Analysis
- max time kernel: 150s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 22:28
Static task: static1
Behavioral task: behavioral1
- Sample: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- Resource: win10v2004-20220812-en
The signatures, process tree and dumps on this page come from behavioral2 (win10v2004-20220812-en); every memory resource below is tagged behavioral2, and the win7 run is not shown here.
General
- Target: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
- Size: 173KB
- MD5: 12b93bfce82eef65ae7fe39bf1177ec6
- SHA1: db3889b2617237d0f8c6b0f326c78af2ccb2658e
- SHA256: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347
- SHA512: 54f509bc15c97e8de83d902dee5ff78b8ae1900bcfd77b29796df56c80e7b649507b6d8eca21ee573781af432535b620eaf0bf67344008001e556dcf7db46aec
- SSDEEP: 3072:UyXo1wdb0+Th7Qbvmron2kuF0uhbEeYkAk1UFEpmHe05P4ekCMaSZwGD:Uy4mwKh7Gvmr1F7hoeFUFEcDPDkCJSCO
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 1 IoCs
Sets EnableLUA to 0. This does not bypass a UAC prompt; it switches User Account Control off for the whole machine, and the change takes effect at the next logon or reboot, so it prepares later sessions rather than the current one.
Processes: mstwain32.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
ModiLoader Second Stage 3 IoCs
Processes: Copy of Others.mp3.exe (PID 4832), mstwain32.exe (PID 4808)
  resource | yara_rule
  behavioral2/memory/4832-141-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
  behavioral2/memory/4808-147-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
  behavioral2/memory/4808-148-0x0000000000400000-0x0000000000450000-memory.dmp | modiloader_stage2
-
Executes dropped EXE 2 IoCs
Processes: Copy of Others.mp3.exe, mstwain32.exe
  pid | process
  4832 | Copy of Others.mp3.exe
  4808 | mstwain32.exe
-
Packed with UPX (yara rule upx) 8 IoCs
Both dropped executables on disk and the image region at 0x400000 in each child process match the upx rule.
  resource | yara_rule
  C:\Windows\Copy of Others.mp3.exe | upx
  behavioral2/memory/4832-137-0x0000000000400000-0x0000000000450000-memory.dmp | upx
  C:\Windows\Copy of Others.mp3.exe | upx
  C:\Windows\mstwain32.exe | upx
  behavioral2/memory/4832-141-0x0000000000400000-0x0000000000450000-memory.dmp | upx
  C:\Windows\mstwain32.exe | upx
  behavioral2/memory/4808-147-0x0000000000400000-0x0000000000450000-memory.dmp | upx
  behavioral2/memory/4808-148-0x0000000000400000-0x0000000000450000-memory.dmp | upx
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Processes: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe, Copy of Others.mp3.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | Copy of Others.mp3.exe
-
Loads dropped DLL 4 IoCs
Processes: mstwain32.exe
  pid | process
  4808 | mstwain32.exe
  4808 | mstwain32.exe
  4808 | mstwain32.exe
  4808 | mstwain32.exe
Adds Run key to start application 2 TTPs 2 IoCs
Processes: mstwain32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ | mstwain32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" | mstwain32.exe
The persistence entry lives in the user hive (HKCU\...\Run) while the binary it points to sits in C:\Windows, so a host check needs both the per-user Run value and the file.
-
Checks whether UAC is enabled 3 IoCs
Processes: Copy of Others.mp3.exe, mstwain32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Copy of Others.mp3.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mstwain32.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
-
Drops file in Windows directory 5 IoCs
Writing to C:\Windows requires an elevated token; the sample ran as the sandbox's Admin user and these writes succeeded.
Processes: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe, Copy of Others.mp3.exe, mstwain32.exe
  description | ioc | process
  File opened for modification | C:\Windows\Copy of Others.mp3.exe | d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
  File created | C:\Windows\mstwain32.exe | Copy of Others.mp3.exe
  File opened for modification | C:\Windows\mstwain32.exe | Copy of Others.mp3.exe
  File created | C:\Windows\ntdtcstp.dll | mstwain32.exe
  File created | C:\Windows\cmsetac.dll | mstwain32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for a loader it is more plausibly ordinary drive enumeration, and no file-encryption activity appears elsewhere in this report.
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: Copy of Others.mp3.exe, mstwain32.exe
  description | pid | process
  Token: SeDebugPrivilege | 4832 | Copy of Others.mp3.exe
  Token: SeDebugPrivilege | 4808 | mstwain32.exe
  Token: SeDebugPrivilege | 4808 | mstwain32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe, mstwain32.exe
  pid | process
  1688 | d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe
  4808 | mstwain32.exe
  4808 | mstwain32.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Each parent writes into the child it has just created. Such writes also occur during normal process start-up (CreateProcess writes the child's process parameters), so this signature alone does not establish code injection.
Processes: d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe, Copy of Others.mp3.exe
  description | pid | process | target process
  PID 1688 wrote to memory of 4832 | 1688 | d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe | Copy of Others.mp3.exe
  PID 1688 wrote to memory of 4832 | 1688 | d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe | Copy of Others.mp3.exe
  PID 1688 wrote to memory of 4832 | 1688 | d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe | Copy of Others.mp3.exe
  PID 4832 wrote to memory of 4808 | 4832 | Copy of Others.mp3.exe | mstwain32.exe
  PID 4832 wrote to memory of 4808 | 4832 | Copy of Others.mp3.exe | mstwain32.exe
  PID 4832 wrote to memory of 4808 | 4832 | Copy of Others.mp3.exe | mstwain32.exe
-
System policy modification 1 TTPs 1 IoCs
Processes: mstwain32.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | mstwain32.exe
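To show how the signature rows above turn into detections, here is an added example (it is not part of the sandbox report): a small Python parser for the registry/file IoC rows that applies four rules: EnableLUA set to 0, a value written under a Run key, an executable written below C:\Windows, and the Geo\Nation lookup. The sample rows are copied from the signatures above; the row layout it assumes, the rule names and severities, and the ATT&CK ids (T1548.002 and T1547.001, current ids rather than the v6 matrix the report references) are this example's own assumptions.

```python
"""Parse sandbox IoC rows (registry and file events) into triage findings."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Process names that appear in this report. The sandbox prints the responsible
# process as the last column of each row, and one name contains spaces, so the
# process column is split off by known-name suffix rather than by whitespace.
KNOWN_PROCESSES = (
    "d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe",
    "Copy of Others.mp3.exe",
    "mstwain32.exe",
)

# Constructed input: registry and file IoC rows copied from the signatures above.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" mstwain32.exe',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Copy of Others.mp3.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Copy of Others.mp3.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ mstwain32.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe" mstwain32.exe',
    r'File created C:\Windows\mstwain32.exe Copy of Others.mp3.exe',
    r'File created C:\Windows\ntdtcstp.dll mstwain32.exe',
    r'File created C:\Windows\cmsetac.dll mstwain32.exe',
    r'File opened for modification C:\Windows\Copy of Others.mp3.exe d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe',
]

# Description-column prefixes used by the rows above (assumed layout).
ACTIONS = (
    "Set value (int)", "Set value (str)", "Key value queried", "Key created",
    "File created", "File opened for modification",
)


@dataclass(frozen=True)
class Event:
    action: str           # description column, e.g. "Set value (int)"
    target: str           # registry key/value path or file path
    value: Optional[str]  # data written; only present for "Set value" rows
    process: str          # process responsible for the action


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def _split_process(row: str):
    """Strip the trailing process column using the known-name list."""
    for name in sorted(KNOWN_PROCESSES, key=len, reverse=True):
        if row.endswith(" " + name):
            return row[: -len(name) - 1], name
    raise ValueError(f"no known process at end of row: {row!r}")


def parse_row(row: str) -> Event:
    body, process = _split_process(row)
    for action in ACTIONS:
        if body.startswith(action + " "):
            rest = body[len(action) + 1:]
            break
    else:
        raise ValueError(f"unrecognised action in row: {row!r}")
    value = None
    if action.startswith("Set value"):
        # "Set value" rows look like: <key\value> = "<data>"
        m = re.fullmatch(r'(.+) = "(.*)"', rest)
        if m is None:
            raise ValueError(f"malformed Set value row: {row!r}")
        rest, value = m.group(1), m.group(2)
    return Event(action, rest, value, process)


def evaluate(events) -> List[Finding]:
    """Apply the four rules; names, severities and ATT&CK ids are this example's."""
    findings: List[Finding] = []
    for ev in events:
        t = ev.target.lower()
        is_set = ev.action.startswith("Set value")
        if is_set and t.endswith("\\policies\\system\\enablelua") and ev.value == "0":
            findings.append(Finding("UAC disabled (EnableLUA=0, T1548.002)", "high", ev.process, ev.target))
        elif is_set and "\\currentversion\\run\\" in t:
            findings.append(Finding("Run key persistence (T1547.001)", "high", ev.process, f"{ev.target} = {ev.value}"))
        elif (ev.action in ("File created", "File opened for modification")
              and t.startswith("c:\\windows\\") and t.endswith((".exe", ".dll"))):
            findings.append(Finding("Executable written to Windows directory", "medium", ev.process, ev.target))
        elif ev.action == "Key value queried" and t.endswith("\\geo\\nation"):
            findings.append(Finding("Geolocation check (Geo\\Nation)", "low", ev.process, ev.target))
    return findings


def triage(rows) -> List[Finding]:
    return evaluate(parse_row(r) for r in rows)


if __name__ == "__main__":
    for f in triage(SAMPLE_IOCS):
        print(f"[{f.severity:6}] {f.rule:45} {f.process}: {f.detail}")
```

Run against the rows above this yields seven findings: the EnableLUA write and the Run value (both attributed to mstwain32.exe), the Geo\Nation lookup, and four executables written under C:\Windows. The "Key value queried ...EnableLUA" and "Key created ...\Run\" rows produce no finding on their own; they only become interesting once the matching write is seen, which is why the rules key on the write rather than the read.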
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe (PID 1688)
  command line: "C:\Users\Admin\AppData\Local\Temp\d4f856a473edf29a1c2eb2718755bbe3c7fcc928db6984f00d04030b44255347.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\Copy of Others.mp3.exe (PID 4832, spawned by PID 1688)
    command line: "C:\Windows\Copy of Others.mp3.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    └ C:\Windows\mstwain32.exe (PID 4808, spawned by PID 4832)
      command line: "C:\Windows\mstwain32.exe"
      - UAC bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\Copy of Others.mp3.exe
- Filesize: 111KB
- MD5: b6a7e40f872ed20cca333c408879da88
- SHA1: 6905e676bf08e445d2be3afe13d550ccdf10e429
- SHA256: 24bc14dd00b7f537d37f9227056cc1f5983f0caf28bf69076be078b657fc07b3
- SHA512: 792e7c2347b76f80971935fa44e68059633d66bd5bae2d1a95e9f531398b0b6f853b4f9396c26d335f710a018536be5adbab6a217cf579ed218685b009ff20c7
-
C:\Windows\cmsetac.dll
- Filesize: 33KB
- MD5: fa880f8e06dc439b0118acf58849d8eb
- SHA1: dd3c2ad333468488facbad9fe72ef1b13c1d1f54
- SHA256: b74b9f32fcbd8f48d98bb875587b1f6124588323d17e204b5536f8c11509f55d
- SHA512: 91804ad22c287f0eb01f89de104a2e620b35868f13fa41371b374694b39c209842fb5936e2724b21c585eb0ef3602bc82a48334502740215b7dbb8af9917d059
-
C:\Windows\mstwain32.exe
- Filesize: 111KB
- MD5: b6a7e40f872ed20cca333c408879da88
- SHA1: 6905e676bf08e445d2be3afe13d550ccdf10e429
- SHA256: 24bc14dd00b7f537d37f9227056cc1f5983f0caf28bf69076be078b657fc07b3
- SHA512: 792e7c2347b76f80971935fa44e68059633d66bd5bae2d1a95e9f531398b0b6f853b4f9396c26d335f710a018536be5adbab6a217cf579ed218685b009ff20c7
- Note: every hash matches C:\Windows\Copy of Others.mp3.exe, so mstwain32.exe is a byte-identical copy of the second stage written under a new name by Copy of Others.mp3.exe; one hash-based detection covers both paths.
-
C:\Windows\ntdtcstp.dll
- Filesize: 7KB
- MD5: 67587e25a971a141628d7f07bd40ffa0
- SHA1: 76fcd014539a3bb247cc0b761225f68bd6055f6b
- SHA256: e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378
- SHA512: 6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350
memory/4808-138-0x0000000000000000-mapping.dmp
-
memory/4808-146-0x0000000003080000-0x000000000308E000-memory.dmp
- Filesize: 56KB
-
memory/4808-147-0x0000000000400000-0x0000000000450000-memory.dmp
- Filesize: 320KB
-
memory/4808-148-0x0000000000400000-0x0000000000450000-memory.dmp
- Filesize: 320KB
-
memory/4832-141-0x0000000000400000-0x0000000000450000-memory.dmp
- Filesize: 320KB
-
memory/4832-137-0x0000000000400000-0x0000000000450000-memory.dmp
- Filesize: 320KB
-
memory/4832-134-0x0000000000000000-mapping.dmp