Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-05-2024 03:32

General

  • Target

    d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe

  • Size

    308KB

  • MD5

    36fc6bf8eea3c87edebc4409c068fe3a

  • SHA1

    2ade6c0b9b019990d88dbeb9020a03f3ea79f0ee

  • SHA256

    d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b

  • SHA512

    ee589e2e0d9dd9da97bba9acc3fa33143118b5747903653fcd4a482a814bd9089a2fc243e18fcdb9075e0591ecd9dd56fd69fc8e159dd0a36ee2734f9b437792

  • SSDEEP

    3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • ModiLoader Second Stage 1 IoCs
  • UPX dump on OEP (original entry point) 9 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
    "C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
      "C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:92436
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\TXJKH.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:92732
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
          4⤵
          • Adds Run key to start application
          PID:92824
      • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:92860
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:23272
        • C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
          4⤵
          • Executes dropped EXE
          PID:23368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\TXJKH.bat

    Filesize

    145B

    MD5

    4eb61ec7816c34ec8c125acadc57ec1b

    SHA1

    b0015cc865c0bb1a027be663027d3829401a31cc

    SHA256

    08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff

    SHA512

    f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1

  • \Users\Admin\AppData\Roaming\Microsoft\csrsll.exe

    Filesize

    308KB

    MD5

    c35f57473e0d484bb6a972ace2eb93d0

    SHA1

    211a5d892f6f90200123b9aac6d1cc00424a91c9

    SHA256

    783e6381e98a2aaa7e075ec809b5122cf0ef36a6168c2af5dee70f53bebba3e2

    SHA512

    0cc0efc21634ba4ce2ec4e2636ed9553373d80bd81e10737318dc6d9942ed4eddb6f3faccbcd05183e99f5ebf2b7635ceda93e6b7526dfd545942694121c2ebe

  • memory/3000-0-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

  • memory/3000-3-0x0000000000270000-0x0000000000271000-memory.dmp

    Filesize

    4KB

  • memory/23272-147848-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/23368-147849-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/23368-147834-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/92436-73925-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-73924-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-73923-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-73922-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/92436-90364-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-73920-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-147842-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-73918-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92436-73916-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/92860-73965-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB