Analysis

  • max time kernel
    45s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2022 17:39

General

  • Target

    ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe

  • Size

    521KB

  • MD5

    d9ab08dfe2176e7fb3f04b597314859f

  • SHA1

    90e818eda58840c5d811dd9729ea8aca20654d3e

  • SHA256

    ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e

  • SHA512

    b44dfe1fbd3595143cdf2b50ffed64feab8c4975436d55fbd1db001101d7554d8fb6747ad59c99d9bcbb7486be0b02c1bad9a9686099888984bad6bd99772ad9

  • SSDEEP

    12288:evoLy6NugQ5yRRc/Xu5uy5n3MESioMsis/tKw4cNL4qXh:cYHNEgRa/Xu/3PzoMwKw4c2qXh

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • ModiLoader Second Stage 2 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 45 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe
    "C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" about:blank
      2⤵
        PID:1260
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c del "C:\Users\Admin\AppData\Local\Temp\ce98537bd1ce48ca975292f0cf911db4b5d4c0248d44f20aefe10dc5ab995c4e.exe"
        2⤵
        • Deletes itself
        PID:1748

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Defense Evasion

    Modify Registry

    1
    T1112

    Discovery

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1324-54-0x00000000752B1000-0x00000000752B3000-memory.dmp
      Filesize

      8KB

    • memory/1324-55-0x0000000000400000-0x00000000004D0000-memory.dmp
      Filesize

      832KB

    • memory/1324-56-0x0000000000740000-0x00000000007A0000-memory.dmp
      Filesize

      384KB

    • memory/1324-57-0x0000000000400000-0x00000000004D0000-memory.dmp
      Filesize

      832KB

    • memory/1324-59-0x0000000010410000-0x0000000010494000-memory.dmp
      Filesize

      528KB

    • memory/1324-64-0x0000000000740000-0x00000000007A0000-memory.dmp
      Filesize

      384KB

    • memory/1324-63-0x0000000000400000-0x00000000004D0000-memory.dmp
      Filesize

      832KB

    • memory/1748-62-0x0000000000000000-mapping.dmp