Analysis
max time kernel: 122s
max time network: 125s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-12-2021 18:58
Static task: static1
Behavioral task: behavioral1
Sample: f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
Resource: win10-en-20211208
General
Target: f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
Size: 1.1MB
MD5: 7b98554d2ad0041be3a00121d8fcf9c3
SHA1: 187a35c3e84d0b4afef32705987c840f6729e133
SHA256: f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61
SHA512: 324abecfd87060a9dd7b7a151eb8502f72123c242dee4ac3387c6d6ba3c92f6a4a452a006e58bf897b1a8af803686c5975e58dfb29bb3bd45aebc810ed264cab
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader First Stage 2 IoCs
resource | yara_rule
behavioral1/memory/3232-129-0x0000000000600000-0x000000000065A000-memory.dmp | modiloader_stage1
behavioral1/memory/3232-133-0x0000000000600000-0x000000000065A000-memory.dmp | modiloader_stage1
Both hits are in the memory of PID 3232, which is nslookup.exe (see the SetThreadContext and WriteProcessMemory IoCs below), not in any file written to disk. The loader's first stage is therefore only visible in the hollowed nslookup.exe, and the 360KB region 0x600000-0x65A000 is the dump to pull if you want to carve it.
Executes dropped EXE 2 IoCs
pid | process
2956 | Ritornata.exe.com
1908 | Ritornata.exe.com
Drops startup file 1 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WjVcWskkmD.url | Ritornata.exe.com
This .url shortcut in the per-user Startup folder is the persistence mechanism in this run: anything it points at is launched at the next interactive logon of the Admin user. The report does not show the shortcut's target, so recover the file from the dropped-files list or the disk image before writing a cleanup.
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe
Read this one carefully before calling it persistence. A RunOnce value named wextract_cleanup<n> that calls advpack.dll,DelNodeRunDLL32 on an IXP<nnn>.TMP directory is the standard cleanup entry written by the IExpress/WEXTRACT self-extractor stub the sample is packaged in; at next logon it deletes the extraction directory rather than relaunching anything. The signature fires because a RunOnce value was set, but the payload's own persistence is the Startup .url above.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | nslookup.exe
What triggered this is a handle opened with write access on the raw disk device \??\PhysicalDrive0 by the injected nslookup.exe. Write access to the raw disk is a prerequisite for overwriting the MBR, but the report records no write to sector 0, so treat this as a raw-disk-access indicator that needs confirming (compare the first sector of the analysis disk image against a clean baseline) rather than as proof of a bootkit.
Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 1908 set thread context of 3232 | 1908 | Ritornata.exe.com | nslookup.exe
The second Ritornata.exe.com instance (PID 1908) starts nslookup.exe (PID 3232), writes into its memory (see WriteProcessMemory below) and then resets its thread context. That sequence is process hollowing: the legitimate nslookup.exe image is replaced in memory by the loader, which is why the ModiLoader yara rules match that process's memory.
Runs ping.exe 1 TTPs 1 IoCs
The only ping in the tree is ping 127.0.0.1 -n 30, launched by the outer cmd.exe after the batch script: thirty echo requests to loopback at the default one-second interval are a roughly 30 second sleep, not network activity.
Suspicious use of FindShellTrayWindow 6 IoCs
pid | process
2956 | Ritornata.exe.com
2956 | Ritornata.exe.com
2956 | Ritornata.exe.com
1908 | Ritornata.exe.com
1908 | Ritornata.exe.com
1908 | Ritornata.exe.com
Suspicious use of SendNotifyMessage 6 IoCs
pid | process
2956 | Ritornata.exe.com
2956 | Ritornata.exe.com
2956 | Ritornata.exe.com
1908 | Ritornata.exe.com
1908 | Ritornata.exe.com
1908 | Ritornata.exe.com
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | process | target process | events
PID 3048 wrote to memory of 1804 | 3048 | f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe | expand.exe | 3
PID 3048 wrote to memory of 2164 | 3048 | f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe | cmd.exe | 3
PID 2164 wrote to memory of 876 | 2164 | cmd.exe | cmd.exe | 3
PID 876 wrote to memory of 312 | 876 | cmd.exe | findstr.exe | 3
PID 876 wrote to memory of 2956 | 876 | cmd.exe | Ritornata.exe.com | 3
PID 2164 wrote to memory of 684 | 2164 | cmd.exe | PING.EXE | 3
PID 2956 wrote to memory of 1908 | 2956 | Ritornata.exe.com | Ritornata.exe.com | 3
PID 1908 wrote to memory of 3232 | 1908 | Ritornata.exe.com | nslookup.exe | 5
The events column collapses identical rows (3+3+3+3+3+3+3+5 = 26). The same three writes appear for every parent/child pair in the tree, including the benign expand.exe and PING.EXE launches, so they are the noise of process creation on this platform. The row that matters is the last one: the extra writes from 1908 into nslookup.exe, followed by the SetThreadContext above, are the injection.
Processes
(PIDs are taken from the WriteProcessMemory IoCs above; indentation shows parent and child.)

C:\Users\Admin\AppData\Local\Temp\f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe (PID 3048)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\expand.exe (PID 1804)
    cmdline: expand
  C:\Windows\SysWOW64\cmd.exe (PID 2164)
    cmdline: cmd /c cmd < Sua.swf & ping 127.0.0.1 -n 30
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 876)
      cmdline: cmd
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\findstr.exe (PID 312)
        cmdline: findstr /V /R "^rMRqhEQoWQMXQgLMfHZtmEjotrVzghKKxWsooRyoMqguqYanogPNqINnAJVlIvUIywCTXCDbBRanduoyKblqnXJMpSInVVmf$" Obliare.swf
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com (PID 2956)
        cmdline: Ritornata.exe.com G
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com (PID 1908)
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com G
          - Executes dropped EXE
          - Drops startup file
          - Suspicious use of SetThreadContext
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\nslookup.exe (PID 3232)
            cmdline: C:\Windows\SysWOW64\nslookup.exe
            - Writes to the Master Boot Record (MBR)
    C:\Windows\SysWOW64\PING.EXE (PID 684)
      cmdline: ping 127.0.0.1 -n 30
      - Runs ping.exe

Reading the chain: the sample is an IExpress-style self-extracting archive (the IXP000.TMP extraction directory and the wextract_cleanup0 RunOnce entry are both WEXTRACT artefacts). It unpacks Sua.swf, Obliare.swf, Dio.swf and G into IXP000.TMP and runs cmd /c cmd < Sua.swf, which feeds Sua.swf to a fresh cmd.exe on standard input so the batch script never needs a .bat extension. That script runs findstr /V /R "^<marker>$" Obliare.swf, which prints every line of Obliare.swf except the one matching the long random marker; the redirect of that output is handled by the calling cmd.exe and so does not appear in findstr's own command line, but the next step executes Ritornata.exe.com from the same directory and its hashes differ from Obliare.swf, consistent with findstr having stripped the marker line to produce the executable. Ritornata.exe.com G relaunches itself with the same argument (the dropped file G has the same hashes as Dio.swf), and the second instance hollows a freshly started nslookup.exe, where the ModiLoader yara rules match. The ping to 127.0.0.1 in the outer cmd.exe is only a delay.
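Each step of that chain is a well-known Windows-binary (LOLBin) pattern, and each is detectable from process-creation telemetry alone. The following Python is an added example and not part of the sandbox report or its tooling: it runs five small rules over process-creation records constructed from the tree above (PIDs taken from the WriteProcessMemory IoCs; the root's parent PID, the record field names and the rule names are my own assumptions) and reports which process each rule fires on, together with its ancestry.

```python
"""Flag the LOLBin chain from this report in process-creation records.

Added example; not the sandbox's code. The records are constructed from the
report's process tree (PIDs from the WriteProcessMemory IoCs); the root's
parent PID is assumed. Field names are my own, not a vendor schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f83ad7329b642727ff0e4b9f4b690ad55588f605000ecb6643ac959f1a8f0b61.exe"
IXP = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
MARKER = "rMRqhEQoWQMXQgLMfHZtmEjotrVzghKKxWsooRyoMqguqYanogPNqINnAJVlIvUIywCTXCDbBRanduoyKblqnXJMpSInVVmf"

# Constructed from the report's process tree (ppid 0 for the root is assumed).
EVENTS = [
    ProcEvent(3048, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1804, 3048, r"C:\Windows\SysWOW64\expand.exe", "expand"),
    ProcEvent(2164, 3048, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c cmd < Sua.swf & ping 127.0.0.1 -n 30"),
    ProcEvent(876, 2164, r"C:\Windows\SysWOW64\cmd.exe", "cmd"),
    ProcEvent(312, 876, r"C:\Windows\SysWOW64\findstr.exe", f'findstr /V /R "^{MARKER}$" Obliare.swf'),
    ProcEvent(2956, 876, IXP + r"\Ritornata.exe.com", "Ritornata.exe.com G"),
    ProcEvent(684, 2164, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
    ProcEvent(1908, 2956, IXP + r"\Ritornata.exe.com", IXP + r"\Ritornata.exe.com G"),
    ProcEvent(3232, 1908, r"C:\Windows\SysWOW64\nslookup.exe", r"C:\Windows\SysWOW64\nslookup.exe"),
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_cmd_script_via_stdin(e, by_pid):
    # "cmd < file": a batch script fed on stdin, so it needs no .bat/.cmd extension
    if _base(e.image) != "cmd.exe":
        return False
    m = re.search(r'\bcmd(?:\.exe)?\s*<\s*"?([^\s"&|]+)', e.cmdline, re.I)
    return bool(m) and not m.group(1).lower().endswith((".bat", ".cmd"))


def rule_findstr_v_as_copy(e, by_pid):
    # findstr /V with an anchored regex of long random text prints every line except
    # the marker line, i.e. findstr is carving one file out of another
    if _base(e.image) != "findstr.exe":
        return False
    anchored = re.search(r'"\^([A-Za-z0-9]{32,})\$"', e.cmdline)
    return "/v" in e.cmdline.lower().split() and bool(anchored)


def rule_ping_loopback_sleep(e, by_pid):
    # ping to loopback with a large -n count is a sleep, not a connectivity test
    if _base(e.image) != "ping.exe":
        return False
    loopback = re.search(r"\b(?:127\.0\.0\.1|localhost)\b", e.cmdline, re.I)
    count = re.search(r"-n\s+(\d+)", e.cmdline, re.I)
    return bool(loopback) and bool(count) and int(count.group(1)) >= 5


def rule_exec_from_iexpress_tmp(e, by_pid):
    # executable started from an IExpress/WEXTRACT extraction directory (IXP###.TMP)
    return bool(re.search(r"\\IXP\d{3}\.TMP\\", e.image, re.I))


def rule_nslookup_no_args_user_parent(e, by_pid):
    # nslookup.exe with no query, launched by a parent outside C:\Windows: the shape
    # of a hollowing target rather than a DNS lookup
    if _base(e.image) != "nslookup.exe":
        return False
    parent = by_pid.get(e.ppid)
    no_args = e.cmdline.strip().strip('"').lower() in (e.image.lower(), _base(e.image))
    return no_args and parent is not None and not parent.image.lower().startswith("c:\\windows\\")


RULES = {f.__name__[5:]: f for f in (
    rule_cmd_script_via_stdin, rule_findstr_v_as_copy, rule_ping_loopback_sleep,
    rule_exec_from_iexpress_tmp, rule_nslookup_no_args_user_parent)}


def detect(events):
    """Return (rule_name, pid) for every event a rule fires on, in event order."""
    by_pid = {e.pid: e for e in events}
    return [(name, e.pid) for e in events for name, rule in RULES.items() if rule(e, by_pid)]


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:30} pid={pid:<5} {' > '.join(ancestry(EVENTS, pid))}")
```

Run stand-alone it prints six hits: the stdin-fed cmd.exe (2164), the findstr carve (312), both Ritornata.exe.com launches from IXP000.TMP (2956, 1908), the loopback ping (684) and the argument-less nslookup.exe under a user-profile parent (3232). In production the same rules would be fed from Sysmon event ID 1 or equivalent, and the nslookup rule should also weigh the parent's signer, since legitimate tools do spawn nslookup.exe; the value of the set is that every rule here fires on a different link of one chain, so scoring by chain rather than by event keeps the false-positive rate of any single rule from mattering much.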
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dio.swf
  MD5: 95c74f05449c333404f7950c69d3e33f
  SHA1: 240e2f9e7618205c1f8ffbdd69fc52a5c91cbb91
  SHA256: b668e2177b7fa3d46043a44207727d3f34ade3ef705b79b9282baa9af95c2237
  SHA512: af09e16f506c3ef6abefcb8b498adc26b86d298b9f62326b267a79a8bcadcb50f262399218ab9f773c39e4b6e36806f6868929d75ae38ee44f97b4e2c579bfe8
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\G
  MD5: 95c74f05449c333404f7950c69d3e33f
  SHA1: 240e2f9e7618205c1f8ffbdd69fc52a5c91cbb91
  SHA256: b668e2177b7fa3d46043a44207727d3f34ade3ef705b79b9282baa9af95c2237
  SHA512: af09e16f506c3ef6abefcb8b498adc26b86d298b9f62326b267a79a8bcadcb50f262399218ab9f773c39e4b6e36806f6868929d75ae38ee44f97b4e2c579bfe8
  (same hashes as Dio.swf, so the two files are byte-identical; G is the argument passed to both Ritornata.exe.com instances)
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Obliare.swf
  MD5: 334523bbfc07a1b34a74818abca7c0f9
  SHA1: 4e907ef95f8688cc664f8a7c7bea8528326b5c13
  SHA256: e6eeee3a8b0e45f40a91009c7e9d88fead35488be479ea2e6c1551ea7e0b858d
  SHA512: f6201203ccff5e84a52bb2dd8b97424d8af2477b95eff050ccae9183c00d920b57a6f7f59676a9b4a3c5d41b4167af5881f187e858beaff2b277257e45cc0a44
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ritornata.exe.com
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.swf
  MD5: 2a32b7f3c1946406510c9e4ea9c7a596
  SHA1: 8f76d3378f55ed00db68d0d6436ce762bf2fbc3c
  SHA256: 41713060860a2ee98e0179860cbec578256b1552199b7ad8b1bbfc1e464436f5
  SHA512: 78982b49045b808375cadf600647b7610b41a120f17d45639471541805b011eaa61693cd20ba9841c494b6ee5e22ab05c94e4a63b3e8b77fa22b1a8603dbae43
- memory/312-119-0x0000000000000000-mapping.dmp
- memory/684-124-0x0000000000000000-mapping.dmp
- memory/876-118-0x0000000000000000-mapping.dmp
- memory/1804-115-0x0000000000000000-mapping.dmp
- memory/1908-126-0x0000000000000000-mapping.dmp
- memory/2164-116-0x0000000000000000-mapping.dmp
- memory/2956-122-0x0000000000000000-mapping.dmp
- memory/3232-129-0x0000000000600000-0x000000000065A000-memory.dmp (Filesize 360KB)
- memory/3232-132-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize 4KB)
- memory/3232-131-0x00000000002C0000-0x00000000002C1000-memory.dmp (Filesize 4KB)
- memory/3232-133-0x0000000000600000-0x000000000065A000-memory.dmp (Filesize 360KB)