Overview

overview

10

Static

static

3

Quotation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/04/2025, 07:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    1.6MB

  • MD5

    d245c0efade78fbe55c9d537732dc8fb

  • SHA1

    339657894338cfa9ee994e440443d4fc7ef75368

  • SHA256

    860bb4fd3607ebdb177d9732653f9baeff86192cdf7874c5824ab37b9b61013d

  • SHA512

    562e31c22abf83d57785a5506025847e18a652765f4086ebc1c199b751eeb184a85e9d0ec08289fea1b6beeda0b94e2195a46702aa643ba4f3558a4023af2268

  • SSDEEP

    24576:OkCIwKMTJndSh1pBOjgqDx/u09mNfRWqERWsyI7RHc+Ow57pca5eBZq7W71p0Z3a:OkCzgEHDafT2bW+OwcMeTq72LU

Score
10/10
modiloadercollectiondiscoverytrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Modiloader family
    modiloader
  • ModiLoader Second Stage 61 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5188
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\\ProgramData\\9603.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\esentutl.exe
        C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
        3⤵
          PID:5528
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:544
        • C:\Users\Public\alpha.pif
          C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\6065.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5076
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 10
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3224
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\\ProgramData\\238.cmd
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4740
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Djauszke" /tr C:\\ProgramData\\Djauszke.url"
          3⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1948
      • C:\Windows\SysWOW64\recover.exe
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\roxm"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:704
      • C:\Windows\SysWOW64\recover.exe
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\bilesyz"
        2⤵
        • Accesses Microsoft Outlook accounts
        • System Location Discovery: System Language Discovery
        PID:5904
      • C:\Windows\SysWOW64\recover.exe
        C:\Windows\SysWOW64\recover.exe /stext "C:\Users\Admin\AppData\Local\Temp\ekqptqjrqo"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4388
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe "C:\Windows\System32\ieframe.dll",OpenURL C:\\ProgramData\\Djauszke.url
      1⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\Links\Djauszke.PIF
        "C:\Users\Admin\Links\Djauszke.PIF"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4728
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1288
          3⤵
          • Program crash
          PID:4216
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728
      1⤵
        PID:5064

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\238.cmd
        Filesize

        83B

        MD5

        40dcdc4a568ca38fd76ed517d58895dd

        SHA1

        a61427cc65116b4f452c75d8270d5316aa52087f

        SHA256

        5337e647cbe97c1108b0c690bccf5327291051fd0b80a7c51a8f06ca4c32b987

        SHA512

        2e32e0bec4ec95af7f1d5fa7a26e69d00a0d50afedeefeb50a809eb52a44d9c00036ccaaf47773035e21925fcc0425a3726d5676013189d0845a31c93dfa0cb1

        Download Submit

      • C:\ProgramData\6065.cmd
        Filesize

        2KB

        MD5

        9a020804eba1ffac2928d7c795144bbf

        SHA1

        61fdc4135afdc99e106912aeafeac9c8a967becc

        SHA256

        a86c6c7a2bf9e12c45275a5e7ebebd5e6d2ba302fe0a12600b7c9fdf283d9e63

        SHA512

        42f6d754f1bdbeb6e4cc7aeb57ff4c4d126944f950d260a0839911e576ad16002c16122f81c1d39fa529432dca0a48c9acfbb18804ca9044425c8e424a5518be

        Download Submit

      • C:\ProgramData\9603.cmd
        Filesize

        19KB

        MD5

        1df650cca01129127d30063634ab5c03

        SHA1

        bc7172dec0b12b05f2247bd5e17751eb33474d4e

        SHA256

        edd4094e7a82a6ff8be65d6b075e9513bd15a6b74f8032b5c10ce18f7191fa60

        SHA512

        0bddf9ecaaedb0c30103a1fbfb644d6d4f7608bd596403307ed89b2390568c3a29e2cf55d10e2eadbfc407ede52eaf9a4f2321ba5f37e358a1039f73c7688fbd

        Download Submit

      • C:\ProgramData\Djauszke.url
        Filesize

        98B

        MD5

        2eafed4a4e6db61546dfdb1d8a1b03dd

        SHA1

        fd2394ec958630390dcd648d3a66d2ff6184ce7b

        SHA256

        7b8020cc6cbddb0b7f2cde47a4704941b08be505e4d7e6f6d300bebbd3369a8c

        SHA512

        bde206bd513f1d4ec68ca80e1a4d5a4327d430322e622802397447810c21ecc3cb7855b58cbccdf484f0a3ca97598496ebf4ba0605c55efcb54865446498742c

        Download Submit

      • C:\ProgramData\remcos\logs.dat
        Filesize

        144B

        MD5

        12c355cebd8eea0d77df444eb4e8b385

        SHA1

        6518d04680f03cc833dc6501d336b1b93c71d8c1

        SHA256

        2f867e0c4360cfc89bc7bd04b0f594e1627d8d18cef91e97180017255ac9c732

        SHA512

        2c2364b53f6516b16cb1f62e281d01ab0538266a9d47e2d4ad4b52e690d3917d854e7f2e4710f542883e76c7ed20957f182b2af1f9834f6dba156cb71be67390

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\roxm
        Filesize

        4KB

        MD5

        464a2b4d146c111b6f9d38d15973a64a

        SHA1

        efb2905ba6f5ce2f70d016a956e6858a315236df

        SHA256

        7d8d3453dac5f9630b1e11bbf62ffcf8a42e84bf76ba341bb9a3f8951bd0ebdd

        SHA512

        4fdf608b018150abdafe01ed309e134abec621ef2836d07beb57c2304cd37a8bcf58067d34ce3bc37c57040c1aca3db7b2153aaafb33fcbb040637bb8d39306d

        Download Submit

      • C:\Users\Admin\Links\Djauszke.PIF
        Filesize

        1.6MB

        MD5

        d245c0efade78fbe55c9d537732dc8fb

        SHA1

        339657894338cfa9ee994e440443d4fc7ef75368

        SHA256

        860bb4fd3607ebdb177d9732653f9baeff86192cdf7874c5824ab37b9b61013d

        SHA512

        562e31c22abf83d57785a5506025847e18a652765f4086ebc1c199b751eeb184a85e9d0ec08289fea1b6beeda0b94e2195a46702aa643ba4f3558a4023af2268

        Download Submit

      • C:\Users\Public\alpha.pif
        Filesize

        231KB

        MD5

        d0fce3afa6aa1d58ce9fa336cc2b675b

        SHA1

        4048488de6ba4bfef9edf103755519f1f762668f

        SHA256

        4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

        SHA512

        80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

        Download Submit

      • memory/5188-29-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-27-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-6-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-10-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-24-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-45-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-65-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-63-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-64-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-62-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-60-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-58-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-57-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-55-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-50-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-42-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-41-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-40-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-38-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-37-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-36-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-61-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-33-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-59-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-32-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-31-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-56-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-30-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-5-0x0000000000760000-0x0000000000761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5188-54-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-28-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-53-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-4-0x0000000000400000-0x00000000005A3000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/5188-51-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-52-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-26-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-49-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-25-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-48-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-47-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-46-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-23-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-44-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-22-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-43-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-21-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-20-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-19-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-39-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-18-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-17-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-35-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-16-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-34-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-15-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-14-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-13-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-12-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-11-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-9-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-2-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-1-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-0-0x0000000000760000-0x0000000000761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/5188-7-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/5188-8-0x0000000002870000-0x0000000003870000-memory.dmp

        Filesize

        16.0MB

        Download