Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-05-2024 00:41
Behavioral task: behavioral1
- Sample: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
- Resource: win10v2004-20240419-en
General
- Target: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
- Size: 90KB
- MD5: c3e2153caa82f1662f0ee4fce86ec9ad
- SHA1: dc185493143192a39a231ef5bea22632bca853b6
- SHA256: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7
- SHA512: 9acc96a17b95c2bcd3b50e6b0bc52a1768ff5083b8c9be63cbd83e372f1620fcc2078b19f13a6d15edec5419edadd57271cc617c7cafb8b99a98b71c2d067487
- SSDEEP: 1536:UiYwjQt6QJvzZsgDIWzm/xsXfv+hYhyQQyV5uv4JBrB7w5VRGulTG1ZCL8nj1oDK:0wjZQJvzZsgsW6/Afv+hYfQIm4/rdE3Y
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Detects Windows executables referencing non-Windows User-Agents  (5 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1252-56-0x0000000000400000-0x0000000000414000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
    behavioral2/memory/1252-55-0x0000000000400000-0x0000000000414000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
    behavioral2/memory/1252-54-0x0000000000400000-0x0000000000414000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
    behavioral2/memory/1252-52-0x0000000000400000-0x0000000000414000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
    behavioral2/memory/1252-61-0x0000000000400000-0x0000000000414000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- ModiLoader Second Stage  (5 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/1252-56-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
    behavioral2/memory/1252-55-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
    behavioral2/memory/1252-54-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
    behavioral2/memory/1252-52-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
    behavioral2/memory/1252-61-0x0000000000400000-0x0000000000414000-memory.dmp   modiloader_stage2
- UPX dump on OEP (original entry point)  (18 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4988-0-0x0000000000400000-0x0000000000453000-memory.dmp    UPX
    behavioral2/memory/1412-3-0x0000000000400000-0x000000000040B000-memory.dmp    UPX
    behavioral2/memory/1412-10-0x0000000000400000-0x000000000040B000-memory.dmp   UPX
    behavioral2/memory/1412-12-0x0000000000400000-0x000000000040B000-memory.dmp   UPX
    behavioral2/memory/4988-13-0x0000000000400000-0x0000000000453000-memory.dmp   UPX
    C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe                           UPX
    behavioral2/memory/3504-37-0x0000000000400000-0x0000000000453000-memory.dmp   UPX
    behavioral2/memory/3504-47-0x0000000000400000-0x0000000000453000-memory.dmp   UPX
    behavioral2/memory/1252-56-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
    behavioral2/memory/1412-59-0x0000000000400000-0x000000000040B000-memory.dmp   UPX
    behavioral2/memory/1252-55-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
    behavioral2/memory/1252-54-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
    behavioral2/memory/1832-53-0x0000000000400000-0x000000000040B000-memory.dmp   UPX
    behavioral2/memory/1252-52-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
    behavioral2/memory/1252-50-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
    behavioral2/memory/1252-45-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
    behavioral2/memory/1832-60-0x0000000000400000-0x000000000040B000-memory.dmp   UPX
    behavioral2/memory/1252-61-0x0000000000400000-0x0000000000414000-memory.dmp   UPX
- Checks computer location settings  (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
    description         ioc                                                                                            process
    Key value queried   \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
- Executes dropped EXE  (3 IoCs)
  Processes: csrsll.exe, csrsll.exe, csrsll.exe
    pid    process
    3504   csrsll.exe
    1832   csrsll.exe
    1252   csrsll.exe
- Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4988-0-0x0000000000400000-0x0000000000453000-memory.dmp    upx
    behavioral2/memory/1412-3-0x0000000000400000-0x000000000040B000-memory.dmp    upx
    behavioral2/memory/1412-10-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/1412-12-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/4988-13-0x0000000000400000-0x0000000000453000-memory.dmp   upx
    C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe                           upx
    behavioral2/memory/3504-37-0x0000000000400000-0x0000000000453000-memory.dmp   upx
    behavioral2/memory/3504-47-0x0000000000400000-0x0000000000453000-memory.dmp   upx
    behavioral2/memory/1252-56-0x0000000000400000-0x0000000000414000-memory.dmp   upx
    behavioral2/memory/1412-59-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/1252-55-0x0000000000400000-0x0000000000414000-memory.dmp   upx
    behavioral2/memory/1252-54-0x0000000000400000-0x0000000000414000-memory.dmp   upx
