Analysis
  max time kernel: 149s
  max time network: 155s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 28-11-2022 19:14
Static task: static1
Behavioral task: behavioral1
  Sample: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
  Resource: win10v2004-20220812-en

The signatures, process tree, dropped files and memory dumps below are from the win10v2004-20220812-en run (the platform named in the Analysis header); the win7 run is not reproduced on this page.
General
  Target: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe
  Size: 2.3MB
  MD5: 955ccd6df107b42537086c85a58e9eb4
  SHA1: f2bce5d73b6445fe7d4e284fb68ba6195a6d78c3
  SHA256: 1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d
  SHA512: 5af3c1d57846f1c5e8cb0c6652bcbf179897e012f71794f5c0e6be8ca366a7b7881a036a86572e7a25f01b292c2c6dd64d086bdce9998183690dd75af8174f1d
  SSDEEP: 49152:zH67oc//////RTQ7CKmmFDmYVvURnhGMm5oH2+KulIjescZp71Pnxw/Z:zH67oc//////wmUK1pW3LWCB
Malware Config
  (nothing extracted on this page)

Signatures
  ModiLoader, DBatLoader
    ModiLoader (also tracked as DBatLoader) is a Delphi loader that misuses cloud services to download other malware families.

  ACProtect 1.3x - 1.4x DLL software (5 IoCs)
    Detects a file protected with the ACProtect packer.
    yara_rule acprotect matched C:\Users\Admin\AppData\Local\Temp\ili7659.tmp
    All five IoCs are the same path; the report lists one entry per match on that file. ili7659.tmp is the only dropped file that never appears in the process tree, so it is the candidate for the "Loads dropped DLL" hits below.

  ModiLoader Second Stage (2 IoCs)
    yara_rule modiloader_stage2 matched C:\Users\Admin\AppData\Local\Temp\server.exe (listed twice)

  Executes dropped EXE (2 IoCs)
    PID 3784  列表生成.exe
    PID 3428  server.exe
    (列表生成.exe, "list generation", is shown by the sandbox as ÁбíÉú³É.exe: the GBK bytes of the filename rendered as Latin-1.)

  Loads dropped DLL (4 IoCs)
    PID 3784  列表生成.exe  (2 loads)
    PID 3428  server.exe     (2 loads)
    The report does not name the DLL.

  Drops file in Program Files directory (1 IoC)
    server.exe  File created  C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt
    The path is an 8.3 short name; on a default install it most likely expands to C:\Program Files\Common Files\Microsoft Shared\MSInfo\2010.txt. Both forms are worth adding as host IoCs, since the short form is what the process actually used.

  Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but that is a generic heuristic: nothing else in this report (no mass file writes, no encryption, no ransom note) supports ransomware, and the family verdict is a loader. Treat it as weak evidence on its own.

  Suspicious use of SetWindowsHookEx (1 IoC)
    PID 3784  列表生成.exe

  Suspicious use of WriteProcessMemory (14 IoCs)
    writer PID  writer image                     target PID  target image     events
    2768        1c1e16107acc...5dee4d.exe        4032        cmd.exe          3
    2768        1c1e16107acc...5dee4d.exe        3036        cmd.exe          3
    4032        cmd.exe                          3784        列表生成.exe      3
    3036        cmd.exe                          3428        server.exe       3
    3428        server.exe                       2256        IEXPLORE.EXE     2
    Every edge here is a parent writing into a child it has just created, which ordinary process creation also produces, so the first four rows are low-signal. The server.exe -> IEXPLORE.EXE writes are the ones to examine: a loader spawning a browser with no arguments and then writing into it is consistent with process hollowing, although this report does not show what was written.
Processes
  (PIDs are taken from the WriteProcessMemory signature above; indentation is parent/child depth)

  1. C:\Users\Admin\AppData\Local\Temp\1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe  (PID 2768)
     command line: "C:\Users\Admin\AppData\Local\Temp\1c1e16107acc19c75b8e9c902747a6dbf49fd9e698362573e1f17e5b3b5dee4d.exe"
       - Suspicious use of WriteProcessMemory

     2. C:\Windows\SysWOW64\cmd.exe  (PID 4032)
        command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\列表生成.exe"
          - Suspicious use of WriteProcessMemory

        3. C:\Users\Admin\AppData\Local\Temp\列表生成.exe  (PID 3784)
           command line: C:\Users\Admin\AppData\Local\Temp\列表生成.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - Suspicious use of SetWindowsHookEx

     2. C:\Windows\SysWOW64\cmd.exe  (PID 3036)
        command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\server.exe"
          - Suspicious use of WriteProcessMemory

        3. C:\Users\Admin\AppData\Local\Temp\server.exe  (PID 3428)
           command line: C:\Users\Admin\AppData\Local\Temp\server.exe
             - Executes dropped EXE
             - Loads dropped DLL
             - Drops file in Program Files directory
             - Suspicious use of WriteProcessMemory

           4. C:\program files\internet explorer\IEXPLORE.EXE  (PID 2256)
              command line: "C:\program files\internet explorer\IEXPLORE.EXE"

  Both dropped executables are launched through C:\Windows\SysWOW64\cmd.exe, i.e. the 32-bit cmd.exe, which matches the arch:x86 resource tag: the sample is a 32-bit binary running on a 64-bit guest. The filename the sandbox prints as ÁбíÉú³É.exe is the GBK-encoded name 列表生成.exe rendered as Latin-1; the Chinese name is what is on disk.
Network
  (no entries on this page)

MITRE ATT&CK Matrix (ATT&CK v6)
  (no entries on this page)
Downloads (dropped files; the report repeats each entry once per write, duplicates collapsed here)

  C:\Users\Admin\AppData\Local\Temp\ili7659.tmp  (listed 5 times)
    Filesize: 172KB
    MD5: 685f1cbd4af30a1d0c25f252d399a666
    SHA1: 6a1b978f5e6150b88c8634146f1406ed97d2f134
    SHA256: 0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4
    SHA512: 6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

  C:\Users\Admin\AppData\Local\Temp\server.exe  (listed 2 times)
    Filesize: 678KB
    MD5: 6adb5a299c5a8fe28e433831ae3656d2
    SHA1: 2b29580575dd3006da304682d09176fa99b45e36
    SHA256: 192ce7a670ce06f3644755d3156a92d62a292f44d8c327c590e193ef33df17b1
    SHA512: 252588ccc4e1928806af5e42e2f204b661651d7ca64a44224640ee559fe0e6be60820abea62c580a2916ae06fc114429bc47cfa2a30917bb29c11507edd3d37a

  C:\Users\Admin\AppData\Local\Temp\列表生成.exe  (shown by the sandbox as ÁбíÉú³É.exe; listed 2 times)
    Filesize: 1.3MB
    MD5: 8b8686b0102c444b5bdfa5a722edd236
    SHA1: b7af6290a9d670519bccf04361dc44c58577f6c8
    SHA256: 347bb189e99f31409bac69ed5ca91d6e87059f15378b1fff46b459083dc65d03
    SHA512: 57a3d7bf93e18e4a3a60dda3b258f716a5d6c7a201a9b7a27eada63e44a2591397553a708b48a0956686929aed804557e3a1ef86877814d7f1e9501060531790

  The three dropped files add up to roughly 2.15MB against a 2.3MB parent, consistent with all three being carried inside the sample rather than downloaded (no network entries appear on this page).
-
memory/3036-133-0x0000000000000000-mapping.dmp
-
memory/3428-148-0x00000000024E0000-0x0000000002553000-memory.dmpFilesize
460KB
-
memory/3428-147-0x00000000024E0000-0x0000000002553000-memory.dmpFilesize
460KB
-
memory/3428-137-0x0000000000000000-mapping.dmp
-
memory/3784-145-0x0000000000400000-0x0000000000526000-memory.dmpFilesize
1.1MB
-
memory/3784-146-0x00000000021A0000-0x0000000002213000-memory.dmpFilesize
460KB
-
memory/3784-134-0x0000000000000000-mapping.dmp
-
memory/3784-149-0x0000000000400000-0x0000000000526000-memory.dmpFilesize
1.1MB
-
memory/3784-150-0x00000000021A0000-0x0000000002213000-memory.dmpFilesize
460KB
-
memory/4032-132-0x0000000000000000-mapping.dmp
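The observation that PIDs 3784 and 3428 each hold a 0x73000-byte region at a non-image address is easy to miss in a flat list of dump names. The script below is an added example (not the sandbox's output) that parses the dump names listed above, groups them by PID, separates the mapping records from real regions, and flags any region size that recurs across different processes; it is the check that points at the two 460KB dumps for comparison. The naming convention <pid>-<seq>-<start>-<end>-memory.dmp is read off the entries on this page and is an assumption beyond them.

```python
"""Group sandbox memory-dump names by PID and flag equal-size regions across PIDs.

Added example for this report, not the sandbox's own tooling.  DUMPS is the
list of dump names from the report's memory section (constructed input,
copied from the report).  Assumed naming: <pid>-<seq>-<start>-<end>-memory.dmp
for a dumped region, <pid>-<seq>-0x0-mapping.dmp for a creation mapping.
"""
import re
from collections import defaultdict

DUMPS = """
memory/3036-133-0x0000000000000000-mapping.dmp
memory/3428-148-0x00000000024E0000-0x0000000002553000-memory.dmp
memory/3428-147-0x00000000024E0000-0x0000000002553000-memory.dmp
memory/3428-137-0x0000000000000000-mapping.dmp
memory/3784-145-0x0000000000400000-0x0000000000526000-memory.dmp
memory/3784-146-0x00000000021A0000-0x0000000002213000-memory.dmp
memory/3784-134-0x0000000000000000-mapping.dmp
memory/3784-149-0x0000000000400000-0x0000000000526000-memory.dmp
memory/3784-150-0x00000000021A0000-0x0000000002213000-memory.dmp
memory/4032-132-0x0000000000000000-mapping.dmp
"""

REGION_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)

IMAGE_BASE_32 = 0x400000  # default image base of a 32-bit PE


def parse_dumps(text: str):
    """Return {pid: {(start, end): [seq, ...]}}; mapping records are skipped."""
    regions = defaultdict(lambda: defaultdict(list))
    for token in text.split():
        m = REGION_RE.match(token)
        if not m:
            continue
        pid, seq = int(m[1]), int(m[2])
        start, end = int(m[3], 16), int(m[4], 16)
        regions[pid][(start, end)].append(seq)
    return regions


def same_size_regions(regions):
    """Map size -> [(pid, start, end)] for sizes that occur in more than one PID."""
    by_size = defaultdict(list)
    for pid, regs in regions.items():
        for start, end in regs:
            by_size[end - start].append((pid, start, end))
    return {
        size: hits
        for size, hits in by_size.items()
        if len({pid for pid, _, _ in hits}) > 1
    }


def summarize(text: str = DUMPS) -> list:
    """One line per distinct region, then one line per cross-PID size match."""
    regions = parse_dumps(text)
    lines = []
    for pid in sorted(regions):
        for (start, end), seqs in sorted(regions[pid].items()):
            kind = "image base" if start == IMAGE_BASE_32 else "non-image"
            lines.append(
                f"pid {pid}: 0x{start:X}-0x{end:X} size 0x{end - start:X} "
                f"dumped {len(seqs)}x [{kind}]"
            )
    for size, hits in sorted(same_size_regions(regions).items()):
        pids = ", ".join(str(pid) for pid, _, _ in sorted(hits))
        lines.append(f"size 0x{size:X} appears in pids {pids}: compare these dumps")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize()))
```

On this report the output is three region lines (one image-base region of 0x126000 bytes in 3784, one 0x73000 non-image region in each of 3784 and 3428) and a single cross-PID match on 0x73000, which is the pair to diff.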