Analysis
max time kernel: 91s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 22:53
Static task: static1
Behavioral task: behavioral1
  Sample: eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Resource: win10v2004-20220812-en
General
Target: eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Size: 836KB
MD5: 40bb425dbec19f1ef5f7b61b35a82267
SHA1: 5e14bdba8cf01d123f2a711d3e8a595837eb69db
SHA256: eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5
SHA512: 9219892ca4298ad19ce285e73f3af6b756e429e98b315d0f51de093db821e041f46adc8adcbc65ecee326abddff7c7a2db8069780e0019f13a2c3bae7912ee34
SSDEEP: 12288:i/WNzAAmk+aiptW5v9edN1gFAbdYeqO+sMraahnk:i/WhLB+qI+vLraUn
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 2 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4868-144-0x0000000000402000-0x0000000000403000-memory.dmp | modiloader_stage2
  behavioral2/memory/4868-155-0x0000000000400000-0x0000000000503000-memory.dmp | modiloader_stage2
Executes dropped EXE 2 IoCs
Processes:
  pid | process
  1652 | bio 1.5.exe
  4500 | wmplayer.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | wmplayer.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | bio 1.5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "c:\\windows\\system\\Update.exe" | bio 1.5.exe
  Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | bio 1.5.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updates = "c:\\windows\\system\\Update.exe" | bio 1.5.exe
Drops file in System32 directory 2 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\SysWOW64\bio 1.5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  File opened for modification | C:\WINDOWS\SysWOW64\MSWINSCK.OCX | bio 1.5.exe
Drops file in Windows directory 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | \??\c:\windows\system\Update.exe | bio 1.5.exe
  File created | \??\c:\windows\system\Update.exe | bio 1.5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 17 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\VersionIndependentProgID | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgID | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\LocalServer32 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\AppID = "{03837503-098b-11d8-9414-505054503030}" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ProgID\ = "PLA.SystemDataCollectorSetCollection.1" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\TypeLib | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652} | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\InprocServer32\ThreadingModel = "both" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Version | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\Version\ = "1.0" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\VersionIndependentProgID\ = "PLA.SystemDataCollectorSetCollection" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3571969E-C383-C239-1526-065215260652}\ = "SystemDataCollectorSetCollection" | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: 33 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Token: SeIncBasePriorityPrivilege | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Token: 33 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  Token: SeIncBasePriorityPrivilege | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
  pid | process
  1652 | bio 1.5.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
  description | pid | process | target process
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4800 wrote to memory of 4868 | 4800 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
  PID 4868 wrote to memory of 1652 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | bio 1.5.exe
  PID 4868 wrote to memory of 1652 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | bio 1.5.exe
  PID 4868 wrote to memory of 1652 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | bio 1.5.exe
  PID 4868 wrote to memory of 4500 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | wmplayer.exe
  PID 4868 wrote to memory of 4500 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | wmplayer.exe
  PID 4868 wrote to memory of 4500 | 4868 | eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe | wmplayer.exe
  PID 4500 wrote to memory of 4916 | 4500 | wmplayer.exe | setup_wm.exe
  PID 4500 wrote to memory of 4916 | 4500 | wmplayer.exe | setup_wm.exe
  PID 4500 wrote to memory of 4916 | 4500 | wmplayer.exe | setup_wm.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\eeae476fe174b9f3b86a615884e7c3316d93fa02dc23206938829150218135d5.exe"
      - Checks BIOS information in registry
      - Checks computer location settings
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\bio 1.5.exe
         Command line: "C:\Windows\System32\bio 1.5.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Drops file in System32 directory
         - Drops file in Windows directory
         - Suspicious use of SetWindowsHookEx
      3. C:\Users\Admin\Desktop\wmplayer.exe
         Command line: "C:\Users\Admin\Desktop\wmplayer.exe"
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Windows Media Player\setup_wm.exe
            Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Users\Admin\Desktop\wmplayer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\Desktop\wmplayer.exe
  Filesize: 165KB
  MD5: be70ddf93f5e8ca9da13cbc6f849808c
  SHA1: 1a814be53ecc686bdaeecf0e196c7ce8bece59b1
  SHA256: 194848d31a217a1115ba7211228c30750ea22a280d8c3ec285e91590b6f6e8ff
  SHA512: 6063e5ab4c38aeda0149e3525302cff1eccee852becaf1c1ef726a21a86cc3f93d4dfff69a4f66f78fb15419916d78109db6c567480810b59ff2dcd79ece5af7
C:\Windows\SysWOW64\bio 1.5.exe
  Filesize: 220KB
  MD5: 7527996f8b993998f82c44d886d1d2d9
  SHA1: 7edc3c99e1c3885fc7196b3da8a37921d3ee7087
  SHA256: 9bec4d99aa3fc7dbb6d7f430265a2665b96a29b735bed81cb4647baa74e55aab
  SHA512: 6269fd44ed1feacdabe060499a0d8000f695a9462724149865d59a8fa23fa0e8a70c2efa705f60088fa15cb640012186bd4540c58751cc81fb0cd4403798ef24
memory/1652-147-0x0000000000000000-mapping.dmp
memory/4500-151-0x0000000000000000-mapping.dmp
memory/4800-154-0x0000000000400000-0x0000000000503000-memory.dmp (Filesize: 1.0MB)
memory/4800-132-0x0000000000400000-0x0000000000503000-memory.dmp (Filesize: 1.0MB)
memory/4868-142-0x0000000001FC1000-0x000000000202E000-memory.dmp (Filesize: 436KB)
memory/4868-146-0x0000000000403000-0x0000000000404000-memory.dmp (Filesize: 4KB)
memory/4868-143-0x0000000000401000-0x0000000000404000-memory.dmp (Filesize: 12KB)
memory/4868-145-0x0000000000401000-0x0000000000402000-memory.dmp (Filesize: 4KB)
memory/4868-144-0x0000000000402000-0x0000000000403000-memory.dmp (Filesize: 4KB)
memory/4868-137-0x0000000001FC0000-0x0000000002054000-memory.dmp (Filesize: 592KB)
memory/4868-136-0x0000000000400000-0x0000000000503000-memory.dmp (Filesize: 1.0MB)
memory/4868-134-0x0000000000000000-mapping.dmp
memory/4868-155-0x0000000000400000-0x0000000000503000-memory.dmp (Filesize: 1.0MB)
memory/4916-157-0x0000000000000000-mapping.dmp