Overview

overview

10

Static

static

CNY-Paymen...07.exe

windows7-x64

1

CNY-Paymen...07.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220721-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2022 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CNY-Payment Receipt-XXXXX2822_HRUGL1_R1110163-020820221620071907.exe

  • Size

    996KB

  • MD5

    e889cd39da3e9f962667476c76d6bae1

  • SHA1

    4c5cb7af82e2898b881476b011bab031404ee48b

  • SHA256

    92d256d51b6838c1a79f0b092c962c54587f6e8e0879676d9f8e225557c1ef9b

  • SHA512

    f1862abad077d0fc19100ac664f7f90852303f5c76a570eb72e1c92daf8b6b0c6dbbcb7ac5a497bbe377cbee0be2f466a5e473de367ecedf423572c65942a05f

Score
10/10
modiloaderpersistencetrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 61 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\CNY-Payment Receipt-XXXXX2822_HRUGL1_R1110163-020820221620071907.exe
      "C:\Users\Admin\AppData\Local\Temp\CNY-Payment Receipt-XXXXX2822_HRUGL1_R1110163-020820221620071907.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4948
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:4144
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4752
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1592

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2480-255-0x0000000007BA0000-0x0000000007D1F000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2480-257-0x0000000007BA0000-0x0000000007D1F000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2480-238-0x00000000028A0000-0x0000000002A42000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4064-205-0x0000000000000000-mapping.dmp
        Download
      • memory/4064-234-0x00000000019B0000-0x0000000001CFA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4064-236-0x0000000001920000-0x0000000001931000-memory.dmp
        Filesize

        68KB

        Download
      • memory/4064-250-0x0000000050410000-0x000000005043D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4752-256-0x0000000001100000-0x000000000112D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4752-254-0x0000000001A90000-0x0000000001B20000-memory.dmp
        Filesize

        576KB

        Download
      • memory/4752-253-0x0000000001100000-0x000000000112D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4752-252-0x0000000001C60000-0x0000000001FAA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4752-251-0x00000000011F0000-0x000000000120E000-memory.dmp
        Filesize

        120KB

        Download
      • memory/4752-249-0x0000000000000000-mapping.dmp
        Download
      • memory/4948-191-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-200-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-170-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-171-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-172-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-173-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-174-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-175-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-176-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-177-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-178-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-179-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-180-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-181-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-182-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-183-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-184-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-185-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-186-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-187-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-188-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-189-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-190-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-168-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-192-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-193-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-194-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-195-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-197-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-196-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-198-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-169-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-199-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-201-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-202-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-203-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-204-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-207-0x0000000050410000-0x000000005043D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4948-208-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-209-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-210-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-211-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-212-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-213-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-214-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-215-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-216-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-217-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-218-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-219-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-167-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-166-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-165-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-164-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-163-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-162-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-161-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-145-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-220-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-221-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-222-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download
      • memory/4948-223-0x00000000039D0000-0x0000000003A6D000-memory.dmp
        Filesize

        628KB

        Download