Analysis
-
max time kernel: 163s
max time network: 50s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29-11-2022 08:11
-
Behavioral task: behavioral1
Sample: 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
Resource: win7-20220812-en
General
-
Target: 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
Size: 1.3MB
MD5: 4ea4b38cca339739e28e5021517dd0e4
SHA1: 03dfb91f6c383191c943ff9789b4691edefd563f
SHA256: 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9
SHA512: 95754b2eb9fb11a731c2e736afad9c21eeaee87463406006ef4a4d130446d5a53b5ee361a69b609df54104cd6d4a7c78975f5a70d23d51fb666cbea443471c40
SSDEEP: 24576:me7J0+7Vhd84h7Yif6QIMgwAOdo0HKI3R1roMgSmzLfA4VVRlpRx+s4aN:meV0+7NP911I7wRnOj3pRx1x
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windows_Defender.exe
Writing EnableLUA under HKLM needs an already-elevated token and the change only takes effect after a reboot, so this disables UAC prompting for later sessions rather than getting past an active prompt.
-
ModiLoader Second Stage 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x000000000055A000-memory.dmp | modiloader_stage2
behavioral1/memory/1728-58-0x0000000000400000-0x000000000055A000-memory.dmp | modiloader_stage2
behavioral1/memory/1072-63-0x0000000000400000-0x000000000055A000-memory.dmp | modiloader_stage2
behavioral1/memory/1072-64-0x0000000000400000-0x000000000055A000-memory.dmp | modiloader_stage2
behavioral1/memory/1072-65-0x0000000000400000-0x000000000055A000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1072 | Windows_Defender.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
1072 | Windows_Defender.exe
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Wine | Windows_Defender.exe
-
Themida (yara rule themida) 8 IoCs
The themida rule matches the in-memory image of both processes and the dropped file on disk. Themida is a commercial Windows software protector with built-in anti-debugging; the NtSetInformationThreadHideFromDebugger use listed below is consistent with that.
Processes:
resource | yara_rule
behavioral1/memory/1728-55-0x0000000000400000-0x000000000055A000-memory.dmp | themida
behavioral1/memory/1728-58-0x0000000000400000-0x000000000055A000-memory.dmp | themida
C:\Windows\Windows_Defender.exe | themida
behavioral1/memory/1072-60-0x0000000000400000-0x000000000055A000-memory.dmp | themida
C:\Windows\Windows_Defender.exe | themida
behavioral1/memory/1072-63-0x0000000000400000-0x000000000055A000-memory.dmp | themida
behavioral1/memory/1072-64-0x0000000000400000-0x000000000055A000-memory.dmp | themida
behavioral1/memory/1072-65-0x0000000000400000-0x000000000055A000-memory.dmp | themida
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | Windows_Defender.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows_Defender = "C:\\Windows\\Windows_Defender.exe" | Windows_Defender.exe
-
Checks whether UAC is enabled 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Windows_Defender.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windows_Defender.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
1072 | Windows_Defender.exe
-
Drops file in Windows directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Windows_Defender.exe | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
File opened for modification | C:\Windows\Windows_Defender.exe | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
File created | C:\Windows\ntdtcstp.dll | Windows_Defender.exe
File created | C:\Windows\cmsetac.dll | Windows_Defender.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description calls this likely ransomware behaviour, but it is a generic heuristic; nothing else in this report (no file encryption, no ransom note) points to ransomware.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
1072 | Windows_Defender.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe
Token: SeBackupPrivilege | 588 | vssvc.exe
Token: SeRestorePrivilege | 588 | vssvc.exe
Token: SeAuditPrivilege | 588 | vssvc.exe
Token: SeDebugPrivilege | 1072 | Windows_Defender.exe
Token: SeDebugPrivilege | 1072 | Windows_Defender.exe
The vssvc.exe entries belong to the Volume Shadow Copy service, a Windows system process that routinely enables backup and restore privileges; only the SeDebugPrivilege entries are attributable to the sample and its dropped copy.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process
1072 | Windows_Defender.exe
1072 | Windows_Defender.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | process | target process
PID 1728 wrote to memory of 1072 | 1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe | Windows_Defender.exe
PID 1728 wrote to memory of 1072 | 1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe | Windows_Defender.exe
PID 1728 wrote to memory of 1072 | 1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe | Windows_Defender.exe
PID 1728 wrote to memory of 1072 | 1728 | 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe | Windows_Defender.exe
-
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Windows_Defender.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe (PID 1728)
Command line: "C:\Users\Admin\AppData\Local\Temp\6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe"
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\Windows_Defender.exe (PID 1072, child of 1728)
  Command line: "C:\Windows\Windows_Defender.exe" \melt "C:\Users\Admin\AppData\Local\Temp\6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe"
  - UAC bypass
  - Executes dropped EXE
  - Deletes itself
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  The dropped copy is started with a \melt switch followed by the path of the original sample; together with the "Deletes itself" signature on this process, that indicates the copy removes the original from the Temp directory after relaunching from C:\Windows.
-
C:\Windows\system32\vssvc.exe (PID 588)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
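Detection logic over the registry and process-creation events this report lists, as an added example (it is not the sandbox's code and not the sample's). The event dicts are a constructed transcription of the report's own IoCs (same SID, PIDs and paths); their field names, the rule names and the `\melt` switch heuristic are this example's assumptions, not a sandbox export schema.

```python
"""Detection pass over sandbox-style registry and process-creation events.

Added example for this report, not code from the sandbox or from the sample.
EVENTS is a constructed, simplified transcription of the IoCs on this page;
the field names are this example's own assumption.
"""
import re

SID = "S-1-5-21-2292972927-2705560509-2768824231-1000"
HKLM = "\\REGISTRY\\MACHINE"
HKU = "\\REGISTRY\\USER\\" + SID
SAMPLE = "6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
DROPPED = "C:\\Windows\\Windows_Defender.exe"
UAC_POLICY_KEY = HKLM + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

EVENTS = [  # constructed from the report's IoCs, in report order
    {"type": "reg_query", "pid": 1728, "key": UAC_POLICY_KEY, "value": "EnableLUA"},
    {"type": "reg_open", "pid": 1728, "key": HKU + "\\Software\\Wine"},
    {"type": "proc_create", "pid": 1072, "ppid": 1728, "image": DROPPED,
     "cmdline": '"' + DROPPED + '" \\melt "' + SAMPLE_PATH + '"'},
    {"type": "reg_set", "pid": 1072, "key": UAC_POLICY_KEY,
     "value": "EnableLUA", "data": 0},
    {"type": "reg_set", "pid": 1072,
     "key": HKU + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Windows_Defender", "data": DROPPED},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
WINE_KEY_RE = re.compile(r"\\Software\\Wine$", re.I)
# An .exe sitting directly in C:\Windows (not a subdirectory) is where the
# report's dropped copy lives; legitimate third-party software rarely installs there.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.I)
# Assumed loader convention: "\melt <path>" names the original file to delete.
MELT_ARG_RE = re.compile(r'\\melt\s+"([^"]+)"')


def detect(events):
    """Return (rule, pid, detail) tuples, one per matching event."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "reg_set":
            if (ev["key"].lower() == UAC_POLICY_KEY.lower()
                    and ev["value"].lower() == "enablelua" and ev.get("data") == 0):
                findings.append(("uac_disabled", ev["pid"],
                                 "EnableLUA=0 under HKLM: UAC prompting off after reboot"))
            elif RUN_KEY_RE.search(ev["key"]):
                target = str(ev.get("data", ""))
                detail = ev["value"] + " -> " + target
                if WINDOWS_ROOT_EXE_RE.match(target):
                    detail += " (autostart target placed directly in the Windows directory)"
                findings.append(("run_key_persistence", ev["pid"], detail))
        elif kind == "reg_open" and WINE_KEY_RE.search(ev["key"]):
            findings.append(("wine_sandbox_check", ev["pid"], ev["key"]))
        elif kind == "proc_create":
            melt = MELT_ARG_RE.search(ev["cmdline"])
            if melt and WINDOWS_ROOT_EXE_RE.match(ev["image"]):
                findings.append(("self_copy_melt", ev["pid"],
                                 "copy in Windows dir told to remove " + melt.group(1)))
    return findings


def rules_by_pid(findings):
    """Group rule names per PID, to see which process did what."""
    out = {}
    for rule, pid, _ in findings:
        out.setdefault(pid, []).append(rule)
    return out


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"[{rule}] pid={pid}: {detail}")
```

Run against the constructed events, the pass attributes the Wine check to the original sample (PID 1728) and the UAC policy change, Run-key persistence and melt-relaunch to the dropped copy (PID 1072), matching the split the process tree above shows. On a real telemetry feed the same four checks map onto Sysmon event IDs 1 (process creation) and 12/13 (registry key and value events).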
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Windows_Defender.exe
Filesize: 1.3MB
MD5: 4ea4b38cca339739e28e5021517dd0e4
SHA1: 03dfb91f6c383191c943ff9789b4691edefd563f
SHA256: 6bf70f86f383ccb5b95d6ad30069a14e76cd8c40910b7e57093fc4d2296ef7b9
SHA512: 95754b2eb9fb11a731c2e736afad9c21eeaee87463406006ef4a4d130446d5a53b5ee361a69b609df54104cd6d4a7c78975f5a70d23d51fb666cbea443471c40
(Listed twice in the original report, once per file event, with identical values. The hashes equal those of the submitted sample, so the dropped file is a byte-for-byte copy of it and introduces no new hash to blocklist.)
-
memory/1072-56-0x0000000000000000-mapping.dmp
-
memory/1072-60-0x0000000000400000-0x000000000055A000-memory.dmp
Filesize: 1.4MB
-
memory/1072-62-0x0000000004730000-0x000000000473E000-memory.dmp
Filesize: 56KB
-
memory/1072-63-0x0000000000400000-0x000000000055A000-memory.dmp
Filesize: 1.4MB
-
memory/1072-64-0x0000000000400000-0x000000000055A000-memory.dmp
Filesize: 1.4MB
-
memory/1072-65-0x0000000000400000-0x000000000055A000-memory.dmp
Filesize: 1.4MB
-
memory/1728-54-0x0000000076091000-0x0000000076093000-memory.dmpFilesize
Filesize: 8KB
-
memory/1728-55-0x0000000000400000-0x000000000055A000-memory.dmp
Filesize: 1.4MB
-
memory/1728-58-0x0000000000400000-0x000000000055A000-memory.dmp
Filesize: 1.4MB
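A small parser for the memory-dump names in the list above, added here as an example (not part of the sandbox report). It recovers PID, sequence number and address range from each name, reproduces the report's size labels, and shows that the 0x400000-0x55A000 range was dumped from both PID 1728 and PID 1072: the dropped file is an identical copy of the sample, so both processes map the same image at the same base, which is why the modiloader_stage2 and themida rules fire on dumps from both. The name format is taken from the entries on this page; treating it as a general pattern is this example's assumption.

```python
"""Parse sandbox memory-dump names and correlate address ranges across PIDs.

Added example, not code from the sandbox report. DUMPS is copied from the
Downloads list on this page; the regex generalises the naming pattern seen
there (an assumption of this example).
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-"
    r"(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)

DUMPS = [
    "memory/1072-56-0x0000000000000000-mapping.dmp",
    "memory/1072-60-0x0000000000400000-0x000000000055A000-memory.dmp",
    "memory/1072-62-0x0000000004730000-0x000000000473E000-memory.dmp",
    "memory/1072-63-0x0000000000400000-0x000000000055A000-memory.dmp",
    "memory/1072-64-0x0000000000400000-0x000000000055A000-memory.dmp",
    "memory/1072-65-0x0000000000400000-0x000000000055A000-memory.dmp",
    "memory/1728-54-0x0000000076091000-0x0000000076093000-memory.dmp",
    "memory/1728-55-0x0000000000400000-0x000000000055A000-memory.dmp",
    "memory/1728-58-0x0000000000400000-0x000000000055A000-memory.dmp",
]


def parse_dump(name):
    """Split a dump name into pid, sequence number and address range.

    A '-mapping.dmp' entry carries only a start address (0 here) and no end,
    so its size is None.
    """
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError("not a sandbox dump name: " + name)
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def human_size(n):
    """Format like the report's labels: 8192 -> '8KB', 1417216 -> '1.4MB'."""
    if n >= 1024 * 1024:
        return f"{n / (1024 * 1024):.1f}MB"
    return f"{n // 1024}KB"


def shared_regions(names):
    """Address ranges dumped from more than one process -> sorted PID list."""
    seen = {}
    for d in map(parse_dump, names):
        if d["end"] is None:
            continue
        seen.setdefault((d["start"], d["end"]), set()).add(d["pid"])
    return {rng: sorted(pids) for rng, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    for name in DUMPS:
        d = parse_dump(name)
        size = human_size(d["size"]) if d["size"] is not None else "n/a"
        rng_end = f"0x{d['end']:X}" if d["end"] is not None else "mapping"
        print(f"pid {d['pid']} seq {d['seq']:>2} 0x{d['start']:X}-{rng_end} {size}")
    for (lo, hi), pids in shared_regions(DUMPS).items():
        print(f"0x{lo:X}-0x{hi:X} ({human_size(hi - lo)}) dumped from PIDs {pids}")
```

The 0x400000-0x55A000 region is 0x15A000 bytes, which is the "1.4MB" the report prints for every dump of it; the 0x4730000-0x473E000 dump (56KB) appears only in the child and is the one region worth pulling first when looking for the loader's decrypted second-stage configuration.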