Analysis
max time kernel: 121s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 19:13
Behavioral task: behavioral1
Sample: 8d2006e02b3a574f7f50fb3852b4189f.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 8d2006e02b3a574f7f50fb3852b4189f.exe
Resource: win10v2004-20231215-en
General
Target: 8d2006e02b3a574f7f50fb3852b4189f.exe
Size: 674KB
MD5: 8d2006e02b3a574f7f50fb3852b4189f
SHA1: ad5ab323f222069d7d14b9e454e77063dba0d3b7
SHA256: cb7429fc7b021d46befc19a45f038c6dceb405587fa1be60f6e4e242b71f1557
SHA512: e547d368e06e397c46d0d4319c84b4c18e1a4804bece739b2f7aea266c527b17e9cd51e963bc329d982c9ecee714954f175183c989cbd704e39178cfbb3d96b1
SSDEEP: 12288:AUSZilVzaP8ca4n+edlNnGNfsg4yRuh10rHTcauTa6:AjgvaPtJnXhVhn103cauTa6
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage 2 IoCs
resource: behavioral1/memory/2768-2-0x0000000000060000-0x0000000000110000-memory.dmp, yara_rule: modiloader_stage2
resource: behavioral1/memory/1520-3-0x0000000000400000-0x00000000004B0000-memory.dmp, yara_rule: modiloader_stage2
Drops file in System32 directory 1 IoCs
File created: C:\Windows\SysWOW64\Fiele Ps.txt, Process: 8d2006e02b3a574f7f50fb3852b4189f.exe
Suspicious use of SetThreadContext 1 IoCs
PID 1520 set thread context of 2768, Process: 8d2006e02b3a574f7f50fb3852b4189f.exe, procid_target: 28
Modifies Internet Explorer settings
All entries below are under \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer and were made by IEXPLORE.EXE:
Set value (int) Recovery\PendingRecovery\AdminActive = "1"
Set value (int) SearchScopes\DownloadRetries = "3"
Key created DomainSuggestion
Key created GPU
Set value (str) Main\WindowsSearch\Version = "WS not running"
Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
Key created Recovery\PendingRecovery
Set value (int) Recovery\PendingRecovery\AdminActive = "0"
Key created Main
Key created LowRegistry
Key created Zoom
Key created Main
Key created PageSetup
Key created SearchScopes
Key created Toolbar
Set value (int) Recovery\AdminActive\{5E245071-C2C8-11EE-A5DE-CE253106968E} = "0"
Key created Main\WindowsSearch
Key created BrowserEmulation\LowMic
Key created IETld\LowMic
Key created IntelliForms
Key created Toolbar\WebBrowser
Set value (int) Main\CompatibilityFlags = "0"
Key created Recovery\AdminActive
Set value (str) Main\FullScreen = "no"
Set value (int) DomainSuggestion\NextUpdateDate = "413149499"
Key created InternetRegistry
Key created LowRegistry\DOMStorage
Key created LowRegistry\DontShowMeThisDialogAgain
Suspicious use of FindShellTrayWindow 1 IoCs
PID 2768, Process: IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
PID 2768, Process: IEXPLORE.EXE (2 hits)
PID 2740, Process: IEXPLORE.EXE (4 hits)
Suspicious use of WriteProcessMemory 9 IoCs
PID 1520 wrote to memory of 2768, Process: 8d2006e02b3a574f7f50fb3852b4189f.exe, procid_target: 28 (5 hits)
PID 2768 wrote to memory of 2740, Process: IEXPLORE.EXE, procid_target: 29 (4 hits)
Processes
1. C:\Users\Admin\AppData\Local\Temp\8d2006e02b3a574f7f50fb3852b4189f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8d2006e02b3a574f7f50fb3852b4189f.exe"
   PID: 1520
   - Drops file in System32 directory
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\program files\internet explorer\IEXPLORE.EXE (child of PID 1520)
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 2768
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (child of PID 2768)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
         PID: 2740
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads