Analysis
- max time kernel: 41s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-12-2022 09:12
Behavioral task: behavioral1
- Sample: a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
- Resource: win10v2004-20220812-en
General
- Target: a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
- Size: 2.2MB
- MD5: 999ca9f1b7db4bb516d72b01d1ea5efc
- SHA1: bbefa0fda0c1e02088bbb06ab6a06dd98f17b66e
- SHA256: a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9
- SHA512: 67576060a7dc59ea5393132dec42dc9f8cf74d760c16a873ad999fdb48638d66cfd979304554c427cca3773f6f92ba5a0ea75b0c7033c320f3c6a0c221e52bfb
- SSDEEP: 49152:HxfEY2wEW3m8j8k8ddADgLhFMY4bXNMWHZNV9EkFZ3fwZzL:HV2BW28jneFMY4bXpNAu30X
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (7 IoCs)
  YARA hits on dropped files:
  resource                                        yara_rule
  \Users\Admin\AppData\Local\Temp\server.exe      modiloader_stage2   (6 hits)
  C:\Users\Admin\AppData\Local\Temp\server.exe    modiloader_stage2   (1 hit)
- Executes dropped EXE (1 IoC)
  pid    process
  1928   server.exe
- Loads dropped DLL (6 IoCs)
  pid    process
  1756   a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe   (2 entries)
  1700   WerFault.exe                                                           (4 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox describes this as likely ransomware behaviour, but that is a generic heuristic; this report records no file encryption or mass file writes, so the drive enumeration on its own does not indicate ransomware for this sample.
- Program crash (1 IoC)
  pid    pid_target   process        target process
  1700   1928         WerFault.exe   server.exe
  The dropped second stage (server.exe, PID 1928) crashed and was handled by WerFault.exe within this 41-second run, so anything the second stage would have done after that point is not captured here.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    process
  1756   a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  pid    process
  688    DllHost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  1756   a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                         pid    target pid   process                                                                  target process
  PID 1756 wrote to memory of 1928    1756   1928         a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe   server.exe     (4 entries)
  PID 1928 wrote to memory of 1700    1928   1700         server.exe                                                               WerFault.exe   (4 entries)
  Each of the two process creations in this run produced four write entries. A sandbox also records the writes that CreateProcess itself makes into a newly created child, so these entries establish the parent/child relationships; on their own they do not show that the loader injected code into server.exe.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe (PID 1756)
      command line: "C:\Users\Admin\AppData\Local\Temp\a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\server.exe (PID 1928)
        command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe (PID 1700)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 88
          - Loads dropped DLL
          - Program crash
- [1] C:\Windows\SysWOW64\DllHost.exe (PID 688)
      command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      - Suspicious use of FindShellTrayWindow
      This COM surrogate sits at the top level of the tree; the report does not link it to the sample's process chain.
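The process list above, turned into detection logic as an added example that is not part of the sandbox report or of any vendor's rules: it reconstructs the tree from constructed Sysmon-style process-creation and file-creation records that follow the report's PIDs, images and command lines, flags the dropped-and-executed server.exe and the Temp-to-Temp parent/child pair, and ties WerFault.exe back to the crashed PID through its -p argument. The file-creation events (which process wrote server.exe and RS.JPG), the missing parent PIDs (recorded as 0) and the Sysmon-style field layout are assumptions, not data from the report.

```python
"""Reconstruct a sandbox process tree and flag the behaviours the signatures describe.

Records are constructed for this example: PIDs, images and command lines follow
the report; file-create attribution and the unknown parents (ppid 0) are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A user's local Temp directory, matched case-insensitively on the drive-letter form.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# WerFault's "-p <pid>" argument names the process whose crash it is handling.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?:\s|$)")


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (Sysmon event 1 style); ppid 0 = parent not recorded."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    """File-creation record (Sysmon event 11 style), attributed to the writing PID."""
    pid: int
    path: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a9f5efb19a067b36eb54709ac26ff004da516df9272bd213e662acb3cfe97ae9.exe"
SERVER = r"C:\Users\Admin\AppData\Local\Temp\server.exe"

# Constructed records modelled on the report's process list.
PROC_EVENTS = [
    ProcEvent(1756, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1928, 1756, SERVER, f'"{SERVER}"'),
    ProcEvent(1700, 1928, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 88"),
    ProcEvent(688, 0, r"C:\Windows\SysWOW64\DllHost.exe",
              r"C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}"),
]
# Assumption: the sample (1756) is the process that wrote both dropped files.
FILE_EVENTS = [
    FileEvent(1756, SERVER),
    FileEvent(1756, r"C:\Users\Admin\AppData\Local\Temp\RS.JPG"),
]


def in_user_temp(path: str) -> bool:
    """True when the path lies under a user's AppData\\Local\\Temp directory."""
    return USER_TEMP_RE.match(path) is not None


def werfault_target(cmdline: str) -> int | None:
    """Return the crashed PID named by a WerFault command line, or None if absent."""
    m = WERFAULT_PID_RE.search(cmdline)
    return int(m.group(1)) if m else None


def find_crashes(procs: list[ProcEvent]) -> dict[int, int]:
    """Map crashed PID -> WerFault PID.

    The -p value must equal WerFault's own parent: a crashing process spawns its
    WerFault instance, so a mismatch would point at an unrelated WerFault.
    """
    out: dict[int, int] = {}
    for p in procs:
        if p.image.lower().endswith(r"\werfault.exe"):
            target = werfault_target(p.cmdline)
            if target is not None and target == p.ppid:
                out[target] = p.pid
    return out


def dropped_and_executed(procs: list[ProcEvent], files: list[FileEvent]) -> list[int]:
    """PIDs whose image file was written by a different process in the same trace."""
    written_by = {f.path.lower(): f.pid for f in files}
    hits = []
    for p in procs:
        writer = written_by.get(p.image.lower())
        if writer is not None and writer != p.pid:
            hits.append(p.pid)
    return hits


def temp_to_temp_chain(procs: list[ProcEvent]) -> list[tuple[int, int]]:
    """(parent, child) pairs where both images run from a user Temp directory."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and in_user_temp(parent.image) and in_user_temp(p.image):
            pairs.append((parent.pid, p.pid))
    return pairs


if __name__ == "__main__":
    print("dropped and executed:", dropped_and_executed(PROC_EVENTS, FILE_EVENTS))
    print("temp -> temp chain:", temp_to_temp_chain(PROC_EVENTS))
    print("crashes (crashed pid -> WerFault pid):", find_crashes(PROC_EVENTS))
```

The parent check in find_crashes is the part worth keeping in a real rule: WerFault's -p argument alone can be spoofed by any process that launches WerFault with an arbitrary PID, whereas the crashing process creating its own WerFault instance is what the report's "PID 1928 wrote to memory of 1700" entries reflect.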
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\RS.JPG
  Filesize: 415KB
  MD5: e197a74788bec3a0adf3d314d6c0a1a1
  SHA1: 36a340f134ae242a5adde536e88d75f4b4baa793
  SHA256: 81a13bbd3dbb44b416ae7b6dd1231a8f3e24df64a55ccccd2734e83e35e20ae6
  SHA512: 06761133b9593668d834511d80d3e3cd65c1af3c015024a57ce79e95e37ebb2c17d780ddf7c39fec255ee3a2b99e389cb2e80c8f081a53a360f6f9782888c6bd
- C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 29KB
  MD5: a7ba2da473489d55b415d180cc171118
  SHA1: 9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8
  SHA256: addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd
  SHA512: b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241
- \Users\Admin\AppData\Local\Temp\server.exe (listed six times in the report, all entries with identical hashes)
  Filesize: 29KB
  MD5: a7ba2da473489d55b415d180cc171118
  SHA1: 9d62317f11f54f7d04fc0e1e1ea9a6584800c8a8
  SHA256: addc66a1f6c3f3c172fdebb1d5457f02daf91f2c3ca0acb8a2b503375ef37bfd
  SHA512: b4e8c1831096e92b32b82d60cfd4c65b34317c6bb20bef602cb967c24b372c972a5df251d2972146eb27d97331bceb29752ac2a7ff59da0c8ef88a9f24e6e241
- memory/1700-62-0x0000000000000000-mapping.dmp
- memory/1756-56-0x0000000076871000-0x0000000076873000-memory.dmp
  Filesize: 8KB
- memory/1756-57-0x0000000004730000-0x0000000004733000-memory.dmp
  Filesize: 12KB
- memory/1928-60-0x0000000000000000-mapping.dmp