Malware Analysis Report

2024-10-19 08:28

Sample ID 240125-v7hcdabgh5
Target 751ccd064c1ac4acc94a598ac44188bc
SHA256 bd23a1d50b766ffb72a9e8817deef5e55af7fbe1ae58d6575df050dc84f2d496
Tags
upx modiloader trojan kinsing loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

bd23a1d50b766ffb72a9e8817deef5e55af7fbe1ae58d6575df050dc84f2d496

Threat Level: Known bad

The file 751ccd064c1ac4acc94a598ac44188bc was found to be: Known bad.

Malicious Activity Summary

upx modiloader trojan kinsing loader

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Kinsing

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Unsigned PE

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:37

Signatures

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modiloader family

modiloader

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:40

Platform

win7-20231215-en

Max time kernel

140s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe

"C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe"

Network

N/A

Files

memory/2300-3-0x0000000000400000-0x000000000041B000-memory.dmp

\Program Files\Common Files\Microsoft Shared\MSInfo\SysInfo.wmp

MD5 57cffe60faa60555d5910b5e0b77c052
SHA1 3d10e2dee7f4ad52d135f5d47a3f84e0334f760a
SHA256 2447a827cf3dc48b2085bb0576ef966da5e1a19dc1dfb561e9b079118a3bf317
SHA512 46cb1083c10da9f3d37487b601ffd44d39f65fc66d2a67a85fc843b959853e4bb4f21bf29a0ad1e809255e265701c9a0eb05b945fcb8a0bab68d98f36b39476d

memory/2300-6-0x0000000000400000-0x000000000041B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:37

Reported

2024-01-25 17:40

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe"

Signatures

Kinsing

loader kinsing

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.wmp | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\SysInfo.dll | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe

"C:\Users\Admin\AppData\Local\Temp\751ccd064c1ac4acc94a598ac44188bc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp

Files

memory/3960-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Common Files\microsoft shared\MSInfo\SysInfo.wmp

MD5 57cffe60faa60555d5910b5e0b77c052
SHA1 3d10e2dee7f4ad52d135f5d47a3f84e0334f760a
SHA256 2447a827cf3dc48b2085bb0576ef966da5e1a19dc1dfb561e9b079118a3bf317
SHA512 46cb1083c10da9f3d37487b601ffd44d39f65fc66d2a67a85fc843b959853e4bb4f21bf29a0ad1e809255e265701c9a0eb05b945fcb8a0bab68d98f36b39476d

memory/3960-8-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/3960-4-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3960-11-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3960-12-0x00000000005C0000-0x00000000005D0000-memory.dmp

memory/3960-28-0x00000000005C0000-0x00000000005D0000-memory.dmp