Overview

overview

10

Static

static

3

Quotation.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quotation.txz.rar

  • Size

    1.1MB

  • Sample

    250401-meastszlz4

  • MD5

    b6978d2cc6dc7b3d3cec11d0856a4ec5

  • SHA1

    5e940ac852ef71f9e0eae9f30ec619ae01569614

  • SHA256

    069e9e3e196571672f6a0c4a3e69be3bc6ef4876e1b384500c79d708c548350c

  • SHA512

    5230dee7c259b1064002a7af2397e7784e9d95ada56a6004c2ce425e1da05b9c114a873663837df7936cc5e3e1bd961a567db38778df78718841c4a2c6bc2fdb

  • SSDEEP

    24576:IsK0sK4O3LjoNCHW15TKxma86gjKfxLGLFim+arGHzDlGV8Z:IvPFO3XHCl4maxgjK5LGLr+ay/uW

Score
10/10
modiloadercollectiondefense_evasiondiscoverytrojan

Malware Config

Targets

    • Target

      Quotation.exe

    • Size

      1.6MB

    • MD5

      d245c0efade78fbe55c9d537732dc8fb

    • SHA1

      339657894338cfa9ee994e440443d4fc7ef75368

    • SHA256

      860bb4fd3607ebdb177d9732653f9baeff86192cdf7874c5824ab37b9b61013d

    • SHA512

      562e31c22abf83d57785a5506025847e18a652765f4086ebc1c199b751eeb184a85e9d0ec08289fea1b6beeda0b94e2195a46702aa643ba4f3558a4023af2268

    • SSDEEP

      24576:OkCIwKMTJndSh1pBOjgqDx/u09mNfRWqERWsyI7RHc+Ow57pca5eBZq7W71p0Z3a:OkCzgEHDafT2bW+OwcMeTq72LU

    Score
    10/10
    modiloadercollectiondefense_evasiondiscoverytrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modiloader family

      modiloader

    • UAC bypass

      defense_evasiontrojan

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks