Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 11:52
Behavioral tasks
- behavioral1: 恋雪系统变速器 1.4 Beta2/lxspeed.dll (resource: win7-20240221-en)
- behavioral2: 恋雪系统变速器 1.4 Beta2/lxspeed.dll (resource: win10v2004-20240419-en)
- behavioral3: 恋雪系统变速器 1.4 Beta2/恋雪系统变速器 1.4 Beta2.exe (resource: win7-20240221-en)
- behavioral4: 恋雪系统变速器 1.4 Beta2/恋雪系统变速器 1.4 Beta2.exe (resource: win10v2004-20240419-en)
- behavioral5: 恋雪系统变速器 1.4 Beta2/红豆软件站.url (resource: win7-20231129-en)
- behavioral6: 恋雪系统变速器 1.4 Beta2/红豆软件站.url (resource: win10v2004-20240419-en)
General
- Target: 恋雪系统变速器 1.4 Beta2/恋雪系统变速器 1.4 Beta2.exe
- Size: 2.2MB
- MD5: ed00bbb91cc136de5b56270fe470f0f6
- SHA1: b3eac9bd49897ae871a2992368014534a9cd86f0
- SHA256: 1ea21ca8cbf3ca8e964d8a4a93c91eaf83771e2878bd67dc4cb4721774e6a260
- SHA512: f933d267837ae594852bfc6cf357c11d539cb0b144ecd7d08f582bb0c5c79938ea18433d81480238bb0fc443fc54254212ce2e8a8249fde251adfc7253cb88e5
- SSDEEP: 49152:LXeJczfx+OmM7WNQovKIRZLdhS/bety0vYdqG85HedVm1s8:LXccb4dM7WLKIj8Ct1vcqrYa
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage 4 IoCs
  Processes (resource / yara_rule):
  - behavioral3/memory/2688-33-0x0000000000400000-0x00000000004BE000-memory.dmp modiloader_stage2
  - behavioral3/memory/2688-31-0x0000000000400000-0x00000000004BE000-memory.dmp modiloader_stage2
  - behavioral3/memory/2688-34-0x0000000000400000-0x00000000004BE000-memory.dmp modiloader_stage2
  - behavioral3/memory/2688-36-0x0000000000400000-0x00000000004BE000-memory.dmp modiloader_stage2
- Executes dropped EXE 2 IoCs
  Processes (pid / process):
  - 2936 LianXue_WPE.exe
  - 2688 LianXue_WPE.exe
- Loads dropped DLL 3 IoCs
  Processes (pid / process):
  - 1760 恋雪系统变速器 1.4 Beta2.exe
  - 1760 恋雪系统变速器 1.4 Beta2.exe
  - 2936 LianXue_WPE.exe
- Processes (resource / yara_rule):
  - \Users\Admin\AppData\Local\Temp\LianXue_WPE.exe upx
  - behavioral3/memory/2936-28-0x0000000000400000-0x0000000000565000-memory.dmp upx
- Processes (resource / yara_rule):
  - behavioral3/memory/1760-0-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
  - behavioral3/memory/1760-10-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
  - behavioral3/memory/1760-13-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
  - behavioral3/memory/1760-14-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
  - behavioral3/memory/1760-37-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
  - behavioral3/memory/1760-39-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
  - behavioral3/memory/1760-43-0x0000000000400000-0x00000000008E7000-memory.dmp vmprotect
- Drops file in System32 directory 1 IoCs
  Processes (description / ioc / process):
  - File created C:\Windows\SysWOW64\2010.txt LianXue_WPE.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes (description / pid / process / target process):
  - PID 2936 set thread context of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes (pid / process):
  - 1760 恋雪系统变速器 1.4 Beta2.exe
- Suspicious behavior: LoadsDriver 1 IoCs
  Processes (pid / process):
  - 468 (process name not recorded in the report)
- Suspicious use of SetWindowsHookEx 4 IoCs
  Processes (pid / process):
  - 1760 恋雪系统变速器 1.4 Beta2.exe
  - 1760 恋雪系统变速器 1.4 Beta2.exe
  - 1760 恋雪系统变速器 1.4 Beta2.exe
  - 1760 恋雪系统变速器 1.4 Beta2.exe
- Suspicious use of WriteProcessMemory 10 IoCs
  Processes (description / pid / process / target process):
  - PID 1760 wrote to memory of 2936: 1760 恋雪系统变速器 1.4 Beta2.exe -> LianXue_WPE.exe
  - PID 1760 wrote to memory of 2936: 1760 恋雪系统变速器 1.4 Beta2.exe -> LianXue_WPE.exe
  - PID 1760 wrote to memory of 2936: 1760 恋雪系统变速器 1.4 Beta2.exe -> LianXue_WPE.exe
  - PID 1760 wrote to memory of 2936: 1760 恋雪系统变速器 1.4 Beta2.exe -> LianXue_WPE.exe
  - PID 2936 wrote to memory of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
  - PID 2936 wrote to memory of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
  - PID 2936 wrote to memory of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
  - PID 2936 wrote to memory of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
  - PID 2936 wrote to memory of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
  - PID 2936 wrote to memory of 2688: 2936 LianXue_WPE.exe -> LianXue_WPE.exe
Processes (process tree; each nested entry is a child of the one above it)
- C:\Users\Admin\AppData\Local\Temp\恋雪系统变速器 1.4 Beta2\恋雪系统变速器 1.4 Beta2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\恋雪系统变速器 1.4 Beta2\恋雪系统变速器 1.4 Beta2.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 1760
  - C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2936
    - C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\LianXue_WPE.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      PID: 2688
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 702KB
  MD5: c7734ebabc26a1989a0f151abe699a18
  SHA1: 4bfc5c8f96d220b0b768b266f0ad9a6020644938
  SHA256: 2e6a28f71058d8641fa251a1327ff4f9a7891cb1a7079f1aa3da1713cfcf585b
  SHA512: e4e6fe6ec0c64ef4357921ed551f7436128e9ce3f86d8a939217023db78351080c09b78d6b0e9d7d6874d807e63ac62a0bc97d2782c673d3ef42a1323c4eb4bf