Analysis
-
max time kernel
154s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
24-11-2022 00:57
General
-
Target
TSDPL for GSTR3b.exe
-
Size
813KB
-
MD5
96687cb64b98418c573ee65753a72e33
-
SHA1
d20ada54342596cd29bf7f66bc86d4503c4cfea4
-
SHA256
c410af32a481222f15dd9babe626182317e7d76d603d2eb001cccd213a258873
-
SHA512
b9f4e51985e839ece1f1bfb74ce1c0ffa232f848cdbef5a1c65ed3e703096074b779b509c1369060a96e924d4eae7e80049639e886923271b4d576ca725746b9
-
SSDEEP
12288:vOrAkZrlpZxc3NKqgw9ONuRJooNN5dHVqTdTB2O4rwSMpxwhxjgV:vs3hp4c6/n5q5oOqLM2x0V
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1Dbjqv3kYu9z-oWAyCtOblfNRuOjXFyFa
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\TSDPL for GSTR3b.exe"C:\Users\Admin\AppData\Local\Temp\TSDPL for GSTR3b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps13⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Libraries\png.batFilesize
100B
MD5c385a71887d828b1df961942e68ecfe8
SHA13f539a56267af3db91be9ac9ea2fd5d803a53279
SHA256bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3
SHA51283d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848
-
C:\Users\Public\Libraries\png.ps1Filesize
213B
MD5534e8fec8b4f4a679ebf8d2cd052cb94
SHA1a75d3f06cee2bb7e78f0fcb4aa97cbc90a7a16b6
SHA256a87f610f71c4c972fad2cc8a7501f2cb6c762075a97e2194f3596d2c15d6414c
SHA51291ef8408df7a9050a09415eac37cbd1bc2853fadd9c0b38a6207b35240037826e11200a42292a69c74154f64338cc3dddf63a45b0bba1d9dc7378d6f93a35200
-
memory/1696-139-0x0000000004BE0000-0x0000000004C02000-memory.dmpFilesize
136KB
-
memory/1696-136-0x0000000000000000-mapping.dmp
-
memory/1696-137-0x0000000000E40000-0x0000000000E76000-memory.dmpFilesize
216KB
-
memory/1696-138-0x0000000004D50000-0x0000000005378000-memory.dmpFilesize
6.2MB
-
memory/1696-140-0x00000000053F0000-0x0000000005456000-memory.dmpFilesize
408KB
-
memory/1696-141-0x0000000005460000-0x00000000054C6000-memory.dmpFilesize
408KB
-
memory/1696-142-0x0000000005850000-0x000000000586E000-memory.dmpFilesize
120KB
-
memory/1696-144-0x0000000007180000-0x00000000077FA000-memory.dmpFilesize
6.5MB
-
memory/1696-145-0x00000000060F0000-0x000000000610A000-memory.dmpFilesize
104KB
-
memory/3488-134-0x0000000000000000-mapping.dmp
-
memory/5116-132-0x00000000023C0000-0x00000000023EC000-memory.dmpFilesize
176KB