Analysis
max time kernel: 152s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 02:24
Static task: static1
Behavioral task: behavioral1
  Sample: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
  Resource: win10v2004-20220812-en
General
Target: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
Size: 121KB
MD5: 22f898d4a880f2e284bef5f183a05aa2
SHA1: e65b0ba02e551a43f7f1377c6cb12695e6170752
SHA256: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22
SHA512: c6f12c7c15cc7d11729a643012436463be43af30dbcf2de7cbe201d01e53e84831422909c82e77cdd384d609685401e427c6d55bddaa582f4c453bcad8299e48
SSDEEP: 3072:yJJ2ql3+A5+JBJA0U4zZaEY2cVq9ftIwRoGnc1MdfX:yJJ2qJvw6TEY2cVkNyj4X
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" | svchost.exe
The Shell value is rewritten so that the dropped copy under %LOCALAPPDATA%\KB3780534 (a directory named like a Windows update KB) starts alongside explorer.exe at logon. Note the WOW6432Node prefix: the writer is the 32-bit C:\Windows\SysWOW64\svchost.exe, so the write was redirected into the 32-bit registry view. On this x64 image the 64-bit winlogon.exe reads the native Winlogon key, so this particular entry is unlikely to fire here; it would on 32-bit Windows. The Run key below is redirected the same way, whereas the Policies keys are not (they appear without WOW6432Node).
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | svchost.exe
ModiLoader Second Stage (4 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1640-133-0x0000000000400000-0x0000000000415000-memory.dmp | modiloader_stage2
behavioral2/memory/1640-136-0x0000000000400000-0x0000000000415000-memory.dmp | modiloader_stage2
behavioral2/memory/1640-138-0x0000000000400000-0x0000000000415000-memory.dmp | modiloader_stage2
behavioral2/memory/836-139-0x0000000000EB0000-0x0000000000EBE000-memory.dmp | modiloader_stage2
The rule hits the 0x400000-0x415000 image region of the second-stage copy of the sample (PID 1640, three dumps of the same 84KB range) and a 56KB region at 0xEB0000 inside the svchost.exe it later writes into (PID 836).
Adds policy Run key to start application (2 TTPs, 4 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB3780534 = "\"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB3780534 = "\"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Disables RegEdit via registry modification (1 IoC)
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.exe

Disables Task Manager via registry modification (no IoC rows listed in this report)
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | svchost.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KB3780534 = "\"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KB3780534 = "\"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" | svchost.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | svchost.exe
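The registry rows in the signatures above are printed in NT object-manager form (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) with the written data C-escaped, which is awkward to hunt with directly. The following Python is an added example and not part of the sandbox report: it parses rows copied from this report, rewrites them in HKLM/HKU notation, flags the ones that landed in the WOW6432Node view, buckets each by the technique it usually indicates, and pulls out the executable that the persistence entries point at. The bucket names and the parsing assumptions (one row per line, action prefix first, process name as the last token, data after ` = ` in double quotes) are mine.

```python
"""Triage helper: turn the registry IoC rows of a sandbox report into
hive-qualified paths with a coarse technique bucket.

Added example, not part of the sandbox report. Parsing assumptions: one row
per line, action prefix first, process name as the last whitespace-separated
token, written data after ' = ' in double quotes (escaped the way the
sandbox prints it). The bucket names are my own labels."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed input: registry rows copied from the signatures above.
REPORT_IOCS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\KB3780534 = "\"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" svchost.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" svchost.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KB3780534 = "\"C:\\Users\\Admin\\AppData\\Local\\KB3780534\\KB3780534.exe\"" svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe
'''

ACTIONS = ("Set value (str)", "Set value (int)", "Key value queried",
           "Key created", "Key opened")
ROW_RE = re.compile(r"^(?P<action>" + "|".join(re.escape(a) for a in ACTIONS)
                    + r") (?P<rest>\\REGISTRY\\.+) (?P<process>\S+)$")
# Executable path inside the (unescaped) data string.
EXE_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)


@dataclass
class Finding:
    action: str
    path: str       # Win32 hive notation, e.g. HKLM\SOFTWARE\...
    value: str      # data written, raw as the sandbox printed it ("" if none)
    process: str
    category: str
    wow64: bool     # key lives under WOW6432Node, i.e. the 32-bit view


def normalize_hive(nt_path: str) -> str:
    """Map the NT object-manager path the sandbox logs to HKLM/HKU notation."""
    upper = nt_path.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + nt_path[len("\\REGISTRY\\MACHINE"):]
    if upper.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + nt_path[len("\\REGISTRY\\USER"):]
    return nt_path


def classify(nt_path: str) -> str:
    """Bucket a key path by the technique it usually indicates (my labels)."""
    p = nt_path.lower()
    if ("\\winlogon\\shell" in p or "\\currentversion\\run" in p
            or "\\policies\\explorer\\run" in p):
        return "persistence"
    if "\\policies\\system\\disable" in p:
        return "defense-evasion"
    if any(m in p for m in ("virtualbox", "vmware", "biosversion",
                            "services\\disk\\enum")):
        return "anti-analysis"
    if "\\internet explorer\\main" in p:
        return "ie-settings"
    return "other"


def parse_row(row: str) -> Finding:
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    nt_path, sep, value = m.group("rest").partition(" = ")
    if sep and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]          # drop the outer quotes only
    return Finding(m.group("action"), normalize_hive(nt_path), value,
                   m.group("process"), classify(nt_path),
                   "wow6432node" in nt_path.lower())


def parse_report(text: str) -> List[Finding]:
    return [parse_row(r) for r in text.splitlines() if r.strip()]


def payload_paths(value: str) -> List[str]:
    """Undo the sandbox's C-style escaping and pull executable paths out."""
    plain = value.replace('\\"', '"').replace("\\\\", "\\")
    return EXE_RE.findall(plain)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.category for f in findings))


def persistence_payloads(findings: List[Finding]) -> Set[str]:
    """Every executable a persistence entry points at: the thing to hunt for."""
    return {p for f in findings if f.category == "persistence"
            for p in payload_paths(f.value)}


if __name__ == "__main__":
    found = parse_report(REPORT_IOCS)
    for f in found:
        flag = " (WOW64 view)" if f.wow64 else ""
        print(f"[{f.category:<15}] {f.action:<18} {f.path}{flag}")
    print("buckets:", summarize(found))
    print("persistence payloads:", persistence_payloads(found))
```

All three persistence rows resolve to the same payload, C:\Users\Admin\AppData\Local\KB3780534\KB3780534.exe, so a host check needs only that path plus the four key locations; the WOW64 flag tells you which of those locations to read through the 32-bit view on an x64 host.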
Suspicious use of SetThreadContext (1 IoC)
Processes: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe (PIDs 4860, 1640)
description | pid | process | target process
PID 4860 set thread context of 1640 | 4860 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
Modifies Internet Explorer settings (4 IoCs)
Processes: svchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "yes" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "yes" | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\UseThemes = "1" | svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe (PIDs 4860, 1640), svchost.exe (PID 836)
pid | process (64 events, repeated rows collapsed)
4860 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
1640 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
836 | svchost.exe
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
pid | process
1640 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
pid | process
4860 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
4860 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe (PIDs 4860, 1640)
description | pid | process | target process
PID 4860 wrote to memory of 1640 | 4860 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe (10 events)
PID 1640 wrote to memory of 836 | 1640 | 627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe | svchost.exe (3 events)
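Read together, the SetThreadContext, WriteProcessMemory and MapViewOfSection rows and the process tree below describe a two-hop chain: the sample (PID 4860) writes ten times into a freshly started copy of itself (PID 1640) and then resets that copy's thread context, and the copy in turn writes into a svchost.exe (PID 836) it launched from C:\Windows\SysWOW64 with an argument string that no real service host carries. The Python below is an added example, not something from the report: it rebuilds those events as constructed input and applies the correlation a detection engineer would use to score them (cross-process write plus thread-context reset, target is the writer's own child, target runs the writer's image, svchost.exe not started by services.exe with a -k group). The process records and event list are constructed from the rows on this page; the "legitimate svchost" heuristic is an assumption of mine.

```python
"""Correlate cross-process API calls with the process tree to flag process
hollowing and injection. Added example, not part of the sandbox report; the
process records and event list are constructed from the rows on this page,
and the 'legitimate svchost' heuristic is my own assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = "627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str       # file name only (836 is C:\Windows\SysWOW64\svchost.exe in the tree)
    cmdline: str


@dataclass
class ApiEvent:
    api: str
    pid: int         # caller
    target: int      # process acted upon


@dataclass
class Alert:
    src: int
    dst: int
    severity: str
    reasons: List[str]
    api_counts: Dict[str, int]


# Constructed from the process tree and signature rows of this report.
# The parent of 4860 is the sandbox itself and is not listed, hence ppid 0.
PROCS = [
    Proc(4860, 0, SAMPLE, f'"{TEMP}{SAMPLE}"'),
    Proc(1640, 4860, SAMPLE, f"{TEMP}{SAMPLE}"),
    Proc(836, 1640, "svchost.exe",
         f'"svchost.exe" {TEMP.lower()}{SAMPLE}path<<{TEMP.lower()}{SAMPLE}>>path'),
]
EVENTS = ([ApiEvent("SetThreadContext", 4860, 1640)]
          + [ApiEvent("WriteProcessMemory", 4860, 1640)] * 10
          + [ApiEvent("WriteProcessMemory", 1640, 836)] * 3)

CROSS_PROCESS = {"WriteProcessMemory", "SetThreadContext", "CreateRemoteThread",
                 "QueueUserAPC", "NtMapViewOfSection"}


def looks_like_real_svchost(p: Proc, by_pid: Dict[int, Proc]) -> bool:
    """Assumption: a genuine service host is spawned by services.exe and
    carries a '-k <group>' argument. Anything else is treated as a masquerade."""
    parent = by_pid.get(p.ppid)
    return (parent is not None and parent.image.lower() == "services.exe"
            and " -k " in p.cmdline)


def detect(procs: List[Proc], events: List[ApiEvent]) -> List[Alert]:
    by_pid = {p.pid: p for p in procs}
    # Count cross-process APIs per (writer, target) pair; self-targeted calls are noise here.
    pairs: Dict[Tuple[int, int], Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.api in CROSS_PROCESS and e.pid != e.target:
            pairs[(e.pid, e.target)][e.api] += 1

    alerts = []
    for (src, dst), apis in pairs.items():
        s, d = by_pid.get(src), by_pid.get(dst)
        reasons, high = [], False
        if "WriteProcessMemory" in apis and "SetThreadContext" in apis:
            reasons.append("wrote memory then reset thread context: hollowing/RunPE pattern")
            high = True
        elif "WriteProcessMemory" in apis:
            reasons.append("wrote into another process' memory")
        if d is not None and d.ppid == src:
            reasons.append("target is the writer's own child (suspended-child injection)")
        if s is not None and d is not None and s.image.lower() == d.image.lower():
            reasons.append("target runs the same image as the writer (self-hollowing)")
        if (d is not None and d.image.lower() == "svchost.exe"
                and not looks_like_real_svchost(d, by_pid)):
            reasons.append("svchost.exe not started by services.exe with a -k group: masquerade")
            high = True
        if reasons:
            alerts.append(Alert(src, dst, "high" if high else "medium", reasons, dict(apis)))
    return alerts


if __name__ == "__main__":
    for a in detect(PROCS, EVENTS):
        print(f"{a.severity.upper():6} {a.src} -> {a.dst} {a.api_counts}")
        for r in a.reasons:
            print("    -", r)
```

Both hops come out high: the first because the write-then-SetThreadContext sequence into a same-image child is the textbook RunPE shape, the second because a svchost.exe whose parent is a file in %TEMP% and whose command line lacks a service group cannot be a real service host regardless of what was written into it. On a real host the same two rules can be fed from Sysmon event IDs 1 (process creation, for ppid and command line) and 8/10 (remote thread and process access), which is the point of keeping the logic separate from the constructed input.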
Processes
1. C:\Users\Admin\AppData\Local\Temp\627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe (PID 4860)
   command line: "C:\Users\Admin\AppData\Local\Temp\627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe (PID 1640, child of 1)
      command line: C:\Users\Admin\AppData\Local\Temp\627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\svchost.exe (PID 836, child of 2)
         command line: "svchost.exe" c:\users\admin\appdata\local\temp\627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exepath<<c:\users\admin\appdata\local\temp\627709624a61471f42b8856d7d2b35e116efa6cc00c3415b72ca7dbc8de64f22.exe>>path
         - Modifies WinLogon for persistence
         - Looks for VirtualBox Guest Additions in registry
         - Adds policy Run key to start application
         - Disables RegEdit via registry modification
         - Looks for VMWare Tools registry key
         - Checks BIOS information in registry
         - Adds Run key to start application
         - Maps connected drives based on registry
         - Modifies Internet Explorer settings
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/836-137-0x0000000000000000-mapping.dmp
memory/836-139-0x0000000000EB0000-0x0000000000EBE000-memory.dmp (Filesize 56KB)
memory/1640-132-0x0000000000000000-mapping.dmp
memory/1640-133-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize 84KB)
memory/1640-136-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize 84KB)
memory/1640-138-0x0000000000400000-0x0000000000415000-memory.dmp (Filesize 84KB)
memory/4860-134-0x0000000002230000-0x0000000002234000-memory.dmp (Filesize 16KB)