    behavioral2/memory/1832-53-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/1252-52-0x0000000000400000-0x0000000000414000-memory.dmp   upx
    behavioral2/memory/1252-50-0x0000000000400000-0x0000000000414000-memory.dmp   upx
    behavioral2/memory/1252-45-0x0000000000400000-0x0000000000414000-memory.dmp   upx
    behavioral2/memory/1832-60-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/1252-61-0x0000000000400000-0x0000000000414000-memory.dmp   upx
- Adds Run key to start application  (2 TTPs, 1 IoCs)
  Processes: reg.exe
    description       ioc                                                                                                                                                                          process
    Set value (str)   \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"   reg.exe
- Suspicious use of SetThreadContext  (3 IoCs)
  Processes: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe, csrsll.exe
    description                            pid    process                                                                   target process
    PID 4988 set thread context of 1412    4988   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
    PID 3504 set thread context of 1832    3504   csrsll.exe                                                                csrsll.exe
    PID 3504 set thread context of 1252    3504   csrsll.exe                                                                csrsll.exe
- Enumerates physical storage devices  (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken  (64 IoCs)
  Processes: csrsll.exe
    description               pid    process
    Token: SeDebugPrivilege   1832   csrsll.exe   (this identical row appears 64 times, one per IoC)
- Suspicious use of SetWindowsHookEx  (4 IoCs)
  Processes: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe, 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe, csrsll.exe, csrsll.exe
    pid    process
    4988   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
    1412   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
    3504   csrsll.exe
    1832   csrsll.exe
- Suspicious use of WriteProcessMemory  (33 IoCs)
  Processes: 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe, 960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe, cmd.exe, csrsll.exe
    description                          pid    process                                                                   target process                                                            rows
    PID 4988 wrote to memory of 1412     4988   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe   8
    PID 1412 wrote to memory of 1756     1412   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe   cmd.exe                                                                   3
    PID 1756 wrote to memory of 3688     1756   cmd.exe                                                                   reg.exe                                                                   3
    PID 1412 wrote to memory of 3504     1412   960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe   csrsll.exe                                                                3
    PID 3504 wrote to memory of 1832     3504   csrsll.exe                                                                csrsll.exe                                                                8
    PID 3504 wrote to memory of 1252     3504   csrsll.exe                                                                csrsll.exe                                                                8
  (The "rows" column gives how many identical entries the report lists for that line; the six lines total 33 IoCs.)
Processes
- C:\Users\Admin\AppData\Local\Temp\960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe"
  PID: 4988
  Signatures: Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\960bea688cbe2f6decb6efa664efb8b1c32f34e3c8b8added1167a9fdf6fc3a7.exe"
    PID: 1412
    Signatures: Checks computer location settings; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCAEH.bat" "
      PID: 1756
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
        PID: 3688
        Signatures: Adds Run key to start application
    - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      PID: 3504
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        PID: 1832
        Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        PID: 1252
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: 4eb61ec7816c34ec8c125acadc57ec1b
  SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
  SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
  SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1
- Filesize: 90KB
  MD5: 9fb3d8a396da7f7a9576926ecff699ff
  SHA1: 4d4b326d676bf4bdb2a9224f6fb4917a1928e5e1
  SHA256: a776313d4d34b797e953054b04797f1eec8123dde377a193e69d5d72210e5903
  SHA512: 58d5fe6537e2053cd3417a36d20d8ce981978926989943cc3a45a6a369b49e4eef97d4463ca0dafdc8506bc580a86a8cf77270900b2510637f2b5ce9823e0b57