Analysis
max time kernel: 53s
max time network: 34s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe
  Resource: win10v2004-20221111-en
General
Target: f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe
Size: 690KB
MD5: 3032257edda1791849566825d5ff1d99
SHA1: 5ddfeda08a32abdbfa9264deb30dd46df74469eb
SHA256: f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb
SHA512: 75dceebcfe39f6c6f57798bd8088560c6e047b2fc374cd18a5f34bd646dd162ae0771143b1bd315686c81a65ff096a4f667539a5f555e8ed718d6d468b72c65b
SSDEEP: 12288:tzy6rRxEu8H7W5dImEVtQkJjDOGIcI/tGW4yrAtSNGC8fpmDH/tcTA:46rTkqdmVSkByEYr4yAtyb8RmTWE
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (6 IoCs)
resource                          yara_rule           hits
C:\Windows\qq.exe                 modiloader_stage2   2
\Windows\WinRaR\WinRaR.exe        modiloader_stage2   2
C:\Windows\WinRaR\WinRaR.exe      modiloader_stage2   2

Executes dropped EXE (4 IoCs)
pid    process
1900   Keys.exe
2028   ie.exe
2044   qq.exe
1524   WinRaR.exe

Loads dropped DLL (6 IoCs)
pid    process                                                                  load events
1552   f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe   1
1900   Keys.exe                                                                 3
2044   qq.exe                                                                   2

Drops file in Windows directory (22 IoCs)
description                    ioc                              process
File opened for modification   C:\Windows\1.vbs                 Keys.exe
File created                   C:\Windows\knlps.exe             Keys.exe
File created                   C:\Windows\1.bat                 Keys.exe
File created                   C:\Windows\kulion                qq.exe
File created                   C:\Windows\WinRaR\WinRaR.exe     qq.exe
File opened for modification   C:\Windows\WinRaR\WinRaR.exe     qq.exe
File opened for modification   C:\Windows\knlps.sys             Keys.exe
File opened for modification   C:\Windows\1.bat                 Keys.exe
File created                   C:\Windows\1.vbs                 Keys.exe
File created                   C:\Windows\11.bat                Keys.exe
File opened for modification   C:\Windows\11.bat                Keys.exe
File opened for modification   C:\Windows\ie.exe                Keys.exe
File opened for modification   C:\Windows\knlps.exe             Keys.exe
File created                   C:\Windows\knlps.sys             Keys.exe
File opened for modification   C:\Windows\qq.exe                ie.exe
File created                   C:\Windows\WinRaR\WinRaR.dll     qq.exe
File created                   C:\Windows\ie.exe                Keys.exe
File created                   C:\Windows\qq.exe                ie.exe
File opened for modification   C:\Windows\WinRaR\               qq.exe
File opened for modification   C:\Windows\WinRaR\               WinRaR.exe
File created                   C:\Windows\WinRaR\WinRaR.dll     WinRaR.exe
File created                   C:\Windows\WinRaR\WinRaR.exe     WinRaR.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description                  pid    process
Token: SeRestorePrivilege    1900   Keys.exe
Token: SeBackupPrivilege     1900   Keys.exe
Token: SeBackupPrivilege     2044   qq.exe
Token: SeRestorePrivilege    2044   qq.exe
Token: SeBackupPrivilege     2044   qq.exe
Token: SeRestorePrivilege    2044   qq.exe

Suspicious use of WriteProcessMemory (43 IoCs)
Each row collapses identical repeated "PID X wrote to memory of Y" events into one line with an event count.
pid    process                                                                  target pid   target process   events
1552   f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe   1900         Keys.exe         7
1900   Keys.exe                                                                 868          WScript.exe      7
868    WScript.exe                                                              1052         cmd.exe          7
868    WScript.exe                                                              1364         cmd.exe          7
1364   cmd.exe                                                                  2028         ie.exe           7
2028   ie.exe                                                                   2044         qq.exe           4
2044   qq.exe                                                                   1524         WinRaR.exe       4
Processes
Process tree (indentation shows parent/child depth; each entry lists the image path, the command line, and the signatures attributed to it):

1. C:\Users\Admin\AppData\Local\Temp\f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f681912ca730e36b770946df9b7fd9483334405984a7eee9cc8897f66d7af8eb.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Keys.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Keys.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WScript.exe
         command line: "C:\Windows\System32\WScript.exe" "C:\Windows\1.vbs"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Windows\1.bat" "
         4. C:\Windows\SysWOW64\cmd.exe
            command line: cmd /c ""C:\Windows\11.bat" "
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\ie.exe
               command line: ie.exe
               - Executes dropped EXE
               - Drops file in Windows directory
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\qq.exe
                  command line: "C:\Windows\qq.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in Windows directory
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\WinRaR\WinRaR.exe
                     command line: C:\Windows\WinRaR\WinRaR.exe
                     - Executes dropped EXE
                     - Drops file in Windows directory
Downloads