Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-05-2024 03:32
Static task: static1
Behavioral task: behavioral1
  Sample: d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
  Resource: win10v2004-20240426-en
General
Target: d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
Size: 308KB
MD5: 36fc6bf8eea3c87edebc4409c068fe3a
SHA1: 2ade6c0b9b019990d88dbeb9020a03f3ea79f0ee
SHA256: d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b
SHA512: ee589e2e0d9dd9da97bba9acc3fa33143118b5747903653fcd4a482a814bd9089a2fc243e18fcdb9075e0591ecd9dd56fd69fc8e159dd0a36ee2734f9b437792
SSDEEP: 3072:/c3sBG7mXh7m/zZM3jAbNOM6CNtDCZFL:E3sBz0Z4Mj72F
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Detects Windows executables referencing non-Windows User-Agents (4 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4636-45-0x0000000000400000-0x0000000000414000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral2/memory/4636-47-0x0000000000400000-0x0000000000414000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral2/memory/4636-46-0x0000000000400000-0x0000000000414000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  behavioral2/memory/4636-53-0x0000000000400000-0x0000000000414000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
ModiLoader Second Stage (4 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4636-45-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral2/memory/4636-47-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral2/memory/4636-46-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
  behavioral2/memory/4636-53-0x0000000000400000-0x0000000000414000-memory.dmp | modiloader_stage2
UPX dump on OEP (original entry point) (11 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/1684-4-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/1684-6-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/1684-7-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/4636-44-0x0000000000400000-0x0000000000414000-memory.dmp | UPX
  behavioral2/memory/4636-37-0x0000000000400000-0x0000000000414000-memory.dmp | UPX
  behavioral2/memory/4636-45-0x0000000000400000-0x0000000000414000-memory.dmp | UPX
  behavioral2/memory/4636-47-0x0000000000400000-0x0000000000414000-memory.dmp | UPX
  behavioral2/memory/4636-46-0x0000000000400000-0x0000000000414000-memory.dmp | UPX
  behavioral2/memory/1684-50-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/1152-52-0x0000000000400000-0x000000000040B000-memory.dmp | UPX
  behavioral2/memory/4636-53-0x0000000000400000-0x0000000000414000-memory.dmp | UPX
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  4884 | csrsll.exe
  1152 | csrsll.exe
  4636 | csrsll.exe
Processes:
  resource | yara_rule
  behavioral2/memory/1684-4-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1684-6-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1684-7-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4636-44-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4636-37-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4636-45-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4636-47-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/4636-46-0x0000000000400000-0x0000000000414000-memory.dmp | upx
  behavioral2/memory/1684-50-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/1152-52-0x0000000000400000-0x000000000040B000-memory.dmp | upx
  behavioral2/memory/4636-53-0x0000000000400000-0x0000000000414000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe" | reg.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description | pid | process | target process
  PID 4784 set thread context of 1684 | 4784 | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
  PID 4884 set thread context of 1152 | 4884 | csrsll.exe | csrsll.exe
  PID 4884 set thread context of 4636 | 4884 | csrsll.exe | csrsll.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1152 | csrsll.exe   (this identical row is reported 64 times)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid | process
  4784 | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
  1684 | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
  4884 | csrsll.exe
  1152 | csrsll.exe
Suspicious use of WriteProcessMemory (33 IoCs)
Processes:
  description | pid | process | target process | count
  PID 4784 wrote to memory of 1684 | 4784 | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe | 8
  PID 1684 wrote to memory of 4380 | 1684 | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe | cmd.exe | 3
  PID 4380 wrote to memory of 1104 | 4380 | cmd.exe | reg.exe | 3
  PID 1684 wrote to memory of 4884 | 1684 | d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe | csrsll.exe | 3
  PID 4884 wrote to memory of 1152 | 4884 | csrsll.exe | csrsll.exe | 8
  PID 4884 wrote to memory of 4636 | 4884 | csrsll.exe | csrsll.exe | 8
Processes
1. C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe"
   PID: 4784
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d59eb82f6d72b21a2328827d9649adcb744828d51426ccab3be006976176072b.exe"
      PID: 1684
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HVVJK.bat" "
         PID: 4380
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
            PID: 1104
            - Adds Run key to start application
      3. C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
         PID: 4884
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
            PID: 1152
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
         4. C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
            PID: 4636
            - Executes dropped EXE
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 145B
   MD5: 4eb61ec7816c34ec8c125acadc57ec1b
   SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
   SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
   SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1
2. Filesize: 308KB
   MD5: d13fcf8e04651481194ad6eeb1bd17cd
   SHA1: e3bdee4329ac3ffebae7d7a9541321adb7cf3ebc
   SHA256: 59846548debc71de1cb28405b4e3db3eb5e49cad9af98047ef5ec86b6d175ecf
   SHA512: 10f07694a2921744cb9233c711e9e0218c3a29360686fd156c646b067fa194c2f0ab2bc05aa677ec11341da80b80069b73d0c0a5908f022a17bcd0bcfd73b92c