Analysis
- max time kernel: 109s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2022 15:54
Static task: static1
Behavioral task: behavioral1
- Sample: 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
- Resource: win10v2004-20220721-en
General
- Target: 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
- Size: 308KB
- MD5: 70dde31cdfe3210e787904ac2c1f2b1c
- SHA1: eb05031c78188563cbf86e0081c30ddb7737bcf4
- SHA256: 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e
- SHA512: 7353d75f3762e7fc0da20ed1317e27106e609ef715d478fabeeae147d6e0cdf066958689981bdcce6bc2802a68661feddebdb41187c3888053abd2a059d648c4
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes: mshta.exe
  description | pid | pid_target | process | target process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 796 | 1736 | mshta.exe |
- ModiLoader Second Stage (9 IoCs)
  resource | yara_rule
  behavioral1/memory/952-57-0x0000000000400000-0x000000000043A000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-58-0x0000000000400000-0x000000000043A000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-59-0x0000000000400000-0x000000000043A000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-62-0x0000000000402E54-mapping.dmp | modiloader_stage2
  behavioral1/memory/952-61-0x0000000000400000-0x000000000043A000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-64-0x0000000000400000-0x000000000043A000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-66-0x0000000000400000-0x000000000043A000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-67-0x0000000001C70000-0x0000000001D46000-memory.dmp | modiloader_stage2
  behavioral1/memory/952-71-0x0000000001C70000-0x0000000001D46000-memory.dmp | modiloader_stage2
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  description | pid | process | target process
  PID 888 set thread context of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe
  pid | process
  1224 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 1224 | powershell.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe, mshta.exe, powershell.exe
  description | pid | process | target process
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 888 wrote to memory of 952 | 888 | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe | 5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  PID 796 wrote to memory of 1224 | 796 | mshta.exe | powershell.exe
  PID 796 wrote to memory of 1224 | 796 | mshta.exe | powershell.exe
  PID 796 wrote to memory of 1224 | 796 | mshta.exe | powershell.exe
  PID 796 wrote to memory of 1224 | 796 | mshta.exe | powershell.exe
  PID 1224 wrote to memory of 1964 | 1224 | powershell.exe | dw20.exe
  PID 1224 wrote to memory of 1964 | 1224 | powershell.exe | dw20.exe
  PID 1224 wrote to memory of 1964 | 1224 | powershell.exe | dw20.exe
  PID 1224 wrote to memory of 1964 | 1224 | powershell.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5c0524cad9409eef5a89f9f82b9dd281249c88fe8d8b502ff8fabd5f37dd242e.exe
- C:\Windows\system32\mshta.exe
  Command line: "C:\Windows\system32\mshta.exe" javascript:jDM6U2BK="8b0zC29";b87Q=new%20ActiveXObject("WScript.Shell");cX2n6IZYu="yJJChx";q84daO=b87Q.RegRead("HKLM\\software\\Wow6432Node\\Ut6h1jKBk\\XOckfL9Z");bT4oMjQ9Q="D4J675";eval(q84daO);mu2jwknr="Lyf";
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:zmsh
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 464
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/952-65-0x0000000075DC1000-0x0000000075DC3000-memory.dmp (Filesize: 8KB)
- memory/952-61-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-57-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-58-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-54-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-62-0x0000000000402E54-mapping.dmp
- memory/952-55-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-64-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-59-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-66-0x0000000000400000-0x000000000043A000-memory.dmp (Filesize: 232KB)
- memory/952-67-0x0000000001C70000-0x0000000001D46000-memory.dmp (Filesize: 856KB)
- memory/952-71-0x0000000001C70000-0x0000000001D46000-memory.dmp (Filesize: 856KB)
- memory/1224-70-0x0000000073BE0000-0x000000007418B000-memory.dmp (Filesize: 5.7MB)
- memory/1224-68-0x0000000000000000-mapping.dmp
- memory/1224-72-0x0000000073BE0000-0x000000007418B000-memory.dmp (Filesize: 5.7MB)
- memory/1964-73-0x0000000000000000-mapping.dmp