Analysis
- max time kernel: 147s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22/01/2024, 00:13
Behavioral task behavioral1
- Sample: 6e350d1e48ed8f2515c30714db2343a2.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: 6e350d1e48ed8f2515c30714db2343a2.exe
- Resource: win10v2004-20231222-en
General
- Target: 6e350d1e48ed8f2515c30714db2343a2.exe
- Size: 202KB
- MD5: 6e350d1e48ed8f2515c30714db2343a2
- SHA1: 4dc58271ae88ccb0014a5dbe89583b96af0b4d0e
- SHA256: 2da5fccb18e96468e1c327ae2d2dc072106dfd5f4e1f70ae71d10541221d5c22
- SHA512: 38deabf8ff764c085ddb4fc135434b52627337df59c942ccbf7f423dc9abfa89a7057b32ac138f025325a54da2ff94fd44c2c077528ac81193f2876b728e2010
- SSDEEP: 6144:Oz5qIMMQ7j7UGSaJxF+hzzyymJRJq6muwDGbFZAxNt+:aja7XmaJfemJRg6jwapZ
Malware Config
- Extracted: metasploit
- Encoder: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x00070000000231ed-4.dat | modiloader_stage2
  behavioral2/files/0x00070000000231ed-27.dat | modiloader_stage2
  behavioral2/files/0x00070000000231ed-33.dat | modiloader_stage2
- Drops file in Drivers directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\drivers\sysdrv32.sys | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\sysdrv32.sys | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\sysdrv32.sys | svchost.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\sysdrv32.sys | svchost.exe
- Deletes itself (1 IoC)
  pid | Process
  3716 | svchost.exe
- Executes dropped EXE (46 IoCs)
  Process: svchost.exe for every pid listed
  pids: 3716, 3448, 1184, 3416, 4952, 864, 5032, 4432, 980, 1028, 4468, 212, 2848, 2932, 1664, 2088, 3136, 3432, 4504, 3640, 4048, 2232, 3408, 872, 2420, 1896, 768, 3128, 956, 3860, 2604, 924, 3916, 1900, 4028, 3148, 3868, 1044, 1976, 2320, 4248, 3700, 1948, 3936, 4012, 1428
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\security\svchost.exe | 6e350d1e48ed8f2515c30714db2343a2.exe
  File opened for modification | C:\Windows\security\svchost.exe | 6e350d1e48ed8f2515c30714db2343a2.exe
- Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  4892 | 3868 | WerFault.exe | 144
  408 | 1044 | WerFault.exe | 147
  4428 | 4248 | WerFault.exe | 152
Processes (command line, PID, triggered signatures; indented entries are child processes)
- "C:\Users\Admin\AppData\Local\Temp\6e350d1e48ed8f2515c30714db2343a2.exe" (PID 3544): Drops file in Windows directory
- "C:\Windows\security\svchost.exe" (PID 3716): Drops file in Drivers directory; Deletes itself; Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3448): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1184): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3416): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4952): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 864): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 5032): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4432): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 980): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1028): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4468): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 212): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2848): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2932): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1664): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2088): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3136): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3432): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4504): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3640): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4048): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2232): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3408): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 872): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2420): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1896): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 768): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3128): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 956): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3860): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2604): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 924): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3916): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1900): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4028): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3148): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3868): Drops file in Drivers directory; Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1196 (PID 4892): Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3868 -ip 3868 (PID 5044)
- "C:\Windows\security\svchost.exe" (PID 1044): Drops file in Drivers directory; Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 1184 (PID 408): Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1044 -ip 1044 (PID 4244)
- "C:\Windows\security\svchost.exe" (PID 1976): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 2320): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4248): Drops file in Drivers directory; Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1196 (PID 4428): Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4248 -ip 4248 (PID 3536)
- "C:\Windows\security\svchost.exe" (PID 3700): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1948): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 3936): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 4012): Executes dropped EXE
- "C:\Windows\security\svchost.exe" (PID 1428): Executes dropped EXE
Downloads
- Filesize: 11KB
  MD5: 0e219b74e2c68a34ca09d8fe114f6d11
  SHA1: 153554e644907d1e4e73b0660a7d0c3213691a6b
  SHA256: 163ef2a2f46fa6c20f45e51cbbcd56dcca6032eb791866967013882a25bb3a8f
  SHA512: 8a3120729b1e3fd441b83c9866fd2bc548cf2502ff723e2098c2cbddae41dc4a9ff73577bf426b71832fb0ec5e2b7d2a407205371f97a1feb81cb4b481f78f13
- Filesize: 193KB
  MD5: cc5f84a60be521ed0b5b24b254a2d59e
  SHA1: e45df273417c13fa674f1f6a5ff36f2040bdd936
  SHA256: 6e39e2fac917e991aa3d0a9bc3eae6847d3187ea0a8e72811adf64a2ac67aad4
  SHA512: 1cac4425f67805566e2ee51d4809ac823e2041f71cff4b0cb9d80b1642548079629b4aa62b57dfc2dcb42ecdc58d4f0b53f522f764e9ab04531b0a5c5bfb5c02
- Filesize: 93KB
  MD5: 2e4e0ed6cfeb234b036e1743b82a7574
  SHA1: 7273963443fd21bf904532238585ace86ad18c01
  SHA256: 81e34c3533170ce2bfa1736f9abb1a217d6e166b432c953ec70ebe0725d61227
  SHA512: 5f40512d43694d80d90a917f46b3cc6ec75460b05039fc1f2dd93123393f139b855709dfdfa3026bbf72c34bc92e8acb0b1e6c1a829de84bbe30a427578861bf
- Filesize: 202KB (the submitted sample)
  MD5: 6e350d1e48ed8f2515c30714db2343a2
  SHA1: 4dc58271ae88ccb0014a5dbe89583b96af0b4d0e
  SHA256: 2da5fccb18e96468e1c327ae2d2dc072106dfd5f4e1f70ae71d10541221d5c22
  SHA512: 38deabf8ff764c085ddb4fc135434b52627337df59c942ccbf7f423dc9abfa89a7057b32ac138f025325a54da2ff94fd44c2c077528ac81193f2876b728e2010