Analysis
- max time kernel: 123s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 10-03-2021 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: 2beadfcc5cc2f725fbaa08d7421d94a4.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 2beadfcc5cc2f725fbaa08d7421d94a4.exe
  Resource: win10v20201028
General
- Target: 2beadfcc5cc2f725fbaa08d7421d94a4.exe
- Size: 1.3MB
- MD5: 2beadfcc5cc2f725fbaa08d7421d94a4
- SHA1: 86e79742e9a3b43682022331096dc7fce3ba8de6
- SHA256: 5d0b09993c8b1d6de2ab162c32f2c36fb250b5a8051fbde5d5bcf9e8142ef75d
- SHA512: f007d49f1a274afaa87b601732f784eb62d438a367b17c24e959990aac61cf270e7d2b8bfd677a6cf00e603a12455e759e44d4ca9c635a9db8a446af2790a8f7
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (2 IoCs)
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/3600-17-0x0000000000650000-0x00000000006AA000-memory.dmp  modiloader_stage1
    behavioral2/memory/3600-19-0x0000000000650000-0x00000000006AA000-memory.dmp  modiloader_stage1
- Executes dropped EXE (3 IoCs)
  Processes: Com.com, Com.com, Com.com
    pid   process
    992   Com.com
    2288  Com.com
    3600  Com.com
- Drops startup file (1 IoC)
  Processes: Com.com
    description   ioc                                                                                          process
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mbdCvEVAbP.url  Com.com
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: Com.com
    description                   ioc                 process
    File opened for modification  \??\PhysicalDrive0  Com.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Com.com
    description                          pid   process  target process
    PID 2288 set thread context of 3600  2288  Com.com  Com.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes: 2beadfcc5cc2f725fbaa08d7421d94a4.exe, cmd.exe, cmd.exe, Com.com, Com.com
    description                      pid   process                               target process
    PID 8 wrote to memory of 3824    8     2beadfcc5cc2f725fbaa08d7421d94a4.exe  cmd.exe
    PID 8 wrote to memory of 3824    8     2beadfcc5cc2f725fbaa08d7421d94a4.exe  cmd.exe
    PID 8 wrote to memory of 3824    8     2beadfcc5cc2f725fbaa08d7421d94a4.exe  cmd.exe
    PID 8 wrote to memory of 932     8     2beadfcc5cc2f725fbaa08d7421d94a4.exe  cmd.exe
    PID 8 wrote to memory of 932     8     2beadfcc5cc2f725fbaa08d7421d94a4.exe  cmd.exe
    PID 8 wrote to memory of 932     8     2beadfcc5cc2f725fbaa08d7421d94a4.exe  cmd.exe
    PID 932 wrote to memory of 1380  932   cmd.exe                               cmd.exe
    PID 932 wrote to memory of 1380  932   cmd.exe                               cmd.exe
    PID 932 wrote to memory of 1380  932   cmd.exe                               cmd.exe
    PID 1380 wrote to memory of 3624 1380  cmd.exe                               findstr.exe
    PID 1380 wrote to memory of 3624 1380  cmd.exe                               findstr.exe
    PID 1380 wrote to memory of 3624 1380  cmd.exe                               findstr.exe
    PID 1380 wrote to memory of 992  1380  cmd.exe                               Com.com
    PID 1380 wrote to memory of 992  1380  cmd.exe                               Com.com
    PID 1380 wrote to memory of 992  1380  cmd.exe                               Com.com
    PID 1380 wrote to memory of 2136 1380  cmd.exe                               PING.EXE
    PID 1380 wrote to memory of 2136 1380  cmd.exe                               PING.EXE
    PID 1380 wrote to memory of 2136 1380  cmd.exe                               PING.EXE
    PID 992 wrote to memory of 2288  992   Com.com                               Com.com
