Analysis
max time kernel: 150s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-02-2024 22:10
Behavioral task: behavioral1
  Sample: a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe
  Resource: win10v2004-20240226-en
General
Target: a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe
Size: 81KB
MD5: 120fc4b8089f3e0b8c37cc6fe99527a4
SHA1: 0223c0f378a2121522739c96264e76245d8c34f2
SHA256: a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7
SHA512: a3450d5ff51ff1f2ad9e735d9478c6efc21c5ccd1eb68434287fc81465dc9ed4457a79766e0f34384453fc74544dd394be07a4c542df2be8876b09713407f32a
SSDEEP: 1536:bWPv13GIJ+cbqWvhzCeJtjxPwFV1FJi1oDb/twZyBiGVvdLuwoSjBH:bWP6ceWvhzJP2woftwQiGhdywoI
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (1 IoC)
  resource: behavioral2/memory/1988-30-0x0000000000400000-0x000000000041B000-memory.dmp
  yara_rule: modiloader_stage2
Modifies Windows Firewall (2 TTPs, 2 IoCs)
  - PID 1956: netsh.exe
  - PID 4540: netsh.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (process: a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (process: clener.exe)
Drops startup file (4 IoCs)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2c0291b8e251a997c188028968b747b.exe (process: dlhost.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22358c6b282a2a0eb26ff1e1403a0595.exe (process: clener.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\22358c6b282a2a0eb26ff1e1403a0595.exe (process: clener.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d2c0291b8e251a997c188028968b747b.exe (process: dlhost.exe)
Executes dropped EXE (4 IoCs)
  - PID 3004: shodanEngine.exe
  - PID 2740: clener.exe
  - PID 3684: dlhost.exe
  - PID 1636: clener.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22358c6b282a2a0eb26ff1e1403a0595 = "\"C:\\Users\\Admin\\AppData\\Roaming\\clener.exe\" .." (process: clener.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\22358c6b282a2a0eb26ff1e1403a0595 = "\"C:\\Users\\Admin\\AppData\\Roaming\\clener.exe\" .." (process: clener.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d2c0291b8e251a997c188028968b747b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlhost.exe\" .." (process: dlhost.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\d2c0291b8e251a997c188028968b747b = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dlhost.exe\" .." (process: dlhost.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
The 64 entries are repetitions of six distinct token adjustments (description / pid / Process):
  - Token: SeDebugPrivilege | 3684 | dlhost.exe
  - Token: 33 | 3684 | dlhost.exe
  - Token: SeIncBasePriorityPrivilege | 3684 | dlhost.exe
  - Token: SeDebugPrivilege | 1636 | clener.exe
  - Token: 33 | 1636 | clener.exe
  - Token: SeIncBasePriorityPrivilege | 1636 | clener.exe
SeDebugPrivilege is enabled once by each of PID 3684 (dlhost.exe) and PID 1636 (clener.exe); the remaining entries are alternating pairs of Token 33 and SeIncBasePriorityPrivilege adjustments by the same two processes.
Suspicious use of SetWindowsHookEx (2 IoCs)
  - PID 3004: shodanEngine.exe
  - PID 3004: shodanEngine.exe
Suspicious use of WriteProcessMemory (18 IoCs)
Each write below is reported three times (description / pid / Process / procid_target):
  - PID 1988 wrote to memory of 3004 | 1988 | a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe | 95
  - PID 1988 wrote to memory of 2740 | 1988 | a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe | 96
  - PID 1988 wrote to memory of 3684 | 1988 | a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe | 97
  - PID 2740 wrote to memory of 1636 | 2740 | clener.exe | 100
  - PID 3684 wrote to memory of 1956 | 3684 | dlhost.exe | 101
  - PID 1636 wrote to memory of 4540 | 1636 | clener.exe | 103
Processes
C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a87e5df2fd734bb8bf0ee6395289065506e7064b266b90714e9c35b4d2f6c4c7.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1988
  C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\shodanEngine.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID: 3004
  C:\Users\Admin\AppData\Local\Temp\clener.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\clener.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2740
    C:\Users\Admin\AppData\Roaming\clener.exe
      command line: "C:\Users\Admin\AppData\Roaming\clener.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1636
      C:\Windows\SysWOW64\netsh.exe
        command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\clener.exe" "clener.exe" ENABLE
        - Modifies Windows Firewall
        PID: 4540
  C:\Users\Admin\AppData\Local\Temp\dlhost.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\dlhost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3684
    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\dlhost.exe" "dlhost.exe" ENABLE
      - Modifies Windows Firewall
      PID: 1956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4152 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8
  PID: 2448
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  - Create or Modify System Process (1): Windows Service (1)
Downloads