Behavioral Report

Analysis

max time kernel
331s
max time network
377s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2022 21:38

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe
Size

159KB
MD5

cd602e1d9ed9af0f1d5c60b8e6598bfe
SHA1

b2f7534835fb48b5feb390c1ec5b2e9acf8fe578
SHA256

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381
SHA512

6aa30d18cb7ffdf8f919b722d9e151b93f7b6f4d1d9a7003669b9aaca67c8539110249930d30d6319340959b3d812165992741187b66a24393c7784c077ace89
SSDEEP

3072:dRGEbqzPvmGEbqzHxsbE7IjXDNAiBs1SsVF9ylfPOlOqivfkr:XGkqzWGkqzHxsbEAXZTqVaOUqn

Score

10^/10

modiloader evasion trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage ⋅ 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5016-140-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5016-141-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Executes dropped EXE ⋅ 2 IoCs

Processes:

Ýp Ýle Hack2.exeÝp Ýle Hack2.exe

pid process

4824 Ýp Ýle Hack2.exe
5016 Ýp Ýle Hack2.exe

pid	process
4824	Ýp Ýle Hack2.exe
5016	Ýp Ýle Hack2.exe

UPX packed file ⋅ 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5016-136-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5016-139-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5016-140-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5016-141-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Checks computer location settings ⋅ 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

TTPs:

Query Registry System Information Discovery

Processes:

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe

Checks whether UAC is enabled ⋅ 1 TTPs 1 IoCs
evasion trojan

TTPs:

System Information Discovery

Processes:

Ýp Ýle Hack2.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Ýp Ýle Hack2.exe
Suspicious use of SetThreadContext ⋅ 1 IoCs

Processes:

Ýp Ýle Hack2.exe

description pid process target process

PID 4824 set thread context of 5016 4824 Ýp Ýle Hack2.exe Ýp Ýle Hack2.exe
Enumerates physical storage devices ⋅ 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs:

System Information Discovery
Suspicious use of AdjustPrivilegeToken ⋅ 1 IoCs

Processes:

Ýp Ýle Hack2.exe

description pid process

Token: SeDebugPrivilege 5016 Ýp Ýle Hack2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Ýp Ýle Hack2.exe

description	pid	process	target process
PID 4824 set thread context of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe

description	pid	process
Token: SeDebugPrivilege	5016	Ýp Ýle Hack2.exe

Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes:

98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exeÝp Ýle Hack2.exe

description	pid	process	target process
PID 4828 wrote to memory of 4824	4828	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe	Ýp Ýle Hack2.exe
PID 4828 wrote to memory of 4824	4828	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe	Ýp Ýle Hack2.exe
PID 4828 wrote to memory of 4824	4828	98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe
PID 4824 wrote to memory of 5016	4824	Ýp Ýle Hack2.exe	Ýp Ýle Hack2.exe

C:\Users\Admin\AppData\Local\Temp\98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe

"C:\Users\Admin\AppData\Local\Temp\98619775d344c488847a5355433bb4d4206e8fe054b09302ca5e7eaf86cd2381.exe"

Checks computer location settings
Suspicious use of WriteProcessMemory

PID:4828

C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe

"C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe"

Executes dropped EXE
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory

PID:4824

C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe

"C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe"

Executes dropped EXE
Checks whether UAC is enabled
Suspicious use of AdjustPrivilegeToken

PID:5016

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

PID:4812

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
MD5
0febcb4623c2a7de1a4a68801f273942

SHA1
7b5ad4f08cbf79995b6df3ee3ed33efc6b002111

SHA256
d9505c381011d0c35192cafc9ce01de657d13e64a0fe5f1fddfced86a00cc4fe

SHA512
e1b1ae8b59ce5752fb89ded450d2c50201321ecea71415b70378d396bd76bce6db77d778768325a6268c91543b4c581dc9e5e31d8b09bddd4356cafdd3243225

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
MD5
0febcb4623c2a7de1a4a68801f273942

SHA1
7b5ad4f08cbf79995b6df3ee3ed33efc6b002111

SHA256
d9505c381011d0c35192cafc9ce01de657d13e64a0fe5f1fddfced86a00cc4fe

SHA512
e1b1ae8b59ce5752fb89ded450d2c50201321ecea71415b70378d396bd76bce6db77d778768325a6268c91543b4c581dc9e5e31d8b09bddd4356cafdd3243225

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ýp Ýle Hack2.exe
MD5
0febcb4623c2a7de1a4a68801f273942

SHA1
7b5ad4f08cbf79995b6df3ee3ed33efc6b002111

SHA256
d9505c381011d0c35192cafc9ce01de657d13e64a0fe5f1fddfced86a00cc4fe

SHA512
e1b1ae8b59ce5752fb89ded450d2c50201321ecea71415b70378d396bd76bce6db77d778768325a6268c91543b4c581dc9e5e31d8b09bddd4356cafdd3243225

Download Submit
memory/4824-132-0x0000000000000000-mapping.dmp

Download
memory/5016-135-0x0000000000000000-mapping.dmp

Download
memory/5016-136-0x0000000000400000-0x000000000044F000-memory.dmp

Download
memory/5016-139-0x0000000000400000-0x000000000044F000-memory.dmp

Download
memory/5016-140-0x0000000000400000-0x000000000044F000-memory.dmp

Download
memory/5016-141-0x0000000000400000-0x000000000044F000-memory.dmp

Download