Analysis
-
max time kernel
157s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
01/12/2022, 09:16
General
-
Target
411c10491ceca5febe92be42ce2fbb3110ad8330d13a9d354c2f3bbbca4b070e.exe
-
Size
113KB
-
MD5
27eb476837647fc82c8b7da199d45bf0
-
SHA1
a346e377217b892ef1676f6d15979908568628dd
-
SHA256
411c10491ceca5febe92be42ce2fbb3110ad8330d13a9d354c2f3bbbca4b070e
-
SHA512
6e9cc27a5861b6479e1e7ec45cdb63557df3a9b53e76f4a8c511425419f6b3f8f77f3a2fe64f6e827f75a817b370bb618cad4240239ca4352cbd1820e833c9a3
-
SSDEEP
3072:o1+MJKrUnFYY5z1i0Nmbi5fJBN7yEf9Sout:QIrPj0NmWtN7yEf0oS
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 1 IoCs
-
ModiLoader Second Stage 4 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\411c10491ceca5febe92be42ce2fbb3110ad8330d13a9d354c2f3bbbca4b070e.exe"C:\Users\Admin\AppData\Local\Temp\411c10491ceca5febe92be42ce2fbb3110ad8330d13a9d354c2f3bbbca4b070e.exe"1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD508dfe4418903f277edc77e5ce4154f2d
SHA1606072fcad6841e73c884c88ec6ca050d6505bd1
SHA2565f8888eee8356b2c8d48b92dec0629843ceb7f57d5bd3f0f4e594d51e47ef4fb
SHA5120ad7c203c1eec1d4127b6d67f9fdab7b6073f3f7faba9de0014c9a33e92ee7aad9f306bb4dcc4a36c342553e23913b73d50fdad390cb3970d21893039f4de232
-
Filesize
32KB
MD508dfe4418903f277edc77e5ce4154f2d
SHA1606072fcad6841e73c884c88ec6ca050d6505bd1
SHA2565f8888eee8356b2c8d48b92dec0629843ceb7f57d5bd3f0f4e594d51e47ef4fb
SHA5120ad7c203c1eec1d4127b6d67f9fdab7b6073f3f7faba9de0014c9a33e92ee7aad9f306bb4dcc4a36c342553e23913b73d50fdad390cb3970d21893039f4de232
-
Filesize
113KB
MD527eb476837647fc82c8b7da199d45bf0
SHA1a346e377217b892ef1676f6d15979908568628dd
SHA256411c10491ceca5febe92be42ce2fbb3110ad8330d13a9d354c2f3bbbca4b070e
SHA5126e9cc27a5861b6479e1e7ec45cdb63557df3a9b53e76f4a8c511425419f6b3f8f77f3a2fe64f6e827f75a817b370bb618cad4240239ca4352cbd1820e833c9a3
-
Filesize
113KB
MD527eb476837647fc82c8b7da199d45bf0
SHA1a346e377217b892ef1676f6d15979908568628dd
SHA256411c10491ceca5febe92be42ce2fbb3110ad8330d13a9d354c2f3bbbca4b070e
SHA5126e9cc27a5861b6479e1e7ec45cdb63557df3a9b53e76f4a8c511425419f6b3f8f77f3a2fe64f6e827f75a817b370bb618cad4240239ca4352cbd1820e833c9a3
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
Filesize
7KB
MD567587e25a971a141628d7f07bd40ffa0
SHA176fcd014539a3bb247cc0b761225f68bd6055f6b
SHA256e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
SHA5126e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
-
Filesize
56KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
320KB