Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-02-2021 17:19
Static task: static1
Behavioral task: behavioral1
- Sample: e51b30bf9b0c6ac4653a5e0e3d47e53e.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: e51b30bf9b0c6ac4653a5e0e3d47e53e.exe
- Resource: win10v20201028
General
- Target: e51b30bf9b0c6ac4653a5e0e3d47e53e.exe
- Size: 1.3MB
- MD5: e51b30bf9b0c6ac4653a5e0e3d47e53e
- SHA1: 284bc580ff365a2c8ae9602e96d8e1a7cbff30b7
- SHA256: 2b9ab52795f34af8e45a80c88ebd53c725bcccdab49aee05a8b848566e8c3b28
- SHA512: 47617da1880ef2753d621b0639f1a868f88a945db5176fc2422165f181ec7613e175038c4d74067cd1447f44e3b26263e720a8f3bd302c957c2807cd77e43bce
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (2 IoCs)
  Processes (resource / yara_rule):
    behavioral2/memory/2748-17-0x0000000001600000-0x000000000165A000-memory.dmp / modiloader_stage1
    behavioral2/memory/2748-19-0x0000000001600000-0x000000000165A000-memory.dmp / modiloader_stage1
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    2608 / Non.com
    1304 / Non.com
    2748 / Non.com
- Drops startup file (1 IoC)
  Processes (description / ioc / process):
    File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QEGjMUAwgB.url / Non.com
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description / ioc / process):
    File opened for modification / \??\PhysicalDrive0 / Non.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    PID 1304 set thread context of 2748 / 1304 / Non.com / Non.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description / pid / process / target process; identical rows collapsed, with the number of occurrences in brackets):
    PID 636 wrote to memory of 3148 / 636 / e51b30bf9b0c6ac4653a5e0e3d47e53e.exe / cmd.exe (x3)
    PID 636 wrote to memory of 196 / 636 / e51b30bf9b0c6ac4653a5e0e3d47e53e.exe / cmd.exe (x3)
    PID 196 wrote to memory of 940 / 196 / cmd.exe / cmd.exe (x3)
    PID 940 wrote to memory of 2328 / 940 / cmd.exe / findstr.exe (x3)
    PID 940 wrote to memory of 2608 / 940 / cmd.exe / Non.com (x3)
    PID 940 wrote to memory of 3432 / 940 / cmd.exe / PING.EXE (x3)
    PID 2608 wrote to memory of 1304 / 2608 / Non.com / Non.com (x3)
    PID 1304 wrote to memory of 2748 / 1304 / Non.com / Non.com (x5)
Processes (process tree; the number is the depth in the tree, followed by the image path, the command line and the signatures hit)
1. C:\Users\Admin\AppData\Local\Temp\e51b30bf9b0c6ac4653a5e0e3d47e53e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e51b30bf9b0c6ac4653a5e0e3d47e53e.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo qyyLS
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c cmd < Sgomento.tif
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /V /R "^QqBsvmtgayDPlBGoifNnIYcxnIYtBGVoHYzXYQxIMnLKaVHFkmOzaNxRFiTNBqNLlxijiJpdUyMlhKwDqzSe$" Pei.vss
         4. C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
            Command line: Non.com Alito.pdf
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
               Command line: C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com Alito.pdf
               - Executes dropped EXE
               - Drops startup file
               - Suspicious use of SetThreadContext
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
                  Command line: C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
                  - Executes dropped EXE
                  - Writes to the Master Boot Record (MBR)
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 30
            - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Alito.pdf
  MD5: 25c3460865886a2894a5dfd3307ae0ac
  SHA1: 18768d293fea70582967982e1cd9fb49460fae57
  SHA256: 0476c8b596f00aacb06f65078c815c498e4ce04dc098d06a3fd19e04089fe6fc
  SHA512: 6e70933663b115185ae3b70210388a74b86ac92d5da6295af9fb9c1cfde7154b9a5d6437597f5811f353bb4813c1e7a3c0262a6bccac1270caa2566529b24862
- C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Non.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Pei.vss
  MD5: 0aad7d67f65e584ffae5213339cfd595
  SHA1: 566e38274ca65b8d0f44f3d413e25d94c2ec113e
  SHA256: c5a8d3e633e55f2c64589c7c7f738959c41ed97000dcfaf145b11d1a6e460abb
  SHA512: 44f548ddb0b5f931e1e2d5dbe598ca70f8922ec2a47250cbbe07246bbf64968c93795660f39e908cfb1f4ce7ce8a1abc71e45a8f22340abc2d1a1702401dfeab
- C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Perisce.vsdm
  MD5: 9dab793d81f752ed646e201042925518
  SHA1: a699f67b61214f6e137fda99109c67047f0c9235
  SHA256: 51c10c0a6d5d6a7a4279ba3718a0e6e70e3d8549446e71c9bdad242513dda3f1
  SHA512: ffd4c09e7175602b65411aa1b6696cb39f41e18ebcb2a6b4b5a967ed4cc321b86bed59942b7d1f35bf1ee3febf90a2cb34f9d4f495beee93fbb60e5c7c1106c4
- C:\Users\Admin\AppData\Local\Temp\DnfEkxbYkuo\Sgomento.tif
  MD5: 1bed7a45b2588ecc6b0eb7d228e57a5f
  SHA1: 2e10dd2734c6edff8b1a28774c8ec53ee73452df
  SHA256: a3df866e5e115e3c79235533712b1c87c7416915ff2248d5d1cc4fcc68d24874
  SHA512: e17771098eaf67e2575bd26516fab3dbb71d4d5de69975839755f0de047a7a7c920960ee2c8893796ed6e9bea8988d1ae96aafeb7629673a726cc145f5074626
Memory dumps (path, with file size where the report gives one):
- memory/196-3-0x0000000000000000-mapping.dmp
- memory/940-5-0x0000000000000000-mapping.dmp
- memory/1304-16-0x00000000010F0000-0x00000000010F1000-memory.dmp (4KB)
- memory/1304-12-0x0000000000000000-mapping.dmp
- memory/2328-6-0x0000000000000000-mapping.dmp
- memory/2608-8-0x0000000000000000-mapping.dmp
- memory/2748-17-0x0000000001600000-0x000000000165A000-memory.dmp (360KB)
- memory/2748-19-0x0000000001600000-0x000000000165A000-memory.dmp (360KB)
- memory/3148-2-0x0000000000000000-mapping.dmp
- memory/3432-10-0x0000000000000000-mapping.dmp