3ea6f7524f8931299f6321074e53b931417dedfc90ab9112f33ed45f5da76858

Resubmissions

19/03/2025, 21:22

250319-z8a2xatshv 10

13/03/2025, 20:01

250313-yrvjjs1ydx 10

13/03/2025, 19:41

250313-yd3m1a1vbt 10

13/03/2025, 06:53

250313-hnlt8sytht 10

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/03/2025, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

S1ModLoader.exe
Size

87.5MB
MD5

51d993521dfe63cc06813bedcbd6afc9
SHA1

bd3946664fadd9da36a51d39d7443efcce06cb34
SHA256

3ea6f7524f8931299f6321074e53b931417dedfc90ab9112f33ed45f5da76858
SHA512

178dc4f6949500bc8544bbb6662663091e3a8744695abc2e75fe7fe508324e096fde0efbf547d2c5f7c00eeda49ef846562ff8aa0f17354086fda83b8efad52c
SSDEEP

1572864:xNK+4lqWLqP0OkiqOv8im2A4lE7flPLiYgj+h58sMwGe3CpcJ5AS:xP4MdMOknOv8i3LeJF5qe3DA

Score

7^/10

upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
828	S1ModLoader.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000020a77-1264.dat	upx
behavioral1/memory/828-1266-0x000007FEF5FD0000-0x000007FEF65B9000-memory.dmp	upx

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2932	AUDIODG.EXE
Token: 33	2932	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2932	AUDIODG.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 828	1908	S1ModLoader.exe	30
PID 1908 wrote to memory of 828	1908	S1ModLoader.exe	30
PID 1908 wrote to memory of 828	1908	S1ModLoader.exe	30

C:\Users\Admin\AppData\Local\Temp\S1ModLoader.exe
"C:\Users\Admin\AppData\Local\Temp\S1ModLoader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\S1ModLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\S1ModLoader.exe"
  2⤵
  - Loads dropped DLL
  PID:828

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19082\python311.dll

Filesize
1.6MB

MD5
546cc5fe76abc35fdbf92f682124e23d

SHA1
5c1030752d32aa067b49125194befee7b3ee985a

SHA256
43bff2416ddd123dfb15d23dc3e99585646e8df95633333c56d85545029d1e76

SHA512
cb75334f2f36812f3a5efd500b2ad97c21033a7a7054220e58550e95c3408db122997fee70a319aef8db6189781a9f2c00a9c19713a89356038b87b036456720

Download Submit
memory/828-1266-0x000007FEF5FD0000-0x000007FEF65B9000-memory.dmp

Filesize
5.9MB

Download