Analysis
-
max time kernel
153s -
max time network
196s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system -
submitted
03-12-2022 17:41
Static task
static1
Behavioral task
behavioral1
Sample
e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
Resource
win10v2004-20221111-en
General
-
Target
e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
-
Size
1.2MB
-
MD5
4e41bc7a510c3bef5c1e445e072be5b7
-
SHA1
4839d91cdf8a02fff3a1530ed9309ed08f1546ec
-
SHA256
e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8
-
SHA512
1a78a4bb26cabc88361965df0b2fb683db4ebea5759fd4cd2a04e37885a8f0817055ed153add395d0a60bf12585599ccd37674fc4378883202b14b0500c1e216
-
SSDEEP
24576:WIXMo12mrF8GGNiLoRyiBNQl9vqiFZFp/Eu7GRERnCCifqCZAOl2QHa1+:TXtJZ8GQiLoRyiBKgoZFdniR/qCZFl2M
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 11 IoCs
Processes:
resource                                                                        yara_rule
behavioral2/memory/2740-134-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/2740-135-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/2740-136-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/2740-138-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/2740-139-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/2740-155-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/4236-160-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/4236-161-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/4236-162-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/4236-164-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
behavioral2/memory/4236-166-0x0000000000010000-0x00000000002BD000-memory.dmp    modiloader_stage2
All eleven hits are on the same 0x10000-0x2BD000 image region, in PID 2740 (the submitted sample) and PID 4236 (its copy C:\Windows\apocalyps32.exe, which carries the same hashes; see Downloads). The earlier snapshots of that region listed under Downloads (2740-132, 2740-133, 4236-154, 4236-159) did not match, so the region only takes on stage-2 content after the process has been running for a while, consistent with the payload being decoded in place.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1752  server.exe
3028  D3DWindower.exe
4236  apocalyps32.exe
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
Processes:
description      ioc                                                                                                                     process
Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\e577530.dll"  server.exe
This is the persistence mechanism: a service named ".Net CLR" whose ServiceDll is the dropped e577530.dll, later hosted by C:\Windows\SysWOW64\svchost.exe -k ".Net CLR" and entered through rundll32.exe ... e577530.dll, Launch (see Processes). The value names C:\Windows\system32\, while the file-creation event below shows the DLL landing in C:\Windows\SysWOW64\: server.exe is a 32-bit process (its cmd.exe child also runs from SysWOW64 although the command line says system32), so WoW64 file-system redirection rewrote the write, and the 32-bit svchost.exe resolves the same path to the same file. When checking a host, look in both directories.
-
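As an added example (not code from the sandbox vendor or from this report), the following Python applies the check a responder would run over registry-write telemetry: parse "Set value" lines for ServiceDll registrations, flag the ones written by something other than a service installer or for a service that belongs to no known svchost group, and resolve the WoW64-redirected on-disk path for 32-bit writers. SAMPLE_EVENTS is constructed; its first line reproduces the report's entry above. TRUSTED_WRITERS and SVCHOST_GROUPS are illustrative assumptions; on a real host the group membership comes from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.

```python
r"""Flag suspicious ServiceDll registrations in sandbox-style registry events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
(the first line mirrors the report's "Set value (str)" entry, the rest are
benign noise). TRUSTED_WRITERS and SVCHOST_GROUPS are illustrative assumptions;
a host-side check would read the real Svchost key under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost instead.
"""
import re
from dataclasses import dataclass, field

SAMPLE_EVENTS = [
    # the registration recorded in the report (service ".Net CLR", writer server.exe)
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\.Net CLR\Parameters\ServiceDll = "C:\\Windows\\system32\\e577530.dll" server.exe',
    # constructed benign noise: a built-in service registered by services.exe
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\Parameters\ServiceDll = "%SystemRoot%\\system32\\schedsvc.dll" services.exe',
    # constructed unrelated registry write that the parser must ignore
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Example\Path = "C:\\Windows\\system32\\other.dll" regsvr32.exe',
]

SERVICEDLL_RE = re.compile(
    r'^Set value \(\w+\) \\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)'
    r'\\Services\\(?P<svc>[^\\]+)\\Parameters\\ServiceDll = "(?P<dll>[^"]+)" (?P<writer>\S+)$'
)

# Assumption: processes expected to create ServiceDll values on a managed host.
TRUSTED_WRITERS = {"services.exe", "msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}

# Assumption: a constructed subset of the Svchost key (group -> member services).
SVCHOST_GROUPS = {
    "netsvcs": {"Schedule", "Themes", "Winmgmt"},
    "LocalService": {"EventSystem", "nsi"},
}


@dataclass
class Finding:
    service: str
    dll: str
    writer: str
    reasons: list
    on_disk: list = field(default_factory=list)


def wow64_redirected(path: str) -> str:
    """Path a 32-bit writer really touched when it named system32: WoW64
    file-system redirection maps C:\Windows\system32 to C:\Windows\SysWOW64."""
    m = re.match(r'(?i)^(c:\\windows\\)system32\\(.*)$', path)
    return f"{m.group(1)}SysWOW64\\{m.group(2)}" if m else path


def analyze(events, wow64_writers=frozenset()):
    """Parse ServiceDll writes and return a Finding for each suspicious one.
    wow64_writers: writer process names known to be 32-bit, so the on-disk
    location can be resolved through the redirection as well."""
    wow64 = {w.lower() for w in wow64_writers}
    findings = []
    for line in events:
        m = SERVICEDLL_RE.match(line)
        if not m:
            continue
        svc, writer = m["svc"], m["writer"]
        dll = m["dll"].replace("\\\\", "\\")  # sandbox output doubles backslashes
        reasons = []
        if writer.lower() not in TRUSTED_WRITERS:
            reasons.append(f"ServiceDll written by {writer}, not by a service installer")
        if not any(svc in members for members in SVCHOST_GROUPS.values()):
            reasons.append(f"service '{svc}' is not a member of any known svchost group")
        if not reasons:
            continue
        on_disk = [dll]
        if writer.lower() in wow64:
            on_disk.append(wow64_redirected(dll))
        findings.append(Finding(svc, dll, writer, reasons, on_disk))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, wow64_writers={"server.exe"}):
        print(f"[!] {f.service}: {f.dll} (writer {f.writer})")
        for r in f.reasons:
            print("    -", r)
        print("    check on disk:", ", ".join(f.on_disk))
```

Run as-is it reports only the ".Net CLR" registration, with both C:\Windows\system32\e577530.dll and C:\Windows\SysWOW64\e577530.dll as the paths to collect; the constructed Schedule entry passes because a trusted writer registered a known group member.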
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
Key value queried  \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  server.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid   process
1752  server.exe
2476  svchost.exe
3748  rundll32.exe
-
Drops file in System32 directory 1 IoCs
Processes:
description   ioc                              process
File created  C:\Windows\SysWOW64\e577530.dll  server.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description                   ioc                         process
File created                  C:\Windows\apocalyps32.exe  e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
File opened for modification  C:\Windows\apocalyps32.exe  e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe
File created                  C:\Windows\apocalyps32.exe  apocalyps32.exe
C:\Windows\apocalyps32.exe carries the same hashes as the submitted sample (see Downloads), so this is a self-copy into the Windows directory; the copy repeats the create when it runs.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock description rates this as likely ransomware behaviour, but the heuristic is generic: nothing else in this run (no mass file modification, no other encryption-related signature) supports that reading, and the remaining signatures describe a loader.
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
description  pid   process          privilege
Token        1752  server.exe       SeIncBasePriorityPrivilege
Token        3028  D3DWindower.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token        3028  D3DWindower.exe  (the same 21-privilege sequence a second time; 1 + 21 + 21 = 43 events)
The bare numbers are privilege LUIDs the sandbox has no name for: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. The 21 entries together are the disabled-by-default privileges of an elevated administrator token, so D3DWindower.exe is enabling every privilege on its token in one pass (twice) rather than requesting one specific right; SeDebugPrivilege and SeLoadDriverPrivilege are the ones that matter for what it could do next.
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid   process
3028  D3DWindower.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
source pid  source process                                                         target pid  target process   events
2740        e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe  1752        server.exe       3
2740        e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe  3028        D3DWindower.exe  3
2740        e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe  4236        apocalyps32.exe  3
1752        server.exe                                                             3076        cmd.exe          3
2476        svchost.exe                                                            3748        rundll32.exe     3
4236        apocalyps32.exe                                                        4856        msedge.exe       2
Every source/target pair is a parent/child pair in the process tree below; no write into a pre-existing, unrelated process is recorded in this run.
Processes
-
PID 2740  C:\Users\Admin\AppData\Local\Temp\e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe  (level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID 1752  C:\Users\Admin\AppData\Local\Temp\server.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
    - Executes dropped EXE
    - Sets DLL path for service in the registry
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID 3076  C:\Windows\SysWOW64\cmd.exe  (level 3)
      command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\server.exe" > nul
      (deletes the dropper that spawned it; the image path is SysWOW64 although the command line names system32, i.e. WoW64 redirection of a 32-bit parent)
  PID 3028  C:\Users\Admin\AppData\Local\Temp\D3DWindower.exe  (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\D3DWindower.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  PID 4236  C:\Windows\apocalyps32.exe  (level 2)
    command line: -bs
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID 4856  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 3)
      command line: -bs
PID 2476  C:\Windows\SysWOW64\svchost.exe  (level 1; a separate root, the host process for the ".Net CLR" service group that server.exe registered)
  command line: C:\Windows\SysWOW64\svchost.exe -k ".Net CLR"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID 3748  C:\Windows\SysWOW64\rundll32.exe  (level 2)
    command line: rundll32.exe c:\windows\system32\e577530.dll, Launch
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\D3DWindower.exe
Filesize  738KB
MD5       5ba07aae61ac0b88a761232680916468
SHA1      34347c599e061084833399cbbdfeb3f367b4dc36
SHA256    f3d167c70b74e46e1946b5f9e6199fb5d2333ddd34ec4dd87b6c7894ef4b61ed
SHA512    3b71086534234e53aef2e8f38a080d868f5e2252c73d20353ff38728c48868116e48ee14e6896fa17514fbf1d1c1f9abb444c1210f42458415969b75f277d330
-
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize  658KB
MD5       8ead19cc64b8556df8d68d7d2d75bacb
SHA1      fe41b9f8008db5d71ba02412a44fe1437069f826
SHA256    3943594c4da45d1e998f1c955e313f49047d0e573f58415acfb31cf7b1af83a0
SHA512    9497914a24ac9440432bcc23091928295d5f7685bc7aba0732612f68f124d19e288a40ff3a0f68368f2687b1e95d816393f200fa22956dc56c8bc145b759039c
-
C:\Windows\SysWOW64\e577530.dll
Filesize  610KB
MD5       fa0c08737db9bb8e0a94f5059b8b5a52
SHA1      fb14b173454e24e208992757325fd81ed21ed680
SHA256    f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987
SHA512    e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6
-
C:\Windows\apocalyps32.exe
Filesize  1.2MB
MD5       4e41bc7a510c3bef5c1e445e072be5b7
SHA1      4839d91cdf8a02fff3a1530ed9309ed08f1546ec
SHA256    e27317f1abe0a73a1435992f60d5180788445f17961d596f71b7cf1d774c69e8
SHA512    1a78a4bb26cabc88361965df0b2fb683db4ebea5759fd4cd2a04e37885a8f0817055ed153add395d0a60bf12585599ccd37674fc4378883202b14b0500c1e216
Identical to the submitted sample on every hash: the loader copies itself to C:\Windows\apocalyps32.exe and re-executes from there.
-
\??\c:\windows\SysWOW64\e577530.dll  (NT-native path form of C:\Windows\SysWOW64\e577530.dll above; same file)
Filesize  610KB
MD5       fa0c08737db9bb8e0a94f5059b8b5a52
SHA1      fb14b173454e24e208992757325fd81ed21ed680
SHA256    f1ecbb0d4a51dc1a4f11b9031b460bc1b1635706a3a7075003a970d39bf89987
SHA512    e3669a3feb975a9d85bad28970fcc3a24bd8b9caad9ba74bcc2517f99a40ec31fd135a2272ecf5c68cee818829c1b42e56bc8dd883374708dcea0b747633aae6
-
Memory dumps (sorted by PID and snapshot index; region dumps carry the captured size)
memory/1752-141-0x0000000000000000-mapping.dmp
memory/2740-132-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-133-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-134-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-135-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-136-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-137-0x0000000000870000-0x00000000008AE000-memory.dmp  248KB
memory/2740-138-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-139-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-140-0x0000000000870000-0x00000000008AE000-memory.dmp  248KB
memory/2740-155-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/2740-157-0x0000000000870000-0x00000000008AE000-memory.dmp  248KB
memory/3028-145-0x0000000000000000-mapping.dmp
memory/3076-156-0x0000000000000000-mapping.dmp
memory/3748-151-0x0000000000000000-mapping.dmp
memory/4236-150-0x0000000000000000-mapping.dmp
memory/4236-154-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-159-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-160-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-161-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-162-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-163-0x00000000007D0000-0x000000000080E000-memory.dmp  248KB
memory/4236-164-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-166-0x0000000000010000-0x00000000002BD000-memory.dmp  2.7MB
memory/4236-167-0x00000000007D0000-0x000000000080E000-memory.dmp  248KB
memory/4856-165-0x0000000000000000-mapping.dmp
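The "ModiLoader Second Stage" signature and the dump list above describe the same snapshots from two sides: the sandbox lists every region dump it took, and the YARA rule names the subset that matched. As an added example (not the sandbox's tooling, not code from the report), the Python below parses the dump file names, groups them by process and region, recomputes the region sizes, and records for each region which snapshots matched, so the first matching snapshot per process can be read off. DUMPS and YARA_HITS are transcribed from this report; the file-name grammar is an assumption read off those names.

```python
r"""Parse sandbox memory-dump names and cross-reference them with YARA hits.

Added example, not part of the sandbox report or of the sandbox's own tooling.
DUMPS and YARA_HITS are transcribed from the report above (the Downloads dump
list and the eleven modiloader_stage2 hits). The file-name grammar is an
assumption read off those names: memory/<pid>-<index>-<start>-<end>-memory.dmp
for a region dump and memory/<pid>-<index>-0x0-mapping.dmp for a mapping record.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

IMAGE = "0x0000000000010000-0x00000000002BD000"  # the region the YARA rule fired on
DUMPS = [
    "memory/1752-141-0x0000000000000000-mapping.dmp",
    *[f"memory/2740-{i}-{IMAGE}-memory.dmp" for i in (132, 133, 134, 135, 136, 138, 139, 155)],
    *[f"memory/2740-{i}-0x0000000000870000-0x00000000008AE000-memory.dmp" for i in (137, 140, 157)],
    "memory/3028-145-0x0000000000000000-mapping.dmp",
    "memory/3076-156-0x0000000000000000-mapping.dmp",
    "memory/3748-151-0x0000000000000000-mapping.dmp",
    "memory/4236-150-0x0000000000000000-mapping.dmp",
    *[f"memory/4236-{i}-{IMAGE}-memory.dmp" for i in (154, 159, 160, 161, 162, 164, 166)],
    *[f"memory/4236-{i}-0x00000000007D0000-0x000000000080E000-memory.dmp" for i in (163, 167)],
    "memory/4856-165-0x0000000000000000-mapping.dmp",
]
YARA_HITS = {
    f"behavioral2/memory/{pid}-{i}-{IMAGE}-memory.dmp": "modiloader_stage2"
    for pid, idxs in ((2740, (134, 135, 136, 138, 139, 155)), (4236, (160, 161, 162, 164, 166)))
    for i in idxs
}


def parse_dump(name):
    """Split a dump name into pid, snapshot index and region bounds (end is None for mapping records)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": int(m["start"], 16), "end": end}


def human(n):
    """Size formatting that reproduces the report's own '2.7MB' / '248KB' rounding."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1 << 10:
        return f"{n / (1 << 10):.0f}KB"
    return f"{n}B"


def summarize(dumps, yara_hits):
    """Group region dumps by (pid, start, end); record snapshot order and which snapshots matched."""
    hit_keys = set()
    for name in yara_hits:
        d = parse_dump(name)
        hit_keys.add((d["pid"], d["idx"], d["start"], d["end"]))
    regions = defaultdict(lambda: {"size": 0, "snapshots": [], "hits": []})
    for name in dumps:
        d = parse_dump(name)
        if d["end"] is None:  # mapping records describe no memory region
            continue
        r = regions[(d["pid"], d["start"], d["end"])]
        r["size"] = d["end"] - d["start"]
        r["snapshots"].append(d["idx"])
        if (d["pid"], d["idx"], d["start"], d["end"]) in hit_keys:
            r["hits"].append(d["idx"])
    for r in regions.values():
        r["snapshots"].sort()
        r["hits"].sort()
    return dict(regions)


def first_hit(summary, pid):
    """Earliest snapshot index of `pid` on which the rule matched, or None."""
    hits = [i for (p, _, _), r in summary.items() if p == pid for i in r["hits"]]
    return min(hits) if hits else None


if __name__ == "__main__":
    summary = summarize(DUMPS, YARA_HITS)
    for (pid, start, end), r in sorted(summary.items()):
        silent = [i for i in r["snapshots"] if i not in r["hits"]]
        print(f"pid {pid} {start:#x}-{end:#x} ({human(r['size'])}): "
              f"hits {r['hits']} / no match {silent}")
```

Running it shows four regions across the two loader processes; the 0x10000-0x2BD000 image region of PID 2740 first matches at snapshot 134 (132 and 133 are silent) and the same region of PID 4236 first matches at 160 (154 and 159 are silent), while the two 248KB regions never match. That is the pattern of a region whose contents change after the process starts, which is what to expect from a loader decoding its second stage in place.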