Analysis
- max time kernel: 189s
- max time network: 219s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-12-2022 11:38
Static task: static1
Behavioral task: behavioral1
- Sample: 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
- Resource: win10v2004-20221111-en
General
- Target: 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
- Size: 854KB
- MD5: 365cf5f5d7fc1f822927b507fb54e57a
- SHA1: 7d1ea87fb46709700d89a70a7fd668fb1ece7e16
- SHA256: 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082
- SHA512: 65eed9c257993dc3a52a29b2a7d64122b32d5494e75da9f382788e3e2e06009d7285280ddcb5b62f920286776018a2b5b4051cde3d4e5e69f2111c3869b92545
- SSDEEP: 12288:zZ927jdTn4YRkAvIHenu/JdgQbug0lyxa66kXUqTfTB2O4rwSMpxA6Fs2Cz1dqX:zZU7VxRkwPusKqbpq7oOqLMfF8q
Malware Config
- Extracted URL: https://drive.google.com/uc?export=download&id=1DZ_JyNSO-_rsy0GYLNeY10ZhLJ-wnrou
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  Processes:
    resource                                                                       yara_rule
    behavioral2/memory/2096-133-0x00000000028C0000-0x00000000028EC000-memory.dmp   modiloader_stage2
- Blocklisted process makes network request (1 IoC)
  Processes: powershell.exe
    flow   pid    process
    92     4756   powershell.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
    pid    pid_target   process        target process
    428    2096         WerFault.exe   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
    3280   2096         WerFault.exe   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
    pid    process
    4756   powershell.exe
    4756   powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: powershell.exe
    description               pid    process
    Token: SeDebugPrivilege   4756   powershell.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe, cmd.exe
    description                        pid    process                                                                 target process
    PID 2096 wrote to memory of 744    2096   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe   cmd.exe
    PID 2096 wrote to memory of 744    2096   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe   cmd.exe
    PID 2096 wrote to memory of 744    2096   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe   cmd.exe
    PID 744 wrote to memory of 4756    744    cmd.exe                                                                 powershell.exe
    PID 744 wrote to memory of 4756    744    cmd.exe                                                                 powershell.exe
    PID 744 wrote to memory of 4756    744    cmd.exe                                                                 powershell.exe
    PID 2096 wrote to memory of 428    2096   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe   WerFault.exe
    PID 2096 wrote to memory of 428    2096   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe   WerFault.exe
    PID 2096 wrote to memory of 428    2096   0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe   WerFault.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0ff047f531432449a97fd28e8bbd79a2e2aff5fb11552560ef2398bbdbba8082.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\png.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -FILE C:\Users\Public\Libraries\png.ps1
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 840
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 840
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2096 -ip 2096
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Public\Libraries\png.bat
  Filesize: 100B
  MD5: c385a71887d828b1df961942e68ecfe8
  SHA1: 3f539a56267af3db91be9ac9ea2fd5d803a53279
  SHA256: bcd9e416bc017b7f079e7daee3b628ccdcf34cfb93d1d131f0d11ee2ba3498f3
  SHA512: 83d48fa5c8d06918fe63404500f35231f461dd7ce57540d9f9c36b0fcc81a15e02f28e5aa66acdf2183ce95acd2f301e3d5963c10e2bc298c93dab87e9d90848
- C:\Users\Public\Libraries\png.ps1
  Filesize: 213B
  MD5: 3f883d3644bf68282106384d5a1b91d5
  SHA1: b0b5719a1bbabdfbaa492dac0008c969f3f70f00
  SHA256: ed0c1ca841c2a764a5ea2556277f63297ebe1940eb598f4e2fce7d2feec30dbb
  SHA512: 109b806b986bd92abf7f692a3da0ffed07c14c00d8c78728646b0ce9ecaa4baa0457210ffa547e7644e38d5798c91107226a61e73d330637291489947bdbdbe9
- memory/428-147-0x0000000000000000-mapping.dmp
- memory/744-135-0x0000000000000000-mapping.dmp
- memory/2096-133-0x00000000028C0000-0x00000000028EC000-memory.dmp
  Filesize: 176KB
- memory/4756-140-0x0000000005450000-0x0000000005472000-memory.dmp
  Filesize: 136KB
- memory/4756-139-0x00000000054E0000-0x0000000005B08000-memory.dmp
  Filesize: 6.2MB
- memory/4756-141-0x0000000005C00000-0x0000000005C66000-memory.dmp
  Filesize: 408KB
- memory/4756-142-0x0000000005C70000-0x0000000005CD6000-memory.dmp
  Filesize: 408KB
- memory/4756-143-0x0000000006270000-0x000000000628E000-memory.dmp
  Filesize: 120KB
- memory/4756-138-0x00000000029C0000-0x00000000029F6000-memory.dmp
  Filesize: 216KB
- memory/4756-145-0x00000000078E0000-0x0000000007F5A000-memory.dmp
  Filesize: 6.5MB
- memory/4756-146-0x0000000005410000-0x000000000542A000-memory.dmp
  Filesize: 104KB
- memory/4756-137-0x0000000000000000-mapping.dmp