Analysis
- Max time kernel: 135s
- Max time network: 134s
- Platform: windows7_x64
- Resource: win7v20201028
- Submitted: 11-03-2021 07:13
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0d0dc130f51749ea3e0efad156203217.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: 0d0dc130f51749ea3e0efad156203217.exe
  Resource: win10v20201028
General
- Target: 0d0dc130f51749ea3e0efad156203217.exe
- Size: 1.3MB
- MD5: 0d0dc130f51749ea3e0efad156203217
- SHA1: 2028c197c019c51e6ee10630dd45414319a677e6
- SHA256: 620afc2abbee35a3927169681326c1f1800030fd02c77eef6a49550978a41257
- SHA512: 718910fd0aa7182d6dd49a63c5d8428fc789b9141a9675cbc2f156c02dc85b00d859f4d49698d9ab1b034ddf40ee68a9aa5a2a254f1eb87d3748b30500557fce
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader First Stage (2 IoCs)
  Resource | YARA rule
  behavioral1/memory/1056-21-0x0000000000080000-0x00000000000DA000-memory.dmp | modiloader_stage1
  behavioral1/memory/1056-23-0x0000000000080000-0x00000000000DA000-memory.dmp | modiloader_stage1
- Executes dropped EXE (3 IoCs)
  PID | Process
  1640 | Animatrici.com
  1164 | Animatrici.com
  1056 | Animatrici.com
- Drops startup file (1 IoC)
  Description | IoC | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HWXgmjrFLp.url | Animatrici.com
- Loads dropped DLL (1 IoC)
  PID | Process
  1120 | cmd.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Description | IoC | Process
  File opened for modification | \??\PhysicalDrive0 | Animatrici.com
- Suspicious use of SetThreadContext (1 IoC)
  Description | PID | Process | Target PID | Target process
  Set thread context | 1164 | Animatrici.com | 1056 | Animatrici.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (34 IoCs)
  Each row is one source/target pair; the count is how many times that write was recorded.
  PID | Process | Target PID | Target process | Count
  1616 | 0d0dc130f51749ea3e0efad156203217.exe | 2032 | cmd.exe | 4
  1616 | 0d0dc130f51749ea3e0efad156203217.exe | 464 | cmd.exe | 4
  464 | cmd.exe | 1120 | cmd.exe | 4
  1120 | cmd.exe | 1632 | findstr.exe | 4
  1120 | cmd.exe | 1640 | Animatrici.com | 4
  1120 | cmd.exe | 1692 | PING.EXE | 4
  1640 | Animatrici.com | 1164 | Animatrici.com | 4
  1164 | Animatrici.com | 1056 | Animatrici.com | 6
Processes
(indentation shows the parent/child tree; the bracketed number is the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\0d0dc130f51749ea3e0efad156203217.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0d0dc130f51749ea3e0efad156203217.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c echo NVyGeu
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c C:\Windows\system32\cmd.exe < Vertigine.aspx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr /V /R "^CiOOtpWUMhrxPPgbyQviZQOMazreGAXRAXKmntwbRsqQaiPSdzTfUGVMawcKuThkdjUStPZqOZfIPYxkElMhHHWTwYuvJssYtPmujWNAzTAVdhXxHlyViqEIfqQyIDsbHsEZnhYIvkTOuwC$" Ricordarti.dot
      [4] C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
          Command line: Animatrici.com Piramide.xlam
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
            Command line: C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com Piramide.xlam
            - Executes dropped EXE
            - Drops startup file
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
              Command line: C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
      [4] C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 30
          - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Accostarmi.wks
  MD5: 2adab0cae9405b5ce8b471a47d2db583
  SHA1: 8e5d3c144a1a825c0cbefaa4b847b59ccf4b2324
  SHA256: fccbd5f2d8048c8adad21c24e47e6352f7fae3d849e54a7d49f14d81671bcb89
  SHA512: 8c5010955b306ce299084ac28cb4642117b74ce74c9da818ee0cf2eba4c93c3929e7f5be5ed90f5b109737be3f697962ca5d5782518574f0f44bcacc6494485a
- C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
- C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Piramide.xlam
  MD5: 08c5319c5b5592ec89aeca130ffb5d1c
  SHA1: dad9bd329aeecf8e2d6d35630cc4cb9b0903959c
  SHA256: 15d9ad9baf9068349940865dda8a4457d5e474d45ec3ada172d13ad7860fce3f
  SHA512: 2a5bdb03d3c275877017bbc79f26bf3a9600a8af7d2b4e6649c072ae6e349d88dacc41ce8e4506b9e0f374f41e83d645b4e9635e39ac4742c857fdd6f5dc26c2
- C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Ricordarti.dot
  MD5: b8a0e30ebffbcbc2fa56af1cb85b0c93
  SHA1: f531e920d4a2896ff2b842859a57750173d78ea3
  SHA256: cbd34a5ef54d0eb45a426be0110ba5ec4adef34da295a20129a60431b97f1fb8
  SHA512: f1c9c5718735d62e3f8661bc4a8c42182bf6e14ebaa2c02c9cef7e7588dcb63d6433f0d4591fdf8285a188d9bd8bd759f14f918fcce38b3770ef11fa0a0f942f
- C:\Users\Admin\AppData\Roaming\nBPAKLcgFX\Vertigine.aspx
  MD5: 961bb3367e4e04cde3939fd34d9143c7
  SHA1: bdddbabf55902a19aee7669c97f1822aec52a08e
  SHA256: 8266e80ee1e8c4a0329727e53c3cb79928bd1228b475fe431c9c8a111721bc45
  SHA512: b97b06a941a5f6a3881bb1e0f1a2e7bae28cbbbae7a2ec64edc71ddef3f015ebfb29c103e3c6861bec0375eb5fbf8fb7577ca0665da70e3c3af2fc59520423df
- \Users\Admin\AppData\Roaming\nBPAKLcgFX\Animatrici.com
  MD5: 78ba0653a340bac5ff152b21a83626cc
  SHA1: b12da9cb5d024555405040e65ad89d16ae749502
  SHA256: 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7
  SHA512: efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317
Memory dumps
- memory/464-4-0x0000000000000000-mapping.dmp
- memory/1056-23-0x0000000000080000-0x00000000000DA000-memory.dmp (Filesize: 360KB)
- memory/1056-21-0x0000000000080000-0x00000000000DA000-memory.dmp (Filesize: 360KB)
- memory/1120-6-0x0000000000000000-mapping.dmp
- memory/1164-15-0x0000000000000000-mapping.dmp
- memory/1164-20-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
- memory/1616-2-0x00000000765A1000-0x00000000765A3000-memory.dmp (Filesize: 8KB)
- memory/1632-7-0x0000000000000000-mapping.dmp
- memory/1640-10-0x0000000000000000-mapping.dmp
- memory/1692-12-0x0000000000000000-mapping.dmp
- memory/2032-3-0x0000000000000000-mapping.dmp