Analysis
-
max time kernel
46s -
max time network
51s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
27-11-2022 20:36
General
-
Target
86d44d3c698ae072cbe4678e12606721f1904d77fa7f229d0774e855a78bc75f.exe
-
Size
666KB
-
MD5
5187b4936b4b4880a3859729b5edc537
-
SHA1
43cba6c2e662ee5bb8a63a3fa1e73d3cb0a465a8
-
SHA256
86d44d3c698ae072cbe4678e12606721f1904d77fa7f229d0774e855a78bc75f
-
SHA512
e08c0d98fc443704cbe89e15da2a3322ccd009abbbabf4580dd1ed98afc1287bf12064a64f9abd061e8957984a94e7d6cfb45d933b1610a6931aed2fe6e4c805
-
SSDEEP
12288:aHLUMuiv9RgfSjAzRtyK+7PiJNMwEqCf6lxwfMUVQSHYcu9c00E5zZSK:4tARyCtDwfRQCY1qej
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\86d44d3c698ae072cbe4678e12606721f1904d77fa7f229d0774e855a78bc75f.exe"C:\Users\Admin\AppData\Local\Temp\86d44d3c698ae072cbe4678e12606721f1904d77fa7f229d0774e855a78bc75f.exe"1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\küüüüüüüüüü.exeC:\Users\Admin\AppData\Local\Temp/küüüüüüüüüü.exe2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\küüüüüüüüüü.exeFilesize
497KB
MD511ac163549fa998cae43205060cec17d
SHA197d8683f731107ef15ef465c47a01ae5320226db
SHA2566ca003ef95455766a26fd88dc6734ca3ebb4c79a130c3a12de012b5672e80205
SHA512483ef92aee2cc8838f8dbd050e7874299da44e02925491ead7da834344a5443ed5d5a9c9da7e3bbabb8e6de7e6c988d85d9623e9af6d2d8a9de8174b70aee29c
-
\Users\Admin\AppData\Local\Temp\küüüüüüüüüü.exeFilesize
497KB
MD511ac163549fa998cae43205060cec17d
SHA197d8683f731107ef15ef465c47a01ae5320226db
SHA2566ca003ef95455766a26fd88dc6734ca3ebb4c79a130c3a12de012b5672e80205
SHA512483ef92aee2cc8838f8dbd050e7874299da44e02925491ead7da834344a5443ed5d5a9c9da7e3bbabb8e6de7e6c988d85d9623e9af6d2d8a9de8174b70aee29c
-
\Users\Admin\AppData\Local\Temp\küüüüüüüüüü.exeFilesize
497KB
MD511ac163549fa998cae43205060cec17d
SHA197d8683f731107ef15ef465c47a01ae5320226db
SHA2566ca003ef95455766a26fd88dc6734ca3ebb4c79a130c3a12de012b5672e80205
SHA512483ef92aee2cc8838f8dbd050e7874299da44e02925491ead7da834344a5443ed5d5a9c9da7e3bbabb8e6de7e6c988d85d9623e9af6d2d8a9de8174b70aee29c
-
memory/1404-57-0x0000000000000000-mapping.dmp
-
memory/1404-61-0x0000000074761000-0x0000000074763000-memory.dmpFilesize
8KB
-
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmpFilesize
8KB
-
memory/1444-59-0x0000000000400000-0x00000000004AC000-memory.dmpFilesize
688KB