Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/03/2024, 18:57

Behavioral task behavioral1: sample 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe, resource win7-20240221-en
Behavioral task behavioral2: sample 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe, resource win10v2004-20240226-en (the results on this page are from behavioral2)
General
Target: 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe
Size: 326KB
MD5: 53689dd4a048d9e4439d08929ea6963b
SHA1: 05c486bb7e0c341ef191f7fc1e031aa727e05021
SHA256: 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff
SHA512: a8c8af08faaa6d2a0fc3c76be43f46ef92eb1b7005636d2f9cc433d114fdaf0ec6bff11431440cc8d53d6396bc299602d8bdc23ebad066389a84c39d0161d58b
SSDEEP: 3072:Ie2A0wxDqUpM5scww4chO+O1BmP5DG0sg3i4XZ9WvDZHwdRX/L+gP38XV:IsxD5cwohO+O1sVG0/pZ6iPC8
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Detects Windows executables referencing non-Windows User-Agents (3 IoCs)
yara_rule INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA matched in:
behavioral2/memory/2156-60-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-57-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-62-0x0000000000400000-0x0000000000414000-memory.dmp
ModiLoader Second Stage (3 IoCs)
yara_rule modiloader_stage2 matched in:
behavioral2/memory/2156-60-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-57-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-62-0x0000000000400000-0x0000000000414000-memory.dmp
UPX dump on OEP (original entry point) (17 IoCs)
yara_rule UPX matched in:
behavioral2/memory/5016-0-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-7-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/5016-9-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-10-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2280-11-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2280-14-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/files/0x000600000001da70-28.dat
behavioral2/memory/1164-35-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-39-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2156-49-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-56-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/1164-55-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-58-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2156-60-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-57-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/868-61-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2156-62-0x0000000000400000-0x0000000000414000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation (process: 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe)
Executes dropped EXE (3 IoCs)
PID 1164 csrsll.exe
PID 868 csrsll.exe
PID 2156 csrsll.exe

yara_rule upx (18 IoCs) matched in:
behavioral2/memory/5016-0-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-7-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/5016-9-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-10-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2280-11-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2280-14-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/files/0x000600000001da70-28.dat
behavioral2/memory/1164-35-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-39-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/1164-41-0x00000000021D0000-0x00000000021D2000-memory.dmp
behavioral2/memory/2156-49-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-56-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/1164-55-0x0000000000400000-0x0000000000454000-memory.dmp
behavioral2/memory/2280-58-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2156-60-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/2156-57-0x0000000000400000-0x0000000000414000-memory.dmp
behavioral2/memory/868-61-0x0000000000400000-0x000000000040B000-memory.dmp
behavioral2/memory/2156-62-0x0000000000400000-0x0000000000414000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" (process: reg.exe)
Suspicious use of SetThreadContext (3 IoCs)
PID 5016 set thread context of 2280 (336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe, procid_target 92)
PID 1164 set thread context of 868 (csrsll.exe, procid_target 101)
PID 1164 set thread context of 2156 (csrsll.exe, procid_target 102)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token: SeDebugPrivilege, PID 868 csrsll.exe (all 64 recorded events are this same token and process)
Suspicious use of SetWindowsHookEx (4 IoCs)
PID 5016 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe
PID 2280 336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe
PID 1164 csrsll.exe
PID 868 csrsll.exe
Suspicious use of WriteProcessMemory (33 IoCs, grouped by source/target pair)
PID 5016 wrote to memory of 2280: 8 events (336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe, procid_target 92)
PID 2280 wrote to memory of 2956: 3 events (336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe, procid_target 94)
PID 2956 wrote to memory of 220: 3 events (cmd.exe, procid_target 97)
PID 2280 wrote to memory of 1164: 3 events (336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe, procid_target 98)
PID 1164 wrote to memory of 868: 8 events (csrsll.exe, procid_target 101)
PID 1164 wrote to memory of 2156: 8 events (csrsll.exe, procid_target 102)
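The "Adds Run key to start application" signature records reg.exe (PID 220) writing HKCU\...\CurrentVersion\Run\Win Pdf with a payload under AppData\Roaming. The Python below is an added example, not part of the sandbox report or of any vendor's tooling: it parses a REG ADD command line as it appears in process-creation telemetry and returns the reasons it looks like user-level persistence (autorun key, payload in a user-writable directory, file name imitating a core Windows binary). SAMPLE_CMDLINE is copied from the report; the benign lines, the autorun-key and user-writable-directory lists, the system-binary list and the edit-distance threshold of 2 are the author's assumptions.

```python
"""Triage a recorded `REG ADD` command line for autorun persistence.

Added example, not from the sandbox report. SAMPLE_CMDLINE is the command line
the report records for reg.exe (PID 220); BENIGN_CMDLINES are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Autorun locations under either HKCU or HKLM, matched case-insensitively by suffix (assumption).
AUTORUN_KEY_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
# Directories a standard user can write to; legitimate autoruns rarely point here (assumption).
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
# Core Windows binaries whose names malware imitates, e.g. csrsll.exe vs csrss.exe (assumption).
SYSTEM_BINARIES = ("csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe", "explorer.exe")

SAMPLE_CMDLINE = (  # from the report, PID 220
    'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "Win Pdf" /t REG_SZ '
    '/d "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" /f'
)
BENIGN_CMDLINES = (  # constructed for contrast
    "reg add HKLM\\SOFTWARE\\Contoso\\Agent /v Interval /t REG_DWORD /d 30 /f",
    'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v OneDrive /t REG_SZ '
    '/d "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows argv split: honours double-quoted arguments, nothing more."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str] = None
    reg_type: Optional[str] = None
    data: Optional[str] = None
    force: bool = False


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return the parsed REG ADD, or None if the line is not a reg.exe add."""
    argv = split_cmdline(cmdline)
    if len(argv) < 3:
        return None
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    parsed = RegAdd(key=argv[2])
    opts = argv[3:]
    i = 0
    while i < len(opts):
        flag = opts[i].lower()
        if flag == "/f":
            parsed.force = True
            i += 1
        elif flag in ("/v", "/t", "/d") and i + 1 < len(opts):
            setattr(parsed, {"/v": "value_name", "/t": "reg_type", "/d": "data"}[flag], opts[i + 1])
            i += 2
        else:
            i += 1  # /ve, /s and anything unknown are skipped
    return parsed


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used for look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def autorun_findings(cmdline: str) -> list[str]:
    """Reasons the command looks like user-level persistence. An empty list means
    the line is not an autorun write at all, not that it is clean."""
    ra = parse_reg_add(cmdline)
    if ra is None or not ra.key.lower().endswith(AUTORUN_KEY_SUFFIXES):
        return []
    findings = [f"writes autorun value {ra.value_name!r} under {ra.key}"]
    data = (ra.data or "").lower()
    if any(d in data for d in USER_WRITABLE_DIRS):
        findings.append(f"payload lives in a user-writable directory: {ra.data}")
    basename = data.rsplit("\\", 1)[-1]
    for sysbin in SYSTEM_BINARIES:
        if basename != sysbin and _edit_distance(basename, sysbin) <= 2:
            findings.append(f"{basename} imitates system binary {sysbin}")
            break
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, *BENIGN_CMDLINES):
        print(line)
        for f in autorun_findings(line) or ["  (not an autorun write)"]:
            print("  -", f)
```

For the report's command line the three checks all fire: the Run key, the AppData\Roaming path and csrsll.exe sitting two edits away from csrss.exe. The constructed Program Files autorun yields only the first finding, which is the expected noise level for legitimate software, and the non-autorun HKLM write yields nothing.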
Processes
C:\Users\Admin\AppData\Local\Temp\336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe (PID 5016)
   command line: "C:\Users\Admin\AppData\Local\Temp\336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   C:\Users\Admin\AppData\Local\Temp\336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe (PID 2280)
      command line: "C:\Users\Admin\AppData\Local\Temp\336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe"
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 2956)
         command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WJLGE.bat" "
         - Suspicious use of WriteProcessMemory
         C:\Windows\SysWOW64\reg.exe (PID 220)
            command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
            - Adds Run key to start application
      C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (PID 1164)
         command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (PID 868)
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
         C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (PID 2156)
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
            - Executes dropped EXE
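The process tree, together with the WriteProcessMemory and SetThreadContext tables, is what an analyst uses to decide which processes were hollowed and therefore which memory to dump. The Python below is an added example, not from the report: it encodes those rows as events and applies the usual create, write, SetThreadContext sequence as the test for hollowing. PROCESSES and EVENTS are constructed from the report's rows; the Event and Hollowing types and the heuristic itself are the author's. Three parent/child pairs qualify (5016 -> 2280, 1164 -> 868, 1164 -> 2156), each a parent hollowing a fresh copy of its own image, while cmd.exe -> reg.exe, which also shows writes, does not. The modiloader_stage2 and non-Windows User-Agent yara matches all sit in PID 2156's memory, one of the hollowed children.

```python
"""Pull process-hollowing candidates out of sandbox behaviour rows.

Added example, not part of the report. PROCESSES and EVENTS are constructed
from the report's process tree and from its "Suspicious use of
WriteProcessMemory" and "Suspicious use of SetThreadContext" tables, one
Event per recorded row.
"""
from collections import Counter
from dataclasses import dataclass

LOADER = "336351a321353dffc3a7742b21dd9948e2cbb613f2ed152da6a1746adea5d8ff.exe"

# pid -> image name, taken from the process tree
PROCESSES = {
    5016: LOADER, 2280: LOADER, 2956: "cmd.exe", 220: "reg.exe",
    1164: "csrsll.exe", 868: "csrsll.exe", 2156: "csrsll.exe",
}


@dataclass(frozen=True)
class Event:
    kind: str    # "create" | "write_memory" | "set_thread_context"
    actor: int   # pid performing the action
    target: int  # pid acted upon


def _rows(kind: str, actor: int, target: int, n: int = 1) -> list[Event]:
    return [Event(kind, actor, target)] * n


EVENTS = (
    # parent/child edges from the process tree
    _rows("create", 5016, 2280) + _rows("create", 2280, 2956) + _rows("create", 2956, 220)
    + _rows("create", 2280, 1164) + _rows("create", 1164, 868) + _rows("create", 1164, 2156)
    # WriteProcessMemory rows: 8 + 3 + 3 + 3 + 8 + 8 = 33, matching the table header
    + _rows("write_memory", 5016, 2280, 8) + _rows("write_memory", 2280, 2956, 3)
    + _rows("write_memory", 2956, 220, 3) + _rows("write_memory", 2280, 1164, 3)
    + _rows("write_memory", 1164, 868, 8) + _rows("write_memory", 1164, 2156, 8)
    # SetThreadContext rows
    + _rows("set_thread_context", 5016, 2280) + _rows("set_thread_context", 1164, 868)
    + _rows("set_thread_context", 1164, 2156)
)


@dataclass(frozen=True)
class Hollowing:
    parent: int
    child: int
    writes: int
    same_image: bool  # parent hollowed a fresh copy of its own executable


def hollowing_candidates(events, processes) -> list[Hollowing]:
    """A parent that creates a child, writes into it and then sets a thread
    context in it has performed the classic hollowing sequence. Writes alone
    do not qualify: every parent here writes into the child it just spawned
    (cmd.exe -> reg.exe shows 3 writes) without ever touching a context."""
    created = {(e.actor, e.target) for e in events if e.kind == "create"}
    writes = Counter((e.actor, e.target) for e in events if e.kind == "write_memory")
    contexts = {(e.actor, e.target) for e in events if e.kind == "set_thread_context"}
    found = []
    for parent, child in sorted(created & contexts):
        if writes[(parent, child)]:
            found.append(Hollowing(parent, child, writes[(parent, child)],
                                   processes[parent] == processes[child]))
    return found


def hollowed_pids(found) -> set[int]:
    """The children to dump first: the injected code runs there, not in the
    parent that wrote it, which is where the stage-2 yara hits land."""
    return {h.child for h in found}


def describe(found, processes) -> list[str]:
    return [f"{processes[h.parent]}[{h.parent}] hollowed {processes[h.child]}[{h.child}] "
            f"after {h.writes} writes (same image: {h.same_image})" for h in found]


if __name__ == "__main__":
    found = hollowing_candidates(EVENTS, PROCESSES)
    for line in describe(found, PROCESSES):
        print(line)
    print("dump first:", sorted(hollowed_pids(found)))
```

Applied to real telemetry (Sysmon, an EDR's process-access events) the same three event kinds are available, so the function can be fed live data once the rows are mapped onto Event; the heuristic stays the same.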
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 145B
MD5: 4eb61ec7816c34ec8c125acadc57ec1b
SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

File 2 (same reported size as the submitted sample, different hashes)
Filesize: 326KB
MD5: d7870174490dc9c0227bde5deddd40fc
SHA1: 3398f09fea905e60f20daeb57ba0d06704ad46f0
SHA256: 66ae81c9e4aba39d098de6760688f4008c9831254ec2d5869e01ba0312dcca4c
SHA512: b36c59fb9da6bb10d7ebb8eb5ec8b0f20c56b3d09c17f22051074f38541ff5882e45d4ecc20f0f26da25b3218c437623f8c648f9b3823d96b14fed43d5ea2bfb