Analysis
-
max time kernel
150s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
27-11-2022 16:46
General
-
Target
9a321823d67a4bee20585589357f70eaca6c5d71969625e185f56ca67e2166c8.exe
-
Size
108KB
-
MD5
844e569740ff9bd028f5da0f6406b206
-
SHA1
9a69d0e5ddbee0ed16dcd3eb2c52af19655f1962
-
SHA256
9a321823d67a4bee20585589357f70eaca6c5d71969625e185f56ca67e2166c8
-
SHA512
5d3b9dde61291c6219e59658e13b187d7d6993321e44440ddf67a1ade66d583a4ef033e7cc8250d92fb0480e3efcda7fa2f8c9403a7d3f712fd45851493ce78b
-
SSDEEP
1536:pVuNAXTj4Fj/91/NnLZqeWEPVpa8DzePjkgcwYS7S5+Vfk09+2HxUnMTsWdinout:Hoy8j7VnNdrPHaSekwi+mW+2uAFgout
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 3 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9a321823d67a4bee20585589357f70eaca6c5d71969625e185f56ca67e2166c8.exe"C:\Users\Admin\AppData\Local\Temp\9a321823d67a4bee20585589357f70eaca6c5d71969625e185f56ca67e2166c8.exe"1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\9a321823d67a4bee20585589357f70eaca6c5d71969625e185f56ca67e2166c8.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mstwain32.exeFilesize
108KB
MD5844e569740ff9bd028f5da0f6406b206
SHA19a69d0e5ddbee0ed16dcd3eb2c52af19655f1962
SHA2569a321823d67a4bee20585589357f70eaca6c5d71969625e185f56ca67e2166c8
SHA5125d3b9dde61291c6219e59658e13b187d7d6993321e44440ddf67a1ade66d583a4ef033e7cc8250d92fb0480e3efcda7fa2f8c9403a7d3f712fd45851493ce78b
-
memory/1344-56-0x0000000000000000-mapping.dmp
-
memory/1344-61-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1344-62-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1744-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmpFilesize
8KB
-
memory/1744-55-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1744-59-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB