7fc2a01fd7d68bea83df4d6399707b851a66d848274
-
Filesize
6KB
MD536c19b9f0de15d620dec25cd0f661554
SHA1c38d1d7b57dd8f96d20a09a94333ced98a1df1a2
SHA256c485f871948ddb316a18b211fbe6e5ed80ba908fa5369f501e067160862c2686
SHA512274c03b3250c480b4445c4c747ba43b5ff4ebcafa43a8c2179986b72650b1c413b31756b817e6d8d0c547d1612ec56c4cf5cbc58a4918cd334755c2566ae2e55
-
Filesize
6KB
MD5051dcaf2dfb4d7b34824d599d8c2932e
SHA12a76a0259ef178ff97e679f8cfb3400a21b5bd5a
SHA256bbaa46743d230ab818034a75f59e6a6b6079bc8e0b2e178d2fa57f2f50d23bbd
SHA5127a2a1646e553bedc6b28aae50615cd9bc5a6a90314ec782283e2a465188489524f902c9cdb9abc54f57000982cfaa5b69d0022bbfd61322bda3d99f53184d595
-
Filesize
939B
MD50835f24144481c36ad9ac728ebf04e4c
SHA18e0f3829f94a372aee19d534562a702557670007
SHA25683a951444c179ee8ca05f9cd5180c1df9f85a03efc07b929576ca27a535d324a
SHA512db7681f68f20351db8cef736c911828c9a162c930d60b0a64ee7cded44f24f304bef36564150d4b93ef81513f46bef7447693a6e72ea50791a3347032cb44058
-
Filesize
397KB
MD5f17e965a5d6bf57f39af778a2ddc924d
SHA149b5cb5858fc05d55efd0e3ff1ea25efc9578f68
SHA256250c630e237e5f44e929ef1d6eac0c2b4f8b97c76f086a26b3e3d2efd36da8fa
SHA512299d20f0ffd16358308076311fe5daf0636abe0e6c5a0841446ae686f60017acca6c3cd09898867d92d132a9a7e0ffe5e95b8e36aaa63c8dd9aa0a873324a60d
-
Filesize
19KB
MD56fe7de8b5522cfcc3b50bd6103b31310
SHA16c94ce9c84fccd37f8d96757c15becdc8460781f
SHA25670ffbaf2425b229bbfd6043f98348afbcd0d420b1d0889a8ca665a56fb524de6
SHA512093a71de7c4399d2342201e1a04ffbb34a8110dc037e36154e4f278f095b1193755401abbfeb805b7328e9ddabdd546f5b709b8b71a76487761f658b94bd382f
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
424KB
-
Filesize
424KB