    PID 992 wrote to memory of 2288  992   Com.com                               Com.com
    PID 992 wrote to memory of 2288  992   Com.com                               Com.com
    PID 2288 wrote to memory of 3600 2288  Com.com                               Com.com
    PID 2288 wrote to memory of 3600 2288  Com.com                               Com.com
    PID 2288 wrote to memory of 3600 2288  Com.com                               Com.com
    PID 2288 wrote to memory of 3600 2288  Com.com                               Com.com
    PID 2288 wrote to memory of 3600 2288  Com.com                               Com.com
Processes
- C:\Users\Admin\AppData\Local\Temp\2beadfcc5cc2f725fbaa08d7421d94a4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2beadfcc5cc2f725fbaa08d7421d94a4.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c echo qmAzSiYcZ
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c cmd < Appare.xlsx
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^NNBysubwvrLxaUtgPyscanjHImKOLfrklLrHmxtYnJkPBlLmAtZSCBEfATvRcJfuZmlHQbPxqaXJhbunOkhHdkJIuOiFXhCPxtPwZrIrgERpEVwrNYelcIQOQCBeflvNQifoHtmLCpzLzArlMr$" Battito.vob
      - C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
        Command line: Com.com Scolpita.xlm
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
          Command line: C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com Scolpita.xlm
          Signatures: Executes dropped EXE; Drops startup file; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
            Command line: C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
            Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Appare.xlsx
  MD5: a13afe991cfa864cfa395d285d6d60ea
  SHA1: 47af6e056ceab5a46429a5d2353b0cc0e9a3abd4
  SHA256: b6a281e01d592211564c9c2990508b8c5f85b354f8b3f5cc33843e56b4b11f7f
  SHA512: ba93b9d86126ebebbea7e09cc9db686ad7f82581088e6ffae5f77a2914e2fba06a15fcdfb6f7f34d74d329dd6b9a20fc9557f04f528cd5895ae75c643e061c43
- C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Battito.vob
  MD5: 0004b273a3cf1b1e75c61418cf9313a1
  SHA1: 84e37fbf2cf58540e9b2e693532ee1458e0dd5e2
  SHA256: f74e8a7529eefb2a080b2ccfaf88b6b611ccd50690735b705554288653184d9d
  SHA512: 6301cb796dad87876a575bf68821ad32901f93bfa352f42bdc63ecc9f06425bd95da38b1edb92b996bbb45baa8d40c4e5bf5fec3bebb5dabb3f35e8f38acd1e1
- C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Com.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Scolpita.xlm
  MD5: 6f2323120ea70a9789b6b2fe9aafd13d
  SHA1: a5f3337fa57b85550214dc3c48b0677c3cc89f17
  SHA256: 1d1dd3cc8df171852c2cdceb0225b96993a6fecc37e123f64776190d5f4b7950
  SHA512: 469ad5b7cad03d45cb0526c8afebf56a978d6d25e97d4525b73dc66a6831215d30b24de7fb22274e24714fba8b02c9b68d17aa415af4a6a9446e8c14d0a62a94
- C:\Users\Admin\AppData\Local\Temp\XDTQkkPZNB\Solitario.rtf
  MD5: 53187ea0178ac7111713ec0574f44d62
  SHA1: 1e8c1b2c250b311d778c5e41a31f1bc5e1a3af11
  SHA256: 36283b3a0dd86d56793fb77c9e3cd802d9bb7e222c35aabd92ffa3dd2017dd94
  SHA512: 0dc81e5d18526b67c3215d68d60cec17ae3310886f5c7470c0cb00c2170f1a0c751debee3e090c1159b2a004f26363659ccc3acefe916399b690c4c490b7f834
- memory/932-3-0x0000000000000000-mapping.dmp
- memory/992-8-0x0000000000000000-mapping.dmp
- memory/1380-5-0x0000000000000000-mapping.dmp
- memory/2136-10-0x0000000000000000-mapping.dmp
- memory/2288-12-0x0000000000000000-mapping.dmp
- memory/2288-16-0x0000000000720000-0x0000000000721000-memory.dmp
  Filesize: 4KB
- memory/3600-17-0x0000000000650000-0x00000000006AA000-memory.dmp
  Filesize: 360KB
- memory/3600-19-0x0000000000650000-0x00000000006AA000-memory.dmp
  Filesize: 360KB
- memory/3624-6-0x0000000000000000-mapping.dmp
- memory/3824-2-0x0000000000000000-mapping.dmp