Analysis
-
max time kernel: 147s
max time network: 44s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 28-11-2022 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
  Resource: win10v2004-20220812-en
General
-
Target: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
Size: 2.3MB
MD5: 955ccd6df107b42537086c85a58e9eb4
SHA1: f2bce5d73b6445fe7d4e284fb68ba6195a6d78c3
SHA256: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d
SHA512: 5af3c1d57846f1c5e8cb0c6652bcbf179897e012f71794f5c0e6be8ca366a7b7881a036a86572e7a25f01b292c2c6dd64d086bdce9998183690dd75af8174f1d
SSDEEP: 49152:zH67oc//////RTQ7CKmmFDmYVvURnhGMm5oH2+KulIjescZp71Pnxw/Z:zH67oc//////wmUK1pW3LWCB
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses cloud and file-hosting services to fetch and stage follow-on malware families.
-
ACProtect 1.3x - 1.4x DLL software 3 IoCs
Detects file using ACProtect software.
Processes:
  resource                                        yara_rule
  \Users\Admin\AppData\Local\Temp\enk8631.tmp     acprotect
  \Users\Admin\AppData\Local\Temp\enk8631.tmp     acprotect
  C:\Users\Admin\AppData\Local\Temp\enk8631.tmp   acprotect
-
ModiLoader Second Stage 3 IoCs
Processes:
  resource                                        yara_rule
  \Users\Admin\AppData\Local\Temp\server.exe      modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\server.exe    modiloader_stage2
  C:\Users\Admin\AppData\Local\Temp\server.exe    modiloader_stage2
-
Executes dropped EXE 2 IoCs
Processes:
  pid    process
  1680   ÁбíÉú³É.exe
  1900   server.exe
Note: ÁбíÉú³É.exe is how the en-US sandbox renders a file name that was written as GBK bytes (0xC1D0 0xB1ED 0xC9FA 0xB3C9); decoded as GBK the name is 列表生成.exe ("list generation"). The rendered spelling is the on-disk IoC on en-US hosts; the GBK spelling is what to search for on Chinese-locale hosts.
-
Loads dropped DLL 5 IoCs
Processes:
  pid    process
  1016   cmd.exe
  1516   cmd.exe
  1516   cmd.exe
  1680   ÁбíÉú³É.exe
  1900   server.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
  description    ioc                                               process
  File created   C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt     server.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Triage describes this as likely ransomware behaviour, but it is a generic heuristic: nothing else in this report (no file-encryption or ransom-note signature) supports a ransomware classification for this ModiLoader sample.
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid    process
  1680   ÁбíÉú³É.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes (Triage logs one entry per WriteProcessMemory call; the 20 entries collapse to five parent/child pairs, four entries each):
  description                        pid    process                                                                  target process
  PID 1508 wrote to memory of 1516   1508   1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe    cmd.exe          (x4)
  PID 1508 wrote to memory of 1016   1508   1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe    cmd.exe          (x4)
  PID 1516 wrote to memory of 1680   1516   cmd.exe                                                                  ÁбíÉú³É.exe      (x4)
  PID 1016 wrote to memory of 1900   1016   cmd.exe                                                                  server.exe       (x4)
  PID 1900 wrote to memory of 972    1900   server.exe                                                               IEXPLORE.EXE     (x4)
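The WriteProcessMemory table is the only place in the report that ties PIDs to parents, and reading it by hand is error-prone because every process creation is logged several times. The following is an added example by the editor, not code from the Triage report or from ModiLoader: it parses those rows into a deduplicated process tree and applies two chain heuristics (cmd.exe used as a launcher, and a browser started by something other than explorer.exe) that are the editor's assumptions rather than Triage signatures. The `ENTRIES` input reconstructs the report's 20 rows.

```python
"""Rebuild a parent/child process tree from Triage's "wrote to memory of"
entries and flag the launch chain this report shows.

Added example by the editor, not part of the Triage report or of ModiLoader.
Triage records one entry per WriteProcessMemory call, so each parent/child
pair appears several times (four per process creation here); the parser
collapses them. ENTRIES reconstructs the 20 rows of the report's table; the
two chain heuristics are the editor's assumptions, not Triage signatures.
"""
import re
from collections import defaultdict

SAMPLE = "1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe"

# Constructed input: the report's 20 WriteProcessMemory rows, one per line, in
# the format Triage prints them (description, pid, process, target process).
ENTRIES = "\n".join(
    [f"PID 1508 wrote to memory of 1516 1508 {SAMPLE} cmd.exe"] * 4
    + [f"PID 1508 wrote to memory of 1016 1508 {SAMPLE} cmd.exe"] * 4
    + ["PID 1516 wrote to memory of 1680 1516 cmd.exe ÁбíÉú³É.exe"] * 4
    + ["PID 1016 wrote to memory of 1900 1016 cmd.exe server.exe"] * 4
    + ["PID 1900 wrote to memory of 972 1900 server.exe IEXPLORE.EXE"] * 4
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EDGE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def parse_edges(text):
    """Collapse repeated rows into {(src_pid, src_image, dst_pid, dst_image): count}."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = EDGE_RE.match(line.strip())
        if m:  # ignore anything that is not a WriteProcessMemory row
            src, dst, src_image, dst_image = m.groups()
            counts[(int(src), src_image, int(dst), dst_image)] += 1
    return dict(counts)


def build_tree(edges):
    """Return (images, children): pid -> image name and pid -> [child pids]."""
    images, children = {}, defaultdict(list)
    for src, src_image, dst, dst_image in edges:
        images[src] = src_image
        images[dst] = dst_image
        children[src].append(dst)
    return images, dict(children)


def parent_map(children):
    return {child: parent for parent, kids in children.items() for child in kids}


def root_pids(images, children):
    """Processes that were never written to by another tracked process."""
    return sorted(set(images) - set(parent_map(children)))


def ancestry(images, children, pid):
    """Image names from the root down to `pid`."""
    parent_of = parent_map(children)
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [images[p] for p in reversed(chain)]


def suspicious_chains(images, children):
    """Editor's heuristics (assumptions): (1) cmd.exe acting as a launcher for
    another executable, the cmd /c "<dropped>.exe" pattern in this report;
    (2) a browser process started by something other than explorer.exe, the
    usual sign of a loader preparing an injection target."""
    parent_of = parent_map(children)
    findings = []
    for pid, image in images.items():
        parent = parent_of.get(pid)
        parent_image = images[parent].lower() if parent is not None else ""
        if parent_image == "cmd.exe" and image.lower() != "cmd.exe":
            findings.append((pid, f"cmd.exe (PID {parent}) used as launcher for {image}"))
        if parent is not None and image.upper() == "IEXPLORE.EXE" and parent_image != "explorer.exe":
            findings.append((pid, f"{image} spawned by {images[parent]} (PID {parent}); injection target?"))
    return findings


if __name__ == "__main__":
    images, children = build_tree(parse_edges(ENTRIES))

    def show(pid, depth=0):
        print("  " * depth + f"{images[pid]} (PID {pid})")
        for child in children.get(pid, []):
            show(child, depth + 1)

    for root in root_pids(images, children):
        show(root)
    for pid, reason in suspicious_chains(images, children):
        print(f"[!] PID {pid}: {reason}")
```

Run against this report it prints a single tree rooted at PID 1508 and flags 1680, 1900 and 972; the same parser works on any Triage report whose WriteProcessMemory rows are pasted in.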
Processes (PIDs taken from the WriteProcessMemory table for the win7 task)
-
C:\Users\Admin\AppData\Local\Temp\1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe (PID 1508, depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe"
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\cmd.exe (PID 1516, depth 2)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\ÁбíÉú³É.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\ÁбíÉú³É.exe (PID 1680, depth 3)
    command line: C:\Users\Admin\AppData\Local\Temp\ÁбíÉú³É.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
-
  C:\Windows\SysWOW64\cmd.exe (PID 1016, depth 2)
  command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1900, depth 3)
    command line: C:\Users\Admin\AppData\Local\Temp\server.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    -
      C:\program files\internet explorer\IEXPLORE.EXE (PID 972, depth 4)
      command line: "C:\program files\internet explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (each dropped file is listed once; the report repeats entries per task and both with and without the drive letter)
-
C:\Users\Admin\AppData\Local\Temp\enk8631.tmp (also listed as \Users\Admin\AppData\Local\Temp\enk8631.tmp)
Filesize: 172KB
MD5: 685f1cbd4af30a1d0c25f252d399a666
SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9
-
C:\Users\Admin\AppData\Local\Temp\server.exe (also listed as \Users\Admin\AppData\Local\Temp\server.exe)
Filesize: 678KB
MD5: 6adb5a299c5a8fe28e433831ae3656d2
SHA1: 2b29580575dd3006da304682d09176fa99b45e36
SHA256: 192ce7a670ce06f3644755d3156a92d62a292f44d8c327c590e193ef33df17b1
SHA512: 252588ccc4e1928806af5e42e2f204b661651d7ca64a44224640ee559fe0e6be60820abea62c580a2916ae06fc114429bc47cfa2a30917bb29c11507edd3d37a
-
C:\Users\Admin\AppData\Local\Temp\ÁбíÉú³É.exe (also listed as \Users\Admin\AppData\Local\Temp\ÁбíÉú³É.exe)
Filesize: 1.3MB
MD5: 8b8686b0102c444b5bdfa5a722edd236
SHA1: b7af6290a9d670519bccf04361dc44c58577f6c8
SHA256: 347bb189e99f31409bac69ed5ca91d6e87059f15378b1fff46b459083dc65d03
SHA512: 57a3d7bf93e18e4a3a60dda3b258f716a5d6c7a201a9b7a27eada63e44a2591397553a708b48a0956686929aed804557e3a1ef86877814d7f1e9501060531790
-
memory/1016-55-0x0000000000000000-mapping.dmp
-
memory/1516-54-0x0000000000000000-mapping.dmp
-
memory/1516-67-0x0000000002040000-0x0000000002166000-memory.dmp
Filesize: 1.1MB
-
memory/1680-63-0x0000000075451000-0x0000000075453000-memory.dmp
Filesize: 8KB
-
memory/1680-68-0x0000000000400000-0x0000000000526000-memory.dmp
Filesize: 1.1MB
-
memory/1680-61-0x0000000000000000-mapping.dmp
-
memory/1680-73-0x0000000001D30000-0x0000000001DA3000-memory.dmp
Filesize: 460KB
-
memory/1680-74-0x0000000000400000-0x0000000000526000-memory.dmp
Filesize: 1.1MB
-
memory/1680-75-0x0000000001D30000-0x0000000001DA3000-memory.dmp
Filesize: 460KB
-
memory/1900-64-0x0000000000000000-mapping.dmp
-
memory/1900-72-0x0000000001C50000-0x0000000001CC3000-memory.dmp
Filesize: 460KB