Analysis
max time kernel: 207s
max time network: 218s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 03:22

Static task: static1
Behavioral task: behavioral1
  Sample: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  Resource: win10v2004-20220812-en
The signatures and process tree on this page are from behavioral2 (win10v2004-20220812-en), matching the platform and resource listed above.
General
Target: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Size: 860KB
MD5: 092b49f0c3b6f861931daa51dee4407f
SHA1: 9babf781166b9e361bf42c0ab68da61851e31dc3
SHA256: 5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f
SHA512: fd72863c788e282c946ce94e8fa09985565e6e023ea9e0fb91d9ff2469a460ae43e95a61722410d00156e9e448603a494c4b0ad9bb503b72b6c18a52d3b35518
SSDEEP: 12288:YLoHy90PuADQPt5tgo5y08XVFstOxfhquCaSX6eg0EkplAWL94IYtndeqgmk2Nm+:HygdMt+08KOhiCqlAWL9dWk+mj2jh
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
Processes:
  resource                                                  yara_rule
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe   modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe   modiloader_stage2
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  4724  svhost.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description        ioc                                                                                              process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  svhost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description      ioc                                                                                   process
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce      5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe
Caveat: the wextract_cleanup0 RunOnce value and the IXP000.TMP directory are artefacts of the IExpress/WEXTRACT self-extracting stub the sample is packaged with. The value calls advpack.dll DelNodeRunDLL32 to delete the extraction directory at the next logon; it does not relaunch the payload, so on its own it is evidence of SFX packaging rather than of persistence.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; note that no process is attributed to it in this report.
-
Program crash (4 IoCs)
Processes:
  pid   pid_target  process       target process
  2792  4724        WerFault.exe  svhost.exe
  232   4724        WerFault.exe  svhost.exe
  4844  4724        WerFault.exe  svhost.exe
  4464  4724        WerFault.exe  svhost.exe
Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                            process
  Key created  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings  svhost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  4724  svhost.exe
  4724  svhost.exe
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  pid   process     privileges enabled (report order)
  4724  svhost.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
The four numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h they are SE_INC_WORKING_SET_PRIVILEGE (33), SE_TIME_ZONE_PRIVILEGE (34), SE_CREATE_SYMBOLIC_LINK_PRIVILEGE (35) and SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE (36). Enabling every privilege in the token in one pass, rather than only the one needed, is a common loader pattern. AdjustTokenPrivileges can only enable privileges the token already holds, and the report does not state whether the token was elevated, so SeDebugPrivilege and the like may not actually have been granted.
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  4724  svhost.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                      pid   process                                                                    target process
  PID 4012 wrote to memory of 4724  4012  5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe  svhost.exe
  PID 4012 wrote to memory of 4724  4012  5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe  svhost.exe
  PID 4012 wrote to memory of 4724  4012  5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe  svhost.exe
  PID 4724 wrote to memory of 1584  4724  svhost.exe                                                                 WScript.exe
  PID 4724 wrote to memory of 1584  4724  svhost.exe                                                                 WScript.exe
  PID 4724 wrote to memory of 1584  4724  svhost.exe                                                                 WScript.exe
Both writers are the parent of their target, and each target is a process they had just created. Writes by a parent into a freshly created child can be part of normal process start-up; the report gives neither the written sizes nor the addresses, so injection cannot be confirmed from these lines alone.
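The registry and token signatures above can be replayed as a small triage routine. The following is an added example, not code from the sandbox report or from any ModiLoader analysis: the event schema (kind, pid, image, key, value, privilege) is an assumed layout rather than a real sensor format, the events are constructed from the IoCs listed above plus one constructed Run-key entry (labelled as such) for contrast, and the privilege-count threshold is an assumption to tune per environment. It resolves the bare LUIDs 33-36 the sandbox printed, and separates the IExpress cleanup RunOnce entry from genuine Run-key persistence.

```python
"""Triage of the registry and token signatures above (added example, not
part of the sandbox report). The event schema (kind/pid/image/key/value/
privilege) is assumed; events are constructed from the IoCs on this page."""
import re
from collections import defaultdict

# Privilege LUIDs the sandbox printed as bare numbers (SE_* constants in winnt.h).
PRIV_LUID_NAMES = {
    33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege",
    35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}
# Privileges worth a second look when enabled by a binary dropped under %TEMP%.
HIGH_VALUE_PRIVS = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
                    "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege"}

GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.I)
# IExpress/WEXTRACT self-extractor cleanup: deletes its IXP*.TMP directory at next logon.
WEXTRACT_CLEANUP_RE = re.compile(r"\\wextract_cleanup\d+$", re.I)
ADVPACK_DELNODE_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32", re.I)

PRIVS_4724 = [  # the 24 "Token:" entries reported for PID 4724, in report order
    "SeIncreaseQuotaPrivilege", "SeSecurityPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",
    "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege", "SeRemoteShutdownPrivilege",
    "SeUndockPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege", "33", "34", "35", "36",
]

SAMPLE_EVENTS = [  # constructed from the IoCs in the signatures above
    {"kind": "reg_query", "pid": 4724, "image": "svhost.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"kind": "reg_set", "pid": 4012,
     "image": "5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     "value": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'},
    # Constructed for contrast, NOT from the report: a genuine Run-key persistence entry.
    {"kind": "reg_set", "pid": 9999, "image": "contrast.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Admin\AppData\Roaming\Updater\svhost.exe"},
] + [{"kind": "adjust_privilege", "pid": 4724, "image": "svhost.exe", "privilege": p}
     for p in PRIVS_4724]


def normalize_privilege(p):
    """Map 'SeDebugPrivilege' or a bare LUID string such as '33' to a privilege name."""
    return PRIV_LUID_NAMES.get(int(p), f"LUID:{p}") if p.isdigit() else p


def triage(events):
    """Return (pid, finding, detail) tuples for the signatures above."""
    findings, privs = [], defaultdict(set)
    for ev in events:
        kind = ev["kind"]
        if kind == "reg_query" and GEO_NATION_RE.search(ev["key"]):
            findings.append((ev["pid"], "geofence_check", ev["key"]))
        elif kind == "reg_set" and RUN_KEY_RE.search(ev["key"]):
            if WEXTRACT_CLEANUP_RE.search(ev["key"]) and ADVPACK_DELNODE_RE.search(ev["value"]):
                # SFX packaging artefact: deletes the extraction dir, does not relaunch the payload.
                findings.append((ev["pid"], "sfx_cleanup_runonce", ev["value"]))
            else:
                findings.append((ev["pid"], "run_key_persistence", ev["value"]))
        elif kind == "adjust_privilege":
            privs[ev["pid"]].add(normalize_privilege(ev["privilege"]))
    for pid, names in privs.items():
        hits = sorted(names & HIGH_VALUE_PRIVS)
        if len(names) >= 10 and hits:  # threshold is an assumption; tune per environment
            findings.append((pid, "privilege_sweep",
                             f"{len(names)} privileges enabled, incl. {', '.join(hits)}"))
    return findings


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for pid, finding, detail in run_sample():
        print(f"PID {pid:<5} {finding:<22} {detail}")
```

Run against the constructed events, the routine reports the Geo\Nation query and the privilege sweep for PID 4724, classifies the sample's RunOnce write as SFX cleanup rather than persistence, and flags only the contrast entry as a real Run key.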
Processes
C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe (PID 4012)
  command line: "C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe (PID 4724, child of 4012)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe (PID 1584, child of 4724)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3.vbs"
    C:\Windows\SysWOW64\WerFault.exe (child of 4724)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1484
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe (child of 4724)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1476
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe (child of 4724)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1220
      - Program crash
    C:\Windows\SysWOW64\WerFault.exe (child of 4724)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1248
      - Program crash
C:\Windows\SysWOW64\WerFault.exe (top level, parent not in the sample's tree)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe (top level, parent not in the sample's tree)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe (top level, parent not in the sample's tree)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe (top level, parent not in the sample's tree)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4724 -ip 4724

Notes on the tree. The sample's PID (4012), svhost.exe (4724) and WScript.exe (1584) are taken from the WriteProcessMemory signature; the report does not say which of the WerFault PIDs 2792, 232, 4844 and 4464 belongs to which command line. The image path C:\Windows\SysWOW64\WScript.exe against a command line naming System32 is WOW64 file-system redirection: svhost.exe is a 32-bit process (its RunOnce write also landed under WOW6432Node), so the System32 path it requested resolved to SysWOW64. The "-u -p 4724 -s N" WerFault instances are launched by the crashing process itself and carry the "Program crash" signature; the "-pss -s N -p 4724 -ip 4724" instances are launched by the Windows Error Reporting service for the same four crashes, which is why they sit at top level. Four crashes of the second stage during the run suggest the payload did not execute cleanly in this environment, so the behaviour recorded here may be incomplete.
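The parent/child relationships in the tree above are what a detection engineer would key on: a binary with a system-like name (svhost.exe, one letter off svchost.exe) running from a Temp directory, a script host launched by that Temp binary to run a .vbs from Temp, and repeated WerFault launches against the same PID. The following is an added example, not code from the sandbox report or from any ModiLoader analysis: the record layout (pid, ppid, image, cmdline) is an assumed schema, the records are constructed from the tree above, and because the page does not pair the WerFault PIDs with their "-s" values the pairing in the sample data is arbitrary. It rebuilds the tree from flat process-creation records and applies those three checks, generalising the look-alike check to a small list of common system binary names.

```python
"""Rebuild the process tree above from process-creation records and flag the
relationships it shows (added example, not part of the sandbox report). The
record layout (pid, ppid, image, cmdline) is assumed; the records are built
from the tree above. Which WerFault "-s" value belongs to which crash PID is
not stated on the page, so the pairing below is arbitrary."""
import re
from collections import defaultdict, namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Names a Temp-dropped binary commonly imitates; a match outside C:\Windows\ is suspect.
SYSTEM_NAMES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "rundll32.exe", "wscript.exe", "werfault.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
WER_TARGET_RE = re.compile(r"\s-p\s+(\d+)\b")  # WerFault's target PID argument

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5ac684a305357e32fa73e0bfdbe4d5b1de32f5124349d6f3299ce34da34c844f.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe"
WER = r"C:\Windows\SysWOW64\WerFault.exe"
SAMPLE_PROCS = [  # constructed from the process tree above; WerFault PID/-s pairing is arbitrary
    Proc(4012, None, SAMPLE, f'"{SAMPLE}"'),
    Proc(4724, 4012, DROPPED, DROPPED),
    Proc(1584, 4724, r"C:\Windows\SysWOW64\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tmp3.vbs"'),
] + [Proc(pid, 4724, WER, f"{WER} -u -p 4724 -s {s}")
     for pid, s in ((2792, 1484), (232, 1476), (4844, 1220), (4464, 1248))]


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as svhost vs svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def render_tree(procs):
    """Indented parent/child view; processes whose parent is absent become roots."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        if p.ppid in by_pid:
            children[p.ppid].append(p)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"[{p.pid}] {p.image}")
        for c in children[p.pid]:
            walk(c, depth + 1)

    for root in (p for p in procs if p.ppid not in by_pid):
        walk(root, 0)
    return "\n".join(lines)


def detect(procs):
    """Return (pid, finding, detail) tuples for the three checks described above."""
    by_pid = {p.pid: p for p in procs}
    findings, crashes = [], defaultdict(list)
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        in_windows = p.image.lower().startswith("c:\\windows\\")
        if name in SYSTEM_NAMES:
            if not in_windows:
                findings.append((p.pid, "system_name_outside_windows", p.image))
        else:
            for sysname in sorted(SYSTEM_NAMES):
                if edit_distance(name, sysname) == 1:
                    findings.append((p.pid, "lookalike_system_name", f"{name} ~ {sysname}"))
        if name in SCRIPT_HOSTS:
            parent = by_pid.get(p.ppid)
            # Script host whose parent lives in Temp and whose script argument is in Temp.
            if parent and TEMP_RE.search(parent.image) and TEMP_RE.search(p.cmdline):
                findings.append((p.pid, "temp_binary_runs_temp_script", p.cmdline))
        if name == "werfault.exe":
            m = WER_TARGET_RE.search(p.cmdline)
            if m:
                crashes[int(m.group(1))].append(p.pid)
    for target, reporters in crashes.items():
        if len(reporters) >= 2:  # one crash is noise; repeated crashes of one PID are not
            findings.append((target, "repeated_crashes",
                             f"{len(reporters)} WerFault launches for PID {target}"))
    return findings


if __name__ == "__main__":
    print(render_tree(SAMPLE_PROCS))
    for pid, finding, detail in detect(SAMPLE_PROCS):
        print(f"PID {pid:<5} {finding:<28} {detail}")
```

On the constructed records the tree renders with the sample at the root, svhost.exe one level down and WScript.exe plus the four in-process WerFault launches beneath it; the detections fire for the svhost/svchost look-alike, the Temp-to-Temp script launch and the four crashes of PID 4724, and nothing else.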
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\svhost.exe
  Filesize: 715KB
  MD5: 7e047d6b75ff28c0bfb5971ea11df4c8
  SHA1: 9bc13061ac2129117753781c7b31c67facae5d85
  SHA256: 11d52898b03a6a7d89b849121cc4ae4cfc5ac8f68f70b6bcff7a70f2c58ce8e3
  SHA512: 13d6777fa90c516a8d8f8e5c76e5e46192a82dc27470369fba2f2c538bc45609a1d089195578355061229761fddfb99add54817bdafd4850e22f3f41753ed224
C:\Users\Admin\AppData\Local\Temp\tmp3.vbs
  Filesize: 351B
  MD5: cbb9d404e8923607d52f5b72f0e6b08a
  SHA1: e8823b0e7ec1665c6c80733c699f48c51a2b2c93
  SHA256: ac68650090db47c13402db9b9233a25ac7cfc035e8400a8c4d4e6701a483f347
  SHA512: f0ecc48bda1982dfc4dd2fc39ad7f5c0c1579f4babe76f30cf63e803601571a6fb4515f94d06bf935bb7a2c1fd17b9bf149d0a8925ec7caf20f5d8104a5117c7
Memory dumps
memory/1584-135-0x0000000000000000-mapping.dmp
memory/4724-132-0x0000000000000000-mapping.dmp
memory/4724-137-0x0000000000400000-0x0000000000569C24-memory.dmp  Filesize: 1.4MB
memory/4724-138-0x0000000000400000-0x0000000000569C24-memory.dmp  Filesize: 1.4MB
Both memory dumps of PID 4724 cover 0x400000-0x569C24, the region at the conventional 32-bit PE image base. At 1.4MB the in-memory image is roughly twice the size of the 715KB svhost.exe on disk; an image that grows this much at runtime usually means sections were expanded or content was unpacked in place, so these dumps, not the file, are the place to look for the second stage.