Analysis
max time kernel: 153s
max time network: 68s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2022 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  Resource: win10v2004-20220812-en
General
Target: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Size: 860KB
MD5: 092b49f0c3b6f861931daa51dee4407f
SHA1: 9babf781166b9e361bf42c0ab68da61851e31dc3
SHA256: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f
SHA512: fd72863c788e282c946ce94e8fa09985565e6e023ea9e0fb91d9ff2469a460ae43e95a61722410d00156e9e448603a494c4b0ad9bb503b72b6c18a52d3b35518
SSDEEP: 12288:YLoHy90PuADQPt5tgo5y08XVFstOxfhquCaSX6eg0EkplAWL94IYtndeqgmk2Nm+:HygdMt+08KOhiCqlAWL9dWk+mj2jh
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 5 IoCs
Processes:
  resource                                                   yara_rule
  \Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe      modiloader_stage2
  \Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe      modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe    modiloader_stage2
  \Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe      modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe    modiloader_stage2
Executes dropped EXE 1 IoCs
Processes:
  pid    process
  1960   svhost.exe
Loads dropped DLL 3 IoCs
Processes:
  pid    process
  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  1960   svhost.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  description        ioc                                                                                                                                                                                      process
  Key created        \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                          5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  Set value (str)    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""    5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
  pid    process
  1960   svhost.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
  description                                pid    process
  Token: SeIncreaseQuotaPrivilege            1960   svhost.exe
  Token: SeSecurityPrivilege                 1960   svhost.exe
  Token: SeTakeOwnershipPrivilege            1960   svhost.exe
  Token: SeLoadDriverPrivilege               1960   svhost.exe
  Token: SeSystemProfilePrivilege            1960   svhost.exe
  Token: SeSystemtimePrivilege               1960   svhost.exe
  Token: SeProfSingleProcessPrivilege        1960   svhost.exe
  Token: SeIncBasePriorityPrivilege          1960   svhost.exe
  Token: SeCreatePagefilePrivilege           1960   svhost.exe
  Token: SeBackupPrivilege                   1960   svhost.exe
  Token: SeRestorePrivilege                  1960   svhost.exe
  Token: SeShutdownPrivilege                 1960   svhost.exe
  Token: SeDebugPrivilege                    1960   svhost.exe
  Token: SeSystemEnvironmentPrivilege        1960   svhost.exe
  Token: SeChangeNotifyPrivilege             1960   svhost.exe
  Token: SeRemoteShutdownPrivilege           1960   svhost.exe
  Token: SeUndockPrivilege                   1960   svhost.exe
  Token: SeManageVolumePrivilege             1960   svhost.exe
  Token: SeImpersonatePrivilege              1960   svhost.exe
  Token: SeCreateGlobalPrivilege             1960   svhost.exe
  Token: 33                                  1960   svhost.exe
  Token: 34                                  1960   svhost.exe
  Token: 35                                  1960   svhost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid    process
  1960   svhost.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid    process
  1960   svhost.exe
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description                       pid    process                                                                  target process
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1968 wrote to memory of 1960  1968   5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe    svhost.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
  PID 1960 wrote to memory of 1108  1960   svhost.exe                                                               WScript.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe (depth 2)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (depth 3)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3.vbs"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
  Filesize: 715KB
  MD5: 7e047d6b75ff28c0bfb5971ea11df4c8
  SHA1: 9bc13061ac2129117753781c7b31c67facae5d85
  SHA256: 11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3
  SHA512: 13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224
C:\Users\Admin\AppData\Local\Temp\tmp3.vbs
  Filesize: 351B
  MD5: cbb9d404e8923607d52f5b72f0e6b08a
  SHA1: e8823b0e7ec1665c6c80733c699f48c51a2b2c93
  SHA256: ac68650090db47c13402db9b9233a25ac7cfc035e8400a8c4d4e6701a483f347
  SHA512: f0ecc48bda1982dfc4dd2fc39ad7f5c0c1579f4babe76f30cf63e803601571a6fb4515f94d06bf935bb7a2c1fd17b9bf149d0a8925ec7caf20f5d8104a5117c7
\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
  Filesize: 715KB
  MD5: 7e047d6b75ff28c0bfb5971ea11df4c8
  SHA1: 9bc13061ac2129117753781c7b31c67facae5d85
  SHA256: 11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3
  SHA512: 13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224
memory/1108-62-0x0000000000000000-mapping.dmp
memory/1960-57-0x0000000000000000-mapping.dmp
memory/1960-65-0x0000000000400000-0x0000000000569C24-memory.dmp
  Filesize: 1.4MB
memory/1960-66-0x0000000000400000-0x0000000000569C24-memory.dmp
  Filesize: 1.4MB
memory/1968-54-0x00000000756B1000-0x00000000756B3000-memory.dmp
  Filesize: 8KB