Analysis
-
max time kernel
175s -
max time network
208s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
01-08-2022 03:21
Static task
static1
Behavioral task
behavioral1
Sample
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe
Resource
win10v2004-20220721-en
General
-
Target
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe
-
Size
319KB
-
MD5
021626dac75e75b8e9606154d9b2f7b2
-
SHA1
4247e44945d5738c2e814ccbb11b1173f7d0135f
-
SHA256
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd
-
SHA512
a7c13227bf1d436f0ddbb075a20bfb8e7345f3011bcfe577fba043f34433d38876bbea0da0c151706f3f3d074b08ca5846950f5de5d790f6f2a32872e60429b6
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
mshta.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1116 4008 mshta.exe -
ModiLoader Second Stage 6 IoCs
Processes:
resource yara_rule behavioral2/memory/1156-132-0x0000000000000000-mapping.dmp modiloader_stage2 behavioral2/memory/1156-133-0x0000000000400000-0x0000000000436000-memory.dmp modiloader_stage2 behavioral2/memory/1156-135-0x0000000000400000-0x0000000000436000-memory.dmp modiloader_stage2 behavioral2/memory/1156-136-0x0000000000400000-0x0000000000436000-memory.dmp modiloader_stage2 behavioral2/memory/1156-137-0x0000000000990000-0x0000000000A52000-memory.dmp modiloader_stage2 behavioral2/memory/1156-139-0x0000000000990000-0x0000000000A52000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
mshta.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation mshta.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exedescription pid process target process PID 5024 set thread context of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 228 powershell.exe 228 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 228 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exepid process 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exemshta.exedescription pid process target process PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 5024 wrote to memory of 1156 5024 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe 5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe PID 1116 wrote to memory of 228 1116 mshta.exe powershell.exe PID 1116 wrote to memory of 228 1116 mshta.exe powershell.exe PID 1116 wrote to memory of 228 1116 mshta.exe powershell.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe"C:\Users\Admin\AppData\Local\Temp\5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe"C:\Users\Admin\AppData\Local\Temp\5d12a6d494f23294c4ea14493d1564a5d1fec5e561251a1283584de0101d51dd.exe"2⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:u8nobAWZV="E4mQy";ik67=new%20ActiveXObject("WScript.Shell");h0GSVOMP="RuT";Iu88xO=ik67.RegRead("HKLM\\software\\Wow6432Node\\IWDIKc107\\wnBmqCi9");QSLvC7JXM="CkT";eval(Iu88xO);Zyg3D3rzvf="Tkb7";1⤵
- Process spawned unexpected child process
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:qxtkqgn2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/228-143-0x0000000005C00000-0x0000000005C22000-memory.dmpFilesize
136KB
-
memory/228-144-0x0000000006310000-0x0000000006376000-memory.dmpFilesize
408KB
-
memory/228-148-0x0000000006EC0000-0x0000000006EDA000-memory.dmpFilesize
104KB
-
memory/228-147-0x0000000008220000-0x000000000889A000-memory.dmpFilesize
6.5MB
-
memory/228-146-0x0000000006960000-0x000000000697E000-memory.dmpFilesize
120KB
-
memory/228-145-0x0000000006380000-0x00000000063E6000-memory.dmpFilesize
408KB
-
memory/228-141-0x0000000005600000-0x0000000005636000-memory.dmpFilesize
216KB
-
memory/228-142-0x0000000005C70000-0x0000000006298000-memory.dmpFilesize
6.2MB
-
memory/228-140-0x0000000000000000-mapping.dmp
-
memory/1156-132-0x0000000000000000-mapping.dmp
-
memory/1156-133-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/1156-139-0x0000000000990000-0x0000000000A52000-memory.dmpFilesize
776KB
-
memory/1156-137-0x0000000000990000-0x0000000000A52000-memory.dmpFilesize
776KB
-
memory/1156-136-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB
-
memory/1156-135-0x0000000000400000-0x0000000000436000-memory.dmpFilesize
216KB