Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
27-03-2023 11:06
General
-
Target
761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe
-
Size
334KB
-
MD5
a11ae57c068442f751c4a7f4f5f542b0
-
SHA1
131eaded2b2507fa0b1fbf5677705a09496d0f4c
-
SHA256
761f42f03e50ef9b2eb1b1041c81cc6ed24cbc8ce2d6df3c87f193493b4a4772
-
SHA512
c62d70a3391f30cd5084d8ca4cfe0bdc65205205ac3913d4f9a9af847e1f224a780b3ddb4e981e105dd1dde6a1d52d628c6bb5380901f357156e3063dde2e674
-
SSDEEP
6144:5P8U5dPZDa/iuqO2pi14MlxYSCG1H95dp4kq5bx4fbJr/CYzCIbeY3opBMc:F5VZDaj5xZC2dGkebubJr/CIbbopBp
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 44 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe"C:\Users\Admin\AppData\Local\Temp\761F42F03E50EF9B2EB1B1041C81CC6ED24CBC8CE2D6D.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:ho5tm8Z="DFUS83";gd9=new%20ActiveXObject("WScript.Shell");A3lilIOk="qNSPA4U0";ZaU6r=gd9.RegRead("HKCU\\software\\h8RI9jV0\\EqpJDGj");Ax0p3ticr="Fx7ExEfu";eval(ZaU6r);cGE8o="Gr";1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:vsjxirfb2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\516d\2531.1389fFilesize
30KB
MD502a25f8877254b57ae64defd393eac51
SHA16d549d2c7c093b37ba42908f6fcd360a3130d943
SHA2567f368fbb1d11175992c9c1d1837b6162417769e8c7eea91251093c94a89e162e
SHA512c79005844bee7087b45df0553b2a979d647d9e3dad920410687f26904a1abcb9889cd01f8df1509363c7ac0d8f7bfaa26b96dae25f288297e535a4e42ab9a5e9
-
C:\Users\Admin\AppData\Local\516d\b1b1.batFilesize
65B
MD50f0e2181bd7e755e5b4368f7bfa43bf4
SHA1057c40c16a76f83cc1801facaf88dcdbbc2ae98a
SHA256570a4e9ca1242958796a4910f07bbc802281964d32029d1050150524908560aa
SHA51238fd95b67cf9ff46224a1c379b1746c6666534a57f0f4f970ce9bc06e97c72b80cc4cbd99a01d3a37e7066a708d5609ac3cc4c234029c06725b32ee1cfcd74bb
-
memory/800-72-0x0000000005C50000-0x0000000005D2C000-memory.dmpFilesize
880KB
-
memory/800-65-0x00000000023E0000-0x0000000002420000-memory.dmpFilesize
256KB
-
memory/800-69-0x00000000023E0000-0x0000000002420000-memory.dmpFilesize
256KB
-
memory/800-70-0x0000000004F90000-0x0000000004F91000-memory.dmpFilesize
4KB
-
memory/800-71-0x0000000005C50000-0x0000000005D2C000-memory.dmpFilesize
880KB
-
memory/800-64-0x00000000023E0000-0x0000000002420000-memory.dmpFilesize
256KB
-
memory/800-76-0x0000000005C50000-0x0000000005D2C000-memory.dmpFilesize
880KB
-
memory/1232-99-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-109-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-73-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-77-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-217-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-79-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-81-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-83-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-85-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-87-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-89-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-91-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-93-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-95-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-97-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-127-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-101-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-103-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-105-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-107-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-108-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-126-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-110-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-113-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-114-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-116-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-115-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-118-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-117-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1232-119-0x0000000000220000-0x000000000036A000-memory.dmpFilesize
1.3MB
-
memory/1536-176-0x00000000001D0000-0x000000000031A000-memory.dmpFilesize
1.3MB
-
memory/1536-230-0x00000000001D0000-0x000000000031A000-memory.dmpFilesize
1.3MB
-
memory/1704-60-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB
-
memory/1704-56-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB
-
memory/1704-61-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB
-
memory/1704-66-0x0000000000400000-0x000000000045C5E8-memory.dmpFilesize
369KB
-
memory/1704-67-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB
-
memory/1704-130-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB
-
memory/1704-57-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB
-
memory/1704-54-0x0000000000400000-0x000000000045C5E8-memory.dmpFilesize
369KB
-
memory/1704-55-0x0000000001F80000-0x000000000205C000-memory.dmpFilesize
880KB