Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
28-11-2022 09:19
General
-
Target
ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55.exe
-
Size
243KB
-
MD5
44643696a1c92cad0c89458847d6712d
-
SHA1
b2d8c4b2dfae4b17b3bdbcf32984da816d6bbbd7
-
SHA256
ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55
-
SHA512
f0a81d56c6a6d5cd4c991831ba281b989952a212c247bded6c26616d4365298c9905025bbe6925e4bf851fd119ab05fb8994b5a98a8fd3bdd55453e46b76521f
-
SSDEEP
6144:ttsH5vwieeDU5kU6qjBq+W8jZ7rvaU3+mW4ZeoSKo:ywiex5khq8jeFzF7ZeoSZ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 2 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55.exe"C:\Users\Admin\AppData\Local\Temp\ba0ad305e5680f0f61789e864090fc11772378937b8adf1536b3273112c73d55.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IMG0012.exe"C:\Users\Admin\AppData\Local\Temp\IMG0012.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\kub.gif2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3968 CREDAT:17410 /prefetch:23⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD5bd4f3cb3175ff83bbc2c827705950a60
SHA19d940539de8317a8a6444559d9fc9f190dd9f80b
SHA256ff821119d7d2bf9d795503ed63996c81611b84cdcdacac943da9a9ae2d0d2384
SHA51202b99cb5a7e2cf6004fd010c5718f85830aca7b6f43b5ed929d2df8ca4209a29cfd9e54280a35392b2617ab58e578c097834ce24e9baa8b226c6181c64c0d377
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD5cd9753df50dbfa5ef31cd0a7801b4637
SHA1b1a5281a9054724a80913e640e0a4f014e4bea8b
SHA2568e5317f5cd406519b0321d497e152528488860f20fc0ea69b993ff8c581a5bb8
SHA51298997157a33e0d3c6318ef87e99a4010645d8a6256a5e9e9ac8c587f4966b2a3fa34767354ab590ef2fb1fb43d2f99414630e04269a3448660c0133d10a4da11
-
C:\Users\Admin\AppData\Local\Temp\IMG0012.exeFilesize
113KB
MD5849dfc2e717d555679040c40ddbefee4
SHA1e15aca3e1f9036ca94f091340e2cf29d3add4933
SHA2560e07607bf4988792060788b79db2ef4c3f08c822f84d53f94df19bbe4a01a6da
SHA512e92e080e9f81ca601a29bfbc3bbb9fde3ba521fcc7daf952a8d7c0aed09a96c698b79ed8145ec53fe2d8058e11282883295abb9ee3adfaaf468a43b08cb9d309
-
C:\Users\Admin\AppData\Local\Temp\IMG0012.exeFilesize
113KB
MD5849dfc2e717d555679040c40ddbefee4
SHA1e15aca3e1f9036ca94f091340e2cf29d3add4933
SHA2560e07607bf4988792060788b79db2ef4c3f08c822f84d53f94df19bbe4a01a6da
SHA512e92e080e9f81ca601a29bfbc3bbb9fde3ba521fcc7daf952a8d7c0aed09a96c698b79ed8145ec53fe2d8058e11282883295abb9ee3adfaaf468a43b08cb9d309
-
C:\Users\Admin\AppData\Local\Temp\cmsetac.dllFilesize
33KB
MD549616bec13d584f8e3b7db118a487152
SHA125311db5ff28d48c9eeb067fb185e8dff0f2e11d
SHA25656f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e
SHA5125deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b
-
C:\Users\Admin\AppData\Local\Temp\cmsetac.dllFilesize
33KB
MD549616bec13d584f8e3b7db118a487152
SHA125311db5ff28d48c9eeb067fb185e8dff0f2e11d
SHA25656f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e
SHA5125deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b
-
C:\Users\Admin\AppData\Local\Temp\cmsetac.dllFilesize
33KB
MD549616bec13d584f8e3b7db118a487152
SHA125311db5ff28d48c9eeb067fb185e8dff0f2e11d
SHA25656f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e
SHA5125deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b
-
C:\Users\Admin\AppData\Local\Temp\cmsetac.dllFilesize
33KB
MD549616bec13d584f8e3b7db118a487152
SHA125311db5ff28d48c9eeb067fb185e8dff0f2e11d
SHA25656f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e
SHA5125deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b
-
C:\Users\Admin\AppData\Local\Temp\cmsetac.dllFilesize
33KB
MD549616bec13d584f8e3b7db118a487152
SHA125311db5ff28d48c9eeb067fb185e8dff0f2e11d
SHA25656f1dcd83fbfe3a0e067981dc44f9478c0b2200897b3d6c799d9ef105033c70e
SHA5125deaa832321f5a49e8649cc55b4b429810afbc45d0f0d44fa2b6d6714d0c47ce1b6656ba6bd1cd2dfbfa0654c0cd813dcd02b19cc5820888b353917d4a541d8b
-
C:\Users\Admin\AppData\Local\Temp\kub.gifFilesize
121KB
MD5da7c2e72525f7b41163721cad6b7f513
SHA18f4d787b2de385b731cc8429426c2134b7d2f12a
SHA256925f81f01e3ad300969f10af624febf1ea74a4d8c1a613ab72e9998bd41177d7
SHA512dc35e038473e6c4f7be06cd0b6059551b59826555a9280924ed841959070e2859050a07810c25f70c2458b4160a4da6ee6130471b2742da3d7a3170cbbacebff
-
C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dllFilesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
C:\Users\Admin\AppData\Local\Temp\ntdtcstp.dllFilesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
memory/2320-136-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/2320-144-0x0000000000400000-0x0000000000451000-memory.dmpFilesize
324KB
-
memory/2320-143-0x00000000036C0000-0x00000000036CE000-memory.dmpFilesize
56KB
-
memory/2320-133-0x0000000000000000-mapping.dmp
-
memory/4252-137-0x0000000000400000-0x000000000040D000-memory.dmpFilesize
52KB
-
memory/4252-132-0x0000000000400000-0x000000000040D000-memory.dmpFilesize
52KB
