Analysis

  • max time kernel
    300s
  • max time network
    298s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    04-05-2024 18:36

General

  • Target

    WinLocker_Builder_0.4.exe

  • Size

    699KB

  • MD5

    81dd862410af80c9d2717af912778332

  • SHA1

    8f1df476f58441db5973ccfdc211c8680808ffe1

  • SHA256

    60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

  • SHA512

    8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15

  • SSDEEP

    12288:0L/xX5KVeOnuH/u1Wig295xsmVXf6AaQLmEc+pdmWSwIHUOS6Vp:0bxpUz13g27raQmEcomWSHHUD

Score
10/10

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • ModiLoader Second Stage 20 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe
    "C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\Upx.exe
      "C:\Users\Admin\AppData\Local\Temp\Upx.exe" "C:\Users\Admin\Desktop\asd.exe"
      2⤵
      • Executes dropped EXE
      PID:868
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:4144
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:1124
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:2492
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:2976
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:4668
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:3940
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:3176
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:4376
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:776
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
    PID:4464

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize: 14KB
    MD5: f636bb22c96d1d096ff4d6140f045a97
    SHA1: f0afce8b0a5c82fb52c70be4cdce039a7fff7cbc
    SHA256: 9ee21216db71d8e730a5decee8d1e6a166470c38096cb716491e11759453f52a
    SHA512: 20fd5108fa5cdc77bb325385968d3fd048c536f8ac51e7f66f51fe8e367c8cce35f93d3fc931a5c43945df3a1681e46191d00782e19b01e8975b50beb90e0b36

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize: 14KB
    MD5: a1e53a66fae6381feb626622d4608a86
    SHA1: fd0ba6b10878bba45bab306bb89020b7d6233d76
    SHA256: 33f0f4861ddcd5fea204612598a89d50aafd7750426a19bdaee401dde0f093a6
    SHA512: 9bf4ec9f975b63faed933bdd301c8a312c940ce89732355f47e3ad2a661534db7c13747bb799e1709399032cb1ccef997ccd3f4f80853ca2f63ab6010e1db001

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
    Filesize: 14KB
    MD5: 867c71eff6afffc64e7f41954bd2cb75
    SHA1: 25af5fd9e3d090aa1d99093eb33fb40c62e5d7e6
    SHA256: c00505ed4ec8951a3d2a4374ac2c7cc01affdc03d2d81da1006c2eddb64fc089
    SHA512: 94a8d8c4a89335bc9ddb85013dc64ac12e910a7fff1e3203e5f82ab0d3d72072937c84f16f9bb87432be7592764c18f981feedde7a9397a26aba2e64bfa839a9

  • C:\Users\Admin\AppData\Local\Temp\Upx.exe
    Filesize: 283KB
    MD5: 308f709a8f01371a6dd088a793e65a5f
    SHA1: a07c073d807ab0119b090821ee29edaae481e530
    SHA256: c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35
    SHA512: c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

  • C:\Users\Admin\Desktop\RCXD55F.tmp
    Filesize: 387KB
    MD5: 1d0aca621884b727941e738a116bf2a4
    SHA1: 361e0f2e67de52443b89cbcbca96b067bc30eead
    SHA256: 51df50d806004e4d59be7c497b2b474d838822747b53a5422b17526300b362cb
    SHA512: 9dec55524dca4cfefcb0d4426d87fddf6c802f2babe973f170e540cc591ccc7f2e4a6b35c75c1a9c5a39e647370f0627556626aa85d2e63bf17e5da90de3cf39

  • C:\Users\Admin\Desktop\asd.exe
    Filesize: 433KB
    MD5: ba86a45f0ec07371681bb896a102a09b
    SHA1: 10ad3f69451300fe5c7d733f9787df5987bbbf1e
    SHA256: c136b7595dcb6ca9850377d104a930bae2ffb0fc787b5a52b3cb5a5210df8cdd
    SHA512: 5003e270d20c807e12391d99f5d57e2c2616a708e80b736228d40927afff474099345ae2aefee920d53198eb151de82184a8bbfc81cb49894a3288fef83b5519

  • C:\Users\Admin\Desktop\asd.exe
    Filesize: 382KB
    MD5: 97eb6f7ec0586fe37b82dbe2f522da35
    SHA1: 7b9995845a89aec0a6eabe7e9eeb446abe8e5d58
    SHA256: f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1
    SHA512: 888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49

  • memory/868-110-0x0000000000400000-0x000000000057E000-memory.dmp
    Filesize: 1.5MB

  • memory/868-101-0x0000000000400000-0x000000000057E000-memory.dmp
    Filesize: 1.5MB

  • memory/2364-17-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-48-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-22-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-20-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-31-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-18-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-43-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-44-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-47-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-21-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-49-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-50-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-51-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-0-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-16-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-15-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-13-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-4-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize: 4KB

  • memory/2364-2-0x0000000000400000-0x0000000000545000-memory.dmp
    Filesize: 1.3MB

  • memory/2364-1-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize: 4KB