Analysis
max time kernel: 84s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-08-2022 08:07
Static task: static1
Behavioral task: behavioral1
  Sample: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
  Resource: win10v2004-20220721-en
General
Target: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
Size: 715KB
MD5: 80ba0c92bd8bebfc4ead324e550e2797
SHA1: efd0a3f4bfbc2616356c8937bdefb2a8d916950a
SHA256: 88502779764c4ceacff4b4a39a389bf13389b734f99e76160c865a2da6d21bee
SHA512: f426051a14767f3c446e6792ac76cd32e28955a2b48c03a7f050c04e8f91eb16695d7b0755ea5a45c9acb137269102277df990bd43432eaf07d8a33db8d6ef0b
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
      description: Key value queried
      ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
      process: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
      description: Set value (str)
      ioc: \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ehpaaqhhk = "C:\\Users\\Public\\Libraries\\khhqaaphE.url"
      process: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  Processes:
    WerFault.exe
      pid: 452
      pid_target: 2052
      process: WerFault.exe
      target process: cmd.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
      pid: 4336, process: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
      pid: 4336, process: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
      description: PID 4336 wrote to memory of 2052
      pid: 4336
      process: ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
      target process: cmd.exe
      (the same entry is recorded 11 times in the report)
Processes
1. C:\Users\Admin\AppData\Local\Temp\ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ASLF1SR00116 40HC 21T05 DALIAN TO GENOVA..exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 336
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2052 -ip 2052