Analysis
-
max time kernel
146s -
max time network
45s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23-11-2022 15:34
General
-
Target
199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7.exe
-
Size
482KB
-
MD5
9af8edf2029f46a846751f456ed19c4c
-
SHA1
44ac0e9da1eedc31a0fcb7feb25c66f7a1305a47
-
SHA256
199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7
-
SHA512
592cb88c02fe4fd27daa52bfa3c8f460f764e34e35fd693328dbad08a01f63a37e4d19fb6dc4c50b5ac3b4ca5a18866a6c4f640c5e958ffe0fc7f830f0c81e23
-
SSDEEP
12288:v6Wq4aaE6KwyF5L0Y2D1PqL4qWxZPYObm4S2BpRzn9lxZr:tthEVaPqL4qWxlNVZfzn9h
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 8 IoCs
-
Executes dropped EXE 2 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7.exe"C:\Users\Admin\AppData\Local\Temp\199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7.exeC:\Users\Admin\AppData\Local\Temp\199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7.exe2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ntdlr.exe"C:\Users\Admin\AppData\Roaming\ntdlr.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\ntdlr.exeC:\Users\Admin\AppData\Roaming\ntdlr.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
36KB
MD54d432796933fd2d895c167b7fb1510d3
SHA1561d62048035603195ab57ad9dffcf111e5491b9
SHA256c6ffb0880ed82d07dac964e536d40e2d4a6c1064537ea5a764d06d62cb3e5bed
SHA512be6ad602fafb714ad2ec77158b300753bfde387c036dda47cde40055a8067c36ae94d4711f23ca0677b84cf80bf46ef2b452bd140ac50f7c7ee5209afdd8fca3
-
Filesize
482KB
MD59af8edf2029f46a846751f456ed19c4c
SHA144ac0e9da1eedc31a0fcb7feb25c66f7a1305a47
SHA256199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7
SHA512592cb88c02fe4fd27daa52bfa3c8f460f764e34e35fd693328dbad08a01f63a37e4d19fb6dc4c50b5ac3b4ca5a18866a6c4f640c5e958ffe0fc7f830f0c81e23
-
Filesize
482KB
MD59af8edf2029f46a846751f456ed19c4c
SHA144ac0e9da1eedc31a0fcb7feb25c66f7a1305a47
SHA256199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7
SHA512592cb88c02fe4fd27daa52bfa3c8f460f764e34e35fd693328dbad08a01f63a37e4d19fb6dc4c50b5ac3b4ca5a18866a6c4f640c5e958ffe0fc7f830f0c81e23
-
Filesize
482KB
MD59af8edf2029f46a846751f456ed19c4c
SHA144ac0e9da1eedc31a0fcb7feb25c66f7a1305a47
SHA256199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7
SHA512592cb88c02fe4fd27daa52bfa3c8f460f764e34e35fd693328dbad08a01f63a37e4d19fb6dc4c50b5ac3b4ca5a18866a6c4f640c5e958ffe0fc7f830f0c81e23
-
Filesize
482KB
MD59af8edf2029f46a846751f456ed19c4c
SHA144ac0e9da1eedc31a0fcb7feb25c66f7a1305a47
SHA256199ce03479e486efa6a1e506aad5985cd11476f85add613795566abd397b97f7
SHA512592cb88c02fe4fd27daa52bfa3c8f460f764e34e35fd693328dbad08a01f63a37e4d19fb6dc4c50b5ac3b4ca5a18866a6c4f640c5e958ffe0fc7f830f0c81e23
-
Filesize
760KB
-
Filesize
8KB
-
Filesize
760KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
-
Filesize
68KB
-
Filesize
68KB
-
-
Filesize
760KB
-
-
Filesize
68KB
-
Filesize
68KB