Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/03/2024, 07:00
Static task: static1
Behavioral task: behavioral1
- Sample: Yeni sifaris siyahisi.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Yeni sifaris siyahisi.exe
- Resource: win10v2004-20240226-en
General
- Target: Yeni sifaris siyahisi.exe
- Size: 1.1MB
- MD5: 6826a90ade3cb684daeed5476c31faa3
- SHA1: d938a3a3cae14ae0954d3e0edd541c1bf50ce622
- SHA256: 1c60bc833a05be736fd6734552cf56281db65a3cb0c8004b3f94d88cf6c31a84
- SHA512: d6994bfc1a462bda203a6f3967e9bb8a1be8dc79db4a6474130f8348cc548ed0615a6f895313d015a02843304088fda369c5594beba21a27fdea8bf362aa34a1
- SSDEEP: 24576:llAinAzO5SRz+HJ0dkGdiNhp/BRaR6URr0GDp6eX:llAc5StANPpRaR6URrNp
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  resource | yara_rule
  behavioral2/memory/1920-2-0x0000000003FE0000-0x0000000004FE0000-memory.dmp | modiloader_stage2
- Executes dropped EXE (1 IoC)
  pid | Process
  1692 | sjype.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xdchywvk = "C:\\Users\\Public\\Xdchywvk.url" | Yeni sifaris siyahisi.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-H3YHZ8 = "\"C:\\Windows\\SysWOW64\\skype\\sjype.exe\"" | SndVol.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-H3YHZ8 = "\"C:\\Windows\\SysWOW64\\skype\\sjype.exe\"" | SndVol.exe
- Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\skype\sjype.exe | SndVol.exe
  File opened for modification | C:\Windows\SysWOW64\skype\sjype.exe | SndVol.exe
  File opened for modification | C:\Windows\SysWOW64\skype | SndVol.exe
- Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | SndVol.exe
- Script User-Agent (2 IoCs)
  Uses a user-agent string associated with a script host/environment.
  description | flow | ioc
  HTTP User-Agent header | 38 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header | 33 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | Process | procid_target
  PID 1920 wrote to memory of 672 | 1920 | Yeni sifaris siyahisi.exe | 101
  PID 1920 wrote to memory of 672 | 1920 | Yeni sifaris siyahisi.exe | 101
  PID 1920 wrote to memory of 672 | 1920 | Yeni sifaris siyahisi.exe | 101
  PID 1920 wrote to memory of 4364 | 1920 | Yeni sifaris siyahisi.exe | 102
  PID 1920 wrote to memory of 4364 | 1920 | Yeni sifaris siyahisi.exe | 102
  PID 1920 wrote to memory of 4364 | 1920 | Yeni sifaris siyahisi.exe | 102
  PID 1920 wrote to memory of 4364 | 1920 | Yeni sifaris siyahisi.exe | 102
  PID 4364 wrote to memory of 1692 | 4364 | SndVol.exe | 103
  PID 4364 wrote to memory of 1692 | 4364 | SndVol.exe | 103
  PID 4364 wrote to memory of 1692 | 4364 | SndVol.exe | 103
Processes
- C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe (PID: 1920)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\extrac32.exe (PID: 672)
    Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe C:\\Users\\Public\\Libraries\\Xdchywvk.PIF
  - C:\Windows\SysWOW64\SndVol.exe (PID: 4364)
    Command line: C:\Windows\System32\SndVol.exe
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\skype\sjype.exe (PID: 1692)
      Command line: "C:\Windows\SysWOW64\skype\sjype.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 220KB
  MD5: 5ac83d3d18f9b6e1c5b78bd712661524
  SHA1: 9ee22c8038e47a4935aeac113d3f2ee6f03a22c4
  SHA256: d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca
  SHA512: 2fc37b27836a4f0a4c61a5cd976e7452120585b86a615cce25108737337a9a02b73cc68c92b26fbb89a5cadbf3033ad0b6355cc5b7094f18318e3dbea1b84082