Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/01/2024, 00:13

General

  • Target

    6e350d1e48ed8f2515c30714db2343a2.exe

  • Size

    202KB

  • MD5

    6e350d1e48ed8f2515c30714db2343a2

  • SHA1

    4dc58271ae88ccb0014a5dbe89583b96af0b4d0e

  • SHA256

    2da5fccb18e96468e1c327ae2d2dc072106dfd5f4e1f70ae71d10541221d5c22

  • SHA512

    38deabf8ff764c085ddb4fc135434b52627337df59c942ccbf7f423dc9abfa89a7057b32ac138f025325a54da2ff94fd44c2c077528ac81193f2876b728e2010

  • SSDEEP

    6144:Oz5qIMMQ7j7UGSaJxF+hzzyymJRJq6muwDGbFZAxNt+:aja7XmaJfemJRg6jwapZ

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage (3 IoCs)
  • Drops file in Drivers directory (4 IoCs)
  • Deletes itself (1 IoC)
  • Executes dropped EXE (46 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Program crash (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e350d1e48ed8f2515c30714db2343a2.exe
    "C:\Users\Admin\AppData\Local\Temp\6e350d1e48ed8f2515c30714db2343a2.exe"
    1⤵
    • Drops file in Windows directory
    PID:3544
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Drops file in Drivers directory
    • Deletes itself
    • Executes dropped EXE
    PID:3716
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3448
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1184
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3416
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4952
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:864
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:5032
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4432
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:980
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1028
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4468
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:212
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2848
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2932
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1664
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2088
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3136
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3432
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4504
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3640
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4048
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2232
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3408
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:872
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2420
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1896
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:768
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3128
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:956
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3860
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2604
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:924
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3916
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1900
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4028
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3148
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    PID:3868
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1196
      2⤵
      • Program crash
      PID:4892
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3868 -ip 3868
    1⤵
    PID:5044
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    PID:1044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1184
      2⤵
      • Program crash
      PID:408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044
    1⤵
    PID:4244
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1976
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:2320
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Drops file in Drivers directory
    • Executes dropped EXE
    PID:4248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1196
      2⤵
      • Program crash
      PID:4428
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4248 -ip 4248
    1⤵
    PID:3536
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3700
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1948
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:3936
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:4012
  • C:\Windows\security\svchost.exe
    "C:\Windows\security\svchost.exe"
    1⤵
    • Executes dropped EXE
    PID:1428

Downloads

  • C:\Windows\SysWOW64\drivers\sysdrv32.sys
    Filesize: 11KB
    MD5: 0e219b74e2c68a34ca09d8fe114f6d11
    SHA1: 153554e644907d1e4e73b0660a7d0c3213691a6b
    SHA256: 163ef2a2f46fa6c20f45e51cbbcd56dcca6032eb791866967013882a25bb3a8f
    SHA512: 8a3120729b1e3fd441b83c9866fd2bc548cf2502ff723e2098c2cbddae41dc4a9ff73577bf426b71832fb0ec5e2b7d2a407205371f97a1feb81cb4b481f78f13

  • C:\Windows\security\svchost.exe
    Filesize: 193KB
    MD5: cc5f84a60be521ed0b5b24b254a2d59e
    SHA1: e45df273417c13fa674f1f6a5ff36f2040bdd936
    SHA256: 6e39e2fac917e991aa3d0a9bc3eae6847d3187ea0a8e72811adf64a2ac67aad4
    SHA512: 1cac4425f67805566e2ee51d4809ac823e2041f71cff4b0cb9d80b1642548079629b4aa62b57dfc2dcb42ecdc58d4f0b53f522f764e9ab04531b0a5c5bfb5c02

  • C:\Windows\security\svchost.exe
    Filesize: 93KB
    MD5: 2e4e0ed6cfeb234b036e1743b82a7574
    SHA1: 7273963443fd21bf904532238585ace86ad18c01
    SHA256: 81e34c3533170ce2bfa1736f9abb1a217d6e166b432c953ec70ebe0725d61227
    SHA512: 5f40512d43694d80d90a917f46b3cc6ec75460b05039fc1f2dd93123393f139b855709dfdfa3026bbf72c34bc92e8acb0b1e6c1a829de84bbe30a427578861bf

  • C:\Windows\security\svchost.exe
    Filesize: 202KB
    MD5: 6e350d1e48ed8f2515c30714db2343a2
    SHA1: 4dc58271ae88ccb0014a5dbe89583b96af0b4d0e
    SHA256: 2da5fccb18e96468e1c327ae2d2dc072106dfd5f4e1f70ae71d10541221d5c22
    SHA512: 38deabf8ff764c085ddb4fc135434b52627337df59c942ccbf7f423dc9abfa89a7057b32ac138f025325a54da2ff94fd44c2c077528ac81193f2876b728e2010
