Analysis

  • max time kernel: 146s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240226-en
  • resource tags:
    • arch:x64
    • arch:x86
    • image:win10v2004-20240226-en
    • locale:en-us
    • os:windows10-2004-x64
    • system
  • submitted: 26/03/2024, 07:00

General

  • Target: Yeni sifaris siyahisi.exe
  • Size: 1.1MB
  • MD5: 6826a90ade3cb684daeed5476c31faa3
  • SHA1: d938a3a3cae14ae0954d3e0edd541c1bf50ce622
  • SHA256: 1c60bc833a05be736fd6734552cf56281db65a3cb0c8004b3f94d88cf6c31a84
  • SHA512: d6994bfc1a462bda203a6f3967e9bb8a1be8dc79db4a6474130f8348cc548ed0615a6f895313d015a02843304088fda369c5594beba21a27fdea8bf362aa34a1
  • SSDEEP: 24576:llAinAzO5SRz+HJ0dkGdiNhp/BRaR6URr0GDp6eX:llAc5StANPpRaR6URrNp

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in System32 directory 3 IoCs
  • Modifies registry class 1 IoCs
  • Script User-Agent 2 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe
    "C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\extrac32.exe
      C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe C:\\Users\\Public\\Libraries\\Xdchywvk.PIF
      2⤵
        PID:672
      • C:\Windows\SysWOW64\SndVol.exe
        C:\Windows\System32\SndVol.exe
        2⤵
        • Adds Run key to start application
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4364
        • C:\Windows\SysWOW64\skype\sjype.exe
          "C:\Windows\SysWOW64\skype\sjype.exe"
          3⤵
          • Executes dropped EXE
          PID:1692

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\skype\sjype.exe
    • Filesize: 220KB
    • MD5: 5ac83d3d18f9b6e1c5b78bd712661524
    • SHA1: 9ee22c8038e47a4935aeac113d3f2ee6f03a22c4
    • SHA256: d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca
    • SHA512: 2fc37b27836a4f0a4c61a5cd976e7452120585b86a615cce25108737337a9a02b73cc68c92b26fbb89a5cadbf3033ad0b6355cc5b7094f18318e3dbea1b84082
  • memory/1920-0-0x0000000000800000-0x0000000000801000-memory.dmp
    • Filesize: 4KB
  • memory/1920-1-0x0000000003FE0000-0x0000000004FE0000-memory.dmp
    • Filesize: 16.0MB
  • memory/1920-2-0x0000000003FE0000-0x0000000004FE0000-memory.dmp
    • Filesize: 16.0MB
  • memory/1920-4-0x0000000000400000-0x0000000000527000-memory.dmp
    • Filesize: 1.2MB