Analysis
- max time kernel: 149s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 24-11-2022 04:11
Static task: static1
Behavioral task: behavioral1
- Sample: c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
- Resource: win10v2004-20221111-en
General
- Target: c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
- Size: 83KB
- MD5: 5b23b21551bdcb29c5d1614c4c20e854
- SHA1: fdc762c0dc24f959bba97a1d111052dc16155c0e
- SHA256: c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952
- SHA512: f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992
- SSDEEP: 1536:h4UHxpN/MUXsLTvCj0DBXJaO3mddWa144+Wa4OvQ5mTGgoGsXxRFzOn5e:h4URpNUUX6z/DBXJf34dWiqvQ5mTFoGQ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 4 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2008-65-0x0000000000400000-0x0000000000414000-memory.dmp / modiloader_stage2
- behavioral1/memory/2008-69-0x0000000000400000-0x0000000000414000-memory.dmp / modiloader_stage2
- behavioral1/memory/1644-85-0x0000000000400000-0x0000000000414000-memory.dmp / modiloader_stage2
- behavioral1/memory/1644-86-0x0000000000400000-0x0000000000414000-memory.dmp / modiloader_stage2
Executes dropped EXE 2 IoCs
Processes (pid / process):
- 624 / cissv.exe
- 1644 / cissv.exe
Processes (resource / yara_rule):
- behavioral1/memory/2008-59-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/2008-57-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/2008-60-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/2008-64-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/2008-65-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/2008-69-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/1644-84-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/1644-85-0x0000000000400000-0x0000000000414000-memory.dmp / upx
- behavioral1/memory/1644-86-0x0000000000400000-0x0000000000414000-memory.dmp / upx
Loads dropped DLL 4 IoCs
Processes (pid / process):
- 1648 / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
- 2008 / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
- 624 / cissv.exe
- 624 / cissv.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cissv = "C:\\Users\\Admin\\AppData\\Roaming\\cissv.exe" / cissv.exe
Suspicious use of SetThreadContext 2 IoCs
Processes (description / pid / process / target process):
- PID 1648 set thread context of 2008 / 1648 / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
- PID 624 set thread context of 1644 / 624 / cissv.exe / cissv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 10 IoCs
Processes (resource / yara_rule):
- \Users\Admin\AppData\Roaming\cissv.exe / nsis_installer_1 (matched twice)
- \Users\Admin\AppData\Roaming\cissv.exe / nsis_installer_2 (matched twice)
- C:\Users\Admin\AppData\Roaming\cissv.exe / nsis_installer_1 (matched three times)
- C:\Users\Admin\AppData\Roaming\cissv.exe / nsis_installer_2 (matched three times)
Suspicious use of WriteProcessMemory 29 IoCs
Processes (description / pid / process / target process):
- PID 1648 wrote to memory of 2008 / 1648 / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe (11 events)
- PID 2008 wrote to memory of 624 / 2008 / c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe / cissv.exe (7 events)
- PID 624 wrote to memory of 1644 / 624 / cissv.exe / cissv.exe (11 events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\cissv.exe
      Command line: "C:\Users\Admin\AppData\Roaming\cissv.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\cissv.exe
        Command line: "C:\Users\Admin\AppData\Roaming\cissv.exe"
        - Executes dropped EXE
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\origination\archon.lj
  Filesize: 18KB
  MD5: 8f6801e7740d10e011d7dd557f3611c4
  SHA1: 1717f6ba597b6507faf1c2c291a5f774afb0d3c9
  SHA256: 3b525b5569d22039202171d1846370fed6a957f30bdf64722106b5f6975aad89
  SHA512: e64b1b39aa01fd434620ea4c9b877944cc9de9732ab2c0201ade806ba2401673a325bbd5335fb778d1855262daf8f3ca0b5852a8688bc34694cab006b2fd7a41
- C:\Users\Admin\AppData\Roaming\cissv.exe (reported three times with identical hashes)
  Filesize: 83KB
  MD5: 5b23b21551bdcb29c5d1614c4c20e854
  SHA1: fdc762c0dc24f959bba97a1d111052dc16155c0e
  SHA256: c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952
  SHA512: f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992
- \Users\Admin\AppData\Local\Temp\nsd1602.tmp\archon.dll
  Filesize: 34KB
  MD5: 10692017651aaf01881c7a31a9ef5515
  SHA1: b7f78dc3a3a81e646ad92fa7a2ef5fe675d9d9e1
  SHA256: 0fd14e6c5962242d15fba61bd0e1e8d7ce754ea6dd8c56c51719c10830f3902f
  SHA512: c4bf7a408b1436b435519b7601e3f063b5f8599c86e536bcca9be4fdb4ef1ba588cedd151121ad3e2a8ef9f8b39a61c8fa373405aa55dfd013c02b77ccc5ba4b
- \Users\Admin\AppData\Local\Temp\nsoE07.tmp\archon.dll
  Filesize: 34KB
  MD5: 10692017651aaf01881c7a31a9ef5515
  SHA1: b7f78dc3a3a81e646ad92fa7a2ef5fe675d9d9e1
  SHA256: 0fd14e6c5962242d15fba61bd0e1e8d7ce754ea6dd8c56c51719c10830f3902f
  SHA512: c4bf7a408b1436b435519b7601e3f063b5f8599c86e536bcca9be4fdb4ef1ba588cedd151121ad3e2a8ef9f8b39a61c8fa373405aa55dfd013c02b77ccc5ba4b
- \Users\Admin\AppData\Roaming\cissv.exe (reported twice with identical hashes)
  Filesize: 83KB
  MD5: 5b23b21551bdcb29c5d1614c4c20e854
  SHA1: fdc762c0dc24f959bba97a1d111052dc16155c0e
  SHA256: c619969391ad813f1c745e7182bc02d37108626ecdd99b6909bbe07eca70c952
  SHA512: f67511ec191a9d13a12ab174aae2f824bcfed9f8bb03d32dd3012dfe4a3bf98c693d5c351bf025ad4d607f16d89f540eadabeb0cf54c02355f3216b8335fa992
- memory/624-67-0x0000000000000000-mapping.dmp
- memory/1644-85-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/1644-80-0x0000000000412D10-mapping.dmp
- memory/1644-84-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/1644-86-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/1648-54-0x0000000075811000-0x0000000075813000-memory.dmp
  Filesize: 8KB
- memory/2008-61-0x0000000000412D10-mapping.dmp
- memory/2008-69-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2008-65-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2008-64-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2008-60-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2008-56-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2008-57-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
- memory/2008-59-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB