Analysis
- max time kernel: 138s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 27-11-2022 11:22
Behavioral tasks (sample, resource)
- behavioral1: wjj11.exe, win7-20220901-en
- behavioral2: wjj11.exe, win10v2004-20220812-en
- behavioral3: 使用说明.htm ("usage instructions"), win7-20220901-en
- behavioral4: 使用说明.htm ("usage instructions"), win10v2004-20221111-en
- behavioral5: 小游戏.htm ("mini games"), win7-20221111-en
- behavioral6: 小游戏.htm ("mini games"), win10v2004-20221111-en
- behavioral7: 常用软件合集.htm ("common software collection"), win7-20221111-en
- behavioral8: 常用软件合集.htm ("common software collection"), win10v2004-20221111-en
General
- Target: wjj11.exe
- Size: 1.7MB
- MD5: f37023c41ae712e20595650fcc5f06d2
- SHA1: f1d0887b2d2c3788b73ba4aefcc0d060d6bfeedd
- SHA256: 7d5bd56ecfdac63df44fc80c9b5bc2fdf55d491d0ab20edbb3a2ad6825cce076
- SHA512: 8b27218a41f69e743f11630eb31e5d8af472c688598f438f057a3f65aa2c2644eacd39286aecb090c2343e94ed481a1a291382402b297a7a7b52949ff6c2e643
- SSDEEP: 24576:nZXBJxLVwqSdNLRlJMXVWxaC5wa1tqqdXE+86TZStU4gf2EW5A2DJr/kS4vGIk6O:FrxBHofJMXGnrvi+RTZh43Dp/wPHXW
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
Processes (resource, yara_rule):
- \Users\Admin\AppData\Local\Temp\EXE_temp1.exe: modiloader_stage2
- C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe: modiloader_stage2
Executes dropped EXE (4 IoCs)
Processes (pid, process):
- 816 EXE_temp0.exe
- 1704 EXE_temp1.exe
- 1156 EXE_temp2.exe
- 1632 recyclers-s-5-1-21.exe
Loads dropped DLL (9 IoCs)
Processes (pid, process, number of events):
- 1340 wjj11.exe (5 events)
- 960 WerFault.exe (3 events)
- 1632 recyclers-s-5-1-21.exe (1 event)
Drops file in System32 directory (1 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (recyclers-s-5-1-21.exe)
Program crash (1 IoCs)
Processes (pid, process, target pid, target process):
- 960 WerFault.exe, target 816 EXE_temp0.exe
Modifies data under HKEY_USERS (24 IoCs)
Processes (description, ioc); all 24 operations were performed by recyclers-s-5-1-21.exe:
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\WpadDecision = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14\WpadDecision = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0017000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\WpadNetworkName = "Network 2"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\0a-73-e8-57-79-14
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E40D6DCF-AA0D-4639-B6A3-557E0A95356A}\WpadDecisionTime = 70363286ff02d901
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-73-e8-57-79-14\WpadDecisionTime = 70363286ff02d901
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1156 EXE_temp2.exe
- Token: SeDebugPrivilege, 1632 recyclers-s-5-1-21.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid, process):
- 1632 recyclers-s-5-1-21.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid, process, number of events):
- 1632 recyclers-s-5-1-21.exe (2 events)
Suspicious use of WriteProcessMemory (24 IoCs)
Processes (pid, process, target pid, target process); each pair below was recorded 4 times:
- PID 1340 wjj11.exe wrote to memory of 816 EXE_temp0.exe
- PID 1340 wjj11.exe wrote to memory of 1704 EXE_temp1.exe
- PID 1340 wjj11.exe wrote to memory of 1156 EXE_temp2.exe
- PID 816 EXE_temp0.exe wrote to memory of 960 WerFault.exe
- PID 1704 EXE_temp1.exe wrote to memory of 1008 IEXPLORE.EXE
- PID 1632 recyclers-s-5-1-21.exe wrote to memory of 1624 IEXPLORE.EXE
Processes (process tree; the number after each path is its depth in the tree)
- C:\Users\Admin\AppData\Local\Temp\wjj11.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\wjj11.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (3)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 176
      Signatures: Loads dropped DLL; Program crash
  - C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\program files\internet explorer\IEXPLORE.EXE (3)
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
  - C:\Users\Admin\AppData\Local\Temp\EXE_temp2.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\EXE_temp2.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\RECYCLER\recyclers-s-5-1-21.exe (1)
  Command line: C:\RECYCLER\recyclers-s-5-1-21.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (2)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Downloads

C:\RECYCLER\YCSDVO.DAT
- Filesize: 51KB
- MD5: aefafdd5c9b62db20fd28e0f935263e8
- SHA1: 3df1cb906cc6180776143b3cc8dd77d2d6956d59
- SHA256: 9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e
- SHA512: e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

C:\RECYCLER\recyclers-s-5-1-21.exe
- Filesize: 795KB
- MD5: 6d4c27a39686689f98a83de90383ebc8
- SHA1: 13c37e67230033dc729c99c83da593f1af634908
- SHA256: 60b79787052c00e26c733a04facb040c4d7f81b10b9b3b4ae423930b640c0d43
- SHA512: d29e2f043e1b6c71620658e5e3b510fde14407b28089bbbbdb12015ba7d0d21b290f6985e28b359fe9763066c4326f8734c066b427e0f0c05fb439a85a1f5748

C:\Users\Admin\AppData\Local\Temp\EXE_temp0.exe
- Filesize: 250KB
- MD5: eec13aa4885914e23037b5d69f982cd5
- SHA1: feccd45713f84c5e3729b0660fdb054cb816df34
- SHA256: bf4739756d5282358b208bb75f0dd1af879cbfb3e9ff92cb670b98ba7b7c6ea9
- SHA512: 42ddb099c48b17aab6a53004cdc62bb96695ead2bcbde055749ad30a9c56f04733b7e47d227120a1000eb97ece33b077a1076d37a2735102600b4fdc2829cd11

C:\Users\Admin\AppData\Local\Temp\EXE_temp1.exe
- Filesize: 681KB
- MD5: b8d8384b8ff97032e7230dd020763ebd
- SHA1: 21b53995c976ac5e9d749ce090ee7494beeca44d
- SHA256: 43d33251a3ccfa19c940d875d1861a9f1606eaa3afdecc2c30118e2dd9a5a0d7
- SHA512: 7a04e45417b8571cf0722fbcbd40f693da9c6a9bbca72e1577ae3b6024dd3df88cb07b87efc300f584a16e2dd4d64834841939d2bef3365e39e0b362f5cda13e

C:\Users\Admin\AppData\Local\Temp\EXE_temp2.exe
- Filesize: 795KB
- MD5: 6d4c27a39686689f98a83de90383ebc8
- SHA1: 13c37e67230033dc729c99c83da593f1af634908
- SHA256: 60b79787052c00e26c733a04facb040c4d7f81b10b9b3b4ae423930b640c0d43
- SHA512: d29e2f043e1b6c71620658e5e3b510fde14407b28089bbbbdb12015ba7d0d21b290f6985e28b359fe9763066c4326f8734c066b427e0f0c05fb439a85a1f5748

\RECYCLER\YCSDVO.DAT
- Filesize: 51KB
- MD5: aefafdd5c9b62db20fd28e0f935263e8
- SHA1: 3df1cb906cc6180776143b3cc8dd77d2d6956d59
- SHA256: 9550cb7dcb5aae17c30239da490f44b782c0be45f626073a83cfafd45c9e8d3e
- SHA512: e3e953bcede18dbd183defe2e60c1ba654cec65eaa7a8d483f262b77d76cdbba1a13a9adfd8804f586ccf6ae69f3053f8963d9d4c1193df17a5209fa06c53d40

\Users\Admin\AppData\Local\Temp\EXE_temp0.exe
- Filesize: 250KB
- MD5: eec13aa4885914e23037b5d69f982cd5
- SHA1: feccd45713f84c5e3729b0660fdb054cb816df34
- SHA256: bf4739756d5282358b208bb75f0dd1af879cbfb3e9ff92cb670b98ba7b7c6ea9
- SHA512: 42ddb099c48b17aab6a53004cdc62bb96695ead2bcbde055749ad30a9c56f04733b7e47d227120a1000eb97ece33b077a1076d37a2735102600b4fdc2829cd11

\Users\Admin\AppData\Local\Temp\EXE_temp1.exe
- Filesize: 681KB
- MD5: b8d8384b8ff97032e7230dd020763ebd
- SHA1: 21b53995c976ac5e9d749ce090ee7494beeca44d
- SHA256: 43d33251a3ccfa19c940d875d1861a9f1606eaa3afdecc2c30118e2dd9a5a0d7
- SHA512: 7a04e45417b8571cf0722fbcbd40f693da9c6a9bbca72e1577ae3b6024dd3df88cb07b87efc300f584a16e2dd4d64834841939d2bef3365e39e0b362f5cda13e

\Users\Admin\AppData\Local\Temp\EXE_temp2.exe
- Filesize: 795KB
- MD5: 6d4c27a39686689f98a83de90383ebc8
- SHA1: 13c37e67230033dc729c99c83da593f1af634908
- SHA256: 60b79787052c00e26c733a04facb040c4d7f81b10b9b3b4ae423930b640c0d43
- SHA512: d29e2f043e1b6c71620658e5e3b510fde14407b28089bbbbdb12015ba7d0d21b290f6985e28b359fe9763066c4326f8734c066b427e0f0c05fb439a85a1f5748

Memory dumps
- memory/816-75-0x0000000000400000-0x00000000004E9000-memory.dmp (Filesize: 932KB)
- memory/816-57-0x0000000000000000-mapping.dmp
- memory/960-67-0x0000000000000000-mapping.dmp
- memory/1156-65-0x0000000000000000-mapping.dmp
- memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp (Filesize: 8KB)
- memory/1340-73-0x00000000005C0000-0x00000000006A9000-memory.dmp (Filesize: 932KB)
- memory/1340-74-0x00000000005C0000-0x00000000006A9000-memory.dmp (Filesize: 932KB)
- memory/1632-81-0x0000000000830000-0x0000000000841000-memory.dmp (Filesize: 68KB)
- memory/1704-61-0x0000000000000000-mapping.dmp