Analysis
- max time kernel: 160s
- max time network: 173s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 22:28
Static task: static1
Behavioral task: behavioral1
- Sample: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- Resource: win10v2004-20220812-en
General
- Target: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- Size: 173KB
- MD5: 12b93bfce82eef65ae7fe39bf1177ec6
- SHA1: db3889b2617237d0f8c6b0f326c78af2ccb2658e
- SHA256: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347
- SHA512: 54f509bc15c97e8de83d902dee5ff78b8ae1900bcfd77b29796df56c80e7b649507b6d8eca21ee573781af432535b620eaf0bf67344008001e556dcf7db46aec
- SSDEEP: 3072:UyXo1wdb0+Th7Qbvmron2kuF0uhbEeYkAk1UFEpmHe05P4ekCMaSZwGD:Uy4mwKh7Gvmr1F7hoeFUFEcDPDkCJSCO
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (mstwain32.exe)
ModiLoader Second Stage (3 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/276-65-0x0000000000400000-0x0000000000450000-memory.dmp: modiloader_stage2
- behavioral1/memory/2000-67-0x0000000000400000-0x0000000000450000-memory.dmp: modiloader_stage2
- behavioral1/memory/2000-68-0x0000000000400000-0x0000000000450000-memory.dmp: modiloader_stage2
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- PID 276: Copy of Others.mp3.exe
- PID 2000: mstwain32.exe
Processes (resource, yara_rule):
- C:\Windows\Copy of Others.mp3.exe: upx
- C:\Windows\Copy of Others.mp3.exe: upx
- behavioral1/memory/276-65-0x0000000000400000-0x0000000000450000-memory.dmp: upx
- C:\Windows\mstwain32.exe: upx
- behavioral1/memory/2000-67-0x0000000000400000-0x0000000000450000-memory.dmp: upx
- behavioral1/memory/2000-68-0x0000000000400000-0x0000000000450000-memory.dmp: upx
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (mstwain32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" (mstwain32.exe)
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Copy of Others.mp3.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (mstwain32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (mstwain32.exe)
Drops file in Windows directory (5 IoCs)
Processes (description, ioc, process):
- File opened for modification C:\Windows\Copy of Others.mp3.exe (d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe)
- File created C:\Windows\mstwain32.exe (Copy of Others.mp3.exe)
- File opened for modification C:\Windows\mstwain32.exe (Copy of Others.mp3.exe)
- File created C:\Windows\ntdtcstp.dll (mstwain32.exe)
- File created C:\Windows\cmsetac.dll (mstwain32.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 276 (Copy of Others.mp3.exe)
- Token: SeDebugPrivilege, PID 2000 (mstwain32.exe)
- Token: SeDebugPrivilege, PID 2000 (mstwain32.exe)
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid, process):
- PID 1668: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- PID 2000: mstwain32.exe
- PID 2000: mstwain32.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description, pid, process, target process):
- PID 1668 (d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe) wrote to memory of PID 276 (Copy of Others.mp3.exe)
- PID 1668 (d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe) wrote to memory of PID 276 (Copy of Others.mp3.exe)
- PID 1668 (d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe) wrote to memory of PID 276 (Copy of Others.mp3.exe)
- PID 1668 (d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe) wrote to memory of PID 276 (Copy of Others.mp3.exe)
- PID 276 (Copy of Others.mp3.exe) wrote to memory of PID 2000 (mstwain32.exe)
- PID 276 (Copy of Others.mp3.exe) wrote to memory of PID 2000 (mstwain32.exe)
- PID 276 (Copy of Others.mp3.exe) wrote to memory of PID 2000 (mstwain32.exe)
- PID 276 (Copy of Others.mp3.exe) wrote to memory of PID 2000 (mstwain32.exe)
System policy modification (1 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (mstwain32.exe)
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe"
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Depth 2: C:\Windows\Copy of Others.mp3.exe
Command line: "C:\Windows\Copy of Others.mp3.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Depth 3: C:\Windows\mstwain32.exe
Command line: "C:\Windows\mstwain32.exe"
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\Copy of Others.mp3.exe
  Filesize: 111KB
  MD5: b6a7e40f872ed20cca333c408879da88
  SHA1: 6905e676bf08e445d2be3afe13d550ccdf10e429
  SHA256: 24bc14dd00b7f537d37f9227056cc1f5983f0caf28bf69076be078b657fc07b3
  SHA512: 792e7c2347b76f80971935fa44e68059633d66bd5bae2d1a95e9f531398b0b6f853b4f9396c26d335f710a018536be5adbab6a217cf579ed218685b009ff20c7
- C:\Windows\mstwain32.exe
  Filesize: 111KB
  MD5: b6a7e40f872ed20cca333c408879da88
  SHA1: 6905e676bf08e445d2be3afe13d550ccdf10e429
  SHA256: 24bc14dd00b7f537d37f9227056cc1f5983f0caf28bf69076be078b657fc07b3
  SHA512: 792e7c2347b76f80971935fa44e68059633d66bd5bae2d1a95e9f531398b0b6f853b4f9396c26d335f710a018536be5adbab6a217cf579ed218685b009ff20c7
- memory/276-57-0x0000000000000000-mapping.dmp
- memory/276-65-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/276-63-0x0000000000530000-0x000000000053D000-memory.dmp
  Filesize: 52KB
- memory/1668-56-0x0000000075241000-0x0000000075243000-memory.dmp
  Filesize: 8KB
- memory/2000-61-0x0000000000000000-mapping.dmp
- memory/2000-66-0x0000000000790000-0x000000000079E000-memory.dmp
  Filesize: 56KB
- memory/2000-67-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
- memory/2000-68-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB