Analysis
- max time kernel: 152s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 26-11-2022 14:46
Behavioral task: behavioral1
- Sample: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- Resource: win10v2004-20220812-en
General
- Target: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- Size: 108KB
- MD5: 537316f23cf07bdde46b86413229bebc
- SHA1: 17130f204141e5add79cfe6e628ff2c2012aaa7d
- SHA256: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097
- SHA512: baf306dd5d73d7e69bfe22d45939ee20959340675e023c4150595547dbbcb94e9c517181a50b7d252ce5c67750a571182c536e1ecb19136fcfa44566b2795678
- SSDEEP: 3072:koy8j7VnNdrPHaSekwi+mW+2AMTQ6WW44Fout:U8jZ7rvaU3+mWrXM61xFoS
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- UAC bypass
  Processes:
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- ModiLoader Second Stage (1 IoC)
  Processes:
  resource: behavioral1/memory/684-59-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: modiloader_stage2
- Processes:
  resource: behavioral1/memory/684-55-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: upx
  resource: behavioral1/memory/684-59-0x0000000000400000-0x0000000000450000-memory.dmp
  yara_rule: upx
- Loads dropped DLL (2 IoCs)
  Processes:
  pid: 684, process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
  pid: 684, process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- Checks whether UAC is enabled
  Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description: Token: SeDebugPrivilege, pid: 684, process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
  description: Token: SeDebugPrivilege, pid: 684, process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  pid: 684, process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
  pid: 684, process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
- System policy modification (1 TTP, 1 IoC)
  Processes:
  description: Set value (int)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  process: 2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2717b8b6a7ce1637c1ed3467ce3f6e3cfa321ca26e743fb5596cde7f8e403097.exe"
  PID: 684
  Signatures:
  - UAC bypass
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\cmsetac.dll
  Filesize: 33KB
  MD5: a7a9d1fae63a2f861c042e09b93ad5ab
  SHA1: ca442670b1f5609d6e387197056f6fc07d126c34
  SHA256: 0a965d06baa117b825c102c6b86a02bd729c23ad8dd75eb94853c20dc936357a
  SHA512: e5088f4d4838ac7cd7679ff2c53c943fdf7935c63caa18e0bc7c5319bfb6dcb3c4125a229ef9f285a238041ee89a1164cb5435f32b292937bcd55eef277ca83c
- \Users\Admin\AppData\Local\Temp\ntdtcstp.dll
  Filesize: 7KB
  MD5: 67587e25a971a141628d7f07bd40ffa0
  SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
  SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
  SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
- memory/684-54-0x0000000075071000-0x0000000075073000-memory.dmp
  Filesize: 8KB
- memory/684-55-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/684-58-0x0000000001D20000-0x0000000001D2E000-memory.dmp
  Filesize: 56KB
- memory/684-59-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB