Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
01-08-2022 06:46
General
-
Target
SecuriteInfo.com.Variant.Zusy.434746.7045.exe
-
Size
797KB
-
MD5
2dcd18054977a85a30fb329b710e981d
-
SHA1
530a090ae3c4b382b141e7609bd0ea1d08cc9f3c
-
SHA256
cba6785969467c94bedde7b14cfe32911fe3f1beb4cfda7abcad657477076562
-
SHA512
c1d631eb4462f20867c66ff28369fab866de023b2680fd83a95aa3e35ab156ddcdcdbe955336a8711d35cb4d5dd31bc0235726656d18c23f234c126e8c60bb40
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 61 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.434746.7045.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.434746.7045.exe"2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Encbbbt.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\EncbbbO.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet session5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 session6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cleanmgr.exe"C:\Windows\System32\cleanmgr.exe"3⤵
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\systray.exe"C:\Windows\SysWOW64\systray.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Libraries\Cdex.batFilesize
155B
MD5213c60adf1c9ef88dc3c9b2d579959d2
SHA1e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA25637c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7
-
C:\Users\Public\Libraries\EncbbbO.batFilesize
1KB
MD5df48c09f243ebcc8a165f77a1c2bf889
SHA1455f7db0adcc2a58d006f1630fb0bd55cd868c07
SHA2564ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca
SHA512735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc
-
C:\Users\Public\Libraries\Encbbbt.batFilesize
55B
MD5f48272a1226b1c61776990037f92db33
SHA1a51c08cd09d18478ba5191d14ad66f2768d256c8
SHA256221ebeebded52cee8eb2615f3b4a4de1c2f3d0120fa57f2cc1e39016bfa47a0a
SHA5125cc6d80b56bf59f55d34b179e868a38c708e7644dcb7a51752fc31bdae4dd8f0b34b8fdc8df45341908525530ef48d90c517ebdd9720565140028e6a7a318a77
-
memory/788-201-0x0000000000000000-mapping.dmp
-
memory/1364-265-0x0000000050480000-0x00000000504AD000-memory.dmpFilesize
180KB
-
memory/1364-229-0x0000000000000000-mapping.dmp
-
memory/1364-244-0x00000000054C0000-0x000000000580A000-memory.dmpFilesize
3.3MB
-
memory/1364-262-0x0000000005400000-0x0000000005411000-memory.dmpFilesize
68KB
-
memory/2008-268-0x00000000002B0000-0x00000000002DD000-memory.dmpFilesize
180KB
-
memory/2008-264-0x0000000000000000-mapping.dmp
-
memory/2008-266-0x0000000000210000-0x0000000000216000-memory.dmpFilesize
24KB
-
memory/2008-267-0x0000000002400000-0x000000000274A000-memory.dmpFilesize
3.3MB
-
memory/2008-269-0x0000000002230000-0x00000000022C0000-memory.dmpFilesize
576KB
-
memory/2008-271-0x00000000002B0000-0x00000000002DD000-memory.dmpFilesize
180KB
-
memory/2208-220-0x00000000075D0000-0x00000000075DE000-memory.dmpFilesize
56KB
-
memory/2208-213-0x0000000006640000-0x0000000006672000-memory.dmpFilesize
200KB
-
memory/2208-222-0x00000000076C0000-0x00000000076C8000-memory.dmpFilesize
32KB
-
memory/2208-219-0x0000000007610000-0x00000000076A6000-memory.dmpFilesize
600KB
-
memory/2208-218-0x0000000007410000-0x000000000741A000-memory.dmpFilesize
40KB
-
memory/2208-217-0x00000000072D0000-0x00000000072EA000-memory.dmpFilesize
104KB
-
memory/2208-216-0x0000000007A50000-0x00000000080CA000-memory.dmpFilesize
6.5MB
-
memory/2208-215-0x0000000006620000-0x000000000663E000-memory.dmpFilesize
120KB
-
memory/2208-214-0x000000006F950000-0x000000006F99C000-memory.dmpFilesize
304KB
-
memory/2208-221-0x00000000076E0000-0x00000000076FA000-memory.dmpFilesize
104KB
-
memory/2208-212-0x00000000060A0000-0x00000000060BE000-memory.dmpFilesize
120KB
-
memory/2208-211-0x0000000005A80000-0x0000000005AE6000-memory.dmpFilesize
408KB
-
memory/2208-210-0x00000000059A0000-0x0000000005A06000-memory.dmpFilesize
408KB
-
memory/2208-209-0x00000000051F0000-0x0000000005212000-memory.dmpFilesize
136KB
-
memory/2208-208-0x00000000052C0000-0x00000000058E8000-memory.dmpFilesize
6.2MB
-
memory/2208-207-0x0000000004BE0000-0x0000000004C16000-memory.dmpFilesize
216KB
-
memory/2208-206-0x0000000000000000-mapping.dmp
-
memory/2308-263-0x0000000009260000-0x0000000009365000-memory.dmpFilesize
1.0MB
-
memory/2308-270-0x0000000008C10000-0x0000000008D08000-memory.dmpFilesize
992KB
-
memory/2308-272-0x0000000008C10000-0x0000000008D08000-memory.dmpFilesize
992KB
-
memory/2648-184-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-228-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-196-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-197-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-198-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-161-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-194-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-193-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-192-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-162-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-163-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-191-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-190-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-189-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-188-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-187-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-186-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-185-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-145-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-183-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-182-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-181-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-180-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-179-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-178-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-177-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-176-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-175-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-174-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-224-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-223-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-225-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-226-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-195-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-227-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-173-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-231-0x0000000050480000-0x00000000504AD000-memory.dmpFilesize
180KB
-
memory/2648-232-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-233-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-234-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-235-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-236-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-237-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-238-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-239-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-240-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-241-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-242-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-243-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-172-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-245-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-246-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-248-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-249-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-171-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-170-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-169-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-168-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-167-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-166-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-165-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2648-164-0x0000000004B70000-0x0000000004C0C000-memory.dmpFilesize
624KB
-
memory/2860-204-0x0000000000000000-mapping.dmp
-
memory/3056-203-0x0000000000000000-mapping.dmp
-
memory/4116-199-0x0000000000000000-mapping.dmp