Analysis
-
max time kernel
146s -
max time network
82s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-12-2022 20:30
General
-
Target
ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af.exe
-
Size
252KB
-
MD5
bd1dfa7b9c24902277019104a80488fa
-
SHA1
8ad2983b4c28e82393004b05ff5e6fc4f47fe9bf
-
SHA256
ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af
-
SHA512
e9b0281dcd38ee5d7175739052b66a8d9f950c11337b018a17ebcbdd593122999dcd8dcf0169e2f32187617bf2c3759a93cf83c6e8edd641639da3e49b170e56
-
SSDEEP
6144:3+sgruWCTXu0+EI8AroFQDDP/m5dNP8ICzdBoQS6:rMuWCiNf8uDDodl8IedBoQn
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 2 IoCs
-
ModiLoader Second Stage 11 IoCs
-
Executes dropped EXE 2 IoCs
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 5 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Windows directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af.exe"C:\Users\Admin\AppData\Local\Temp\ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af.exe"1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af.exeC:\Users\Admin\AppData\Local\Temp\ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af.exe2⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\mstwain32.exe"C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af.exe"3⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\mstwain32.exeC:\Windows\mstwain32.exe4⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mstwain32.exeFilesize
252KB
MD5bd1dfa7b9c24902277019104a80488fa
SHA18ad2983b4c28e82393004b05ff5e6fc4f47fe9bf
SHA256ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af
SHA512e9b0281dcd38ee5d7175739052b66a8d9f950c11337b018a17ebcbdd593122999dcd8dcf0169e2f32187617bf2c3759a93cf83c6e8edd641639da3e49b170e56
-
C:\Windows\mstwain32.exeFilesize
252KB
MD5bd1dfa7b9c24902277019104a80488fa
SHA18ad2983b4c28e82393004b05ff5e6fc4f47fe9bf
SHA256ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af
SHA512e9b0281dcd38ee5d7175739052b66a8d9f950c11337b018a17ebcbdd593122999dcd8dcf0169e2f32187617bf2c3759a93cf83c6e8edd641639da3e49b170e56
-
C:\Windows\mstwain32.exeFilesize
252KB
MD5bd1dfa7b9c24902277019104a80488fa
SHA18ad2983b4c28e82393004b05ff5e6fc4f47fe9bf
SHA256ec62f21d53859c3d31db7d7f49ccef494793f9dbb6e060f9d42d86403c2853af
SHA512e9b0281dcd38ee5d7175739052b66a8d9f950c11337b018a17ebcbdd593122999dcd8dcf0169e2f32187617bf2c3759a93cf83c6e8edd641639da3e49b170e56
-
memory/560-78-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/560-77-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/560-76-0x00000000004F0000-0x00000000004FE000-memory.dmpFilesize
56KB
-
memory/560-75-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/560-69-0x0000000000430464-mapping.dmp
-
memory/980-63-0x0000000000000000-mapping.dmp
-
memory/1320-60-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-62-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-61-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-74-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-56-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-59-0x0000000076681000-0x0000000076683000-memory.dmpFilesize
8KB
-
memory/1320-58-0x0000000000400000-0x000000000044B000-memory.dmpFilesize
300KB
-
memory/1320-57-0x0000000000430464-mapping.dmp