Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 18:29
Behavioral tasks
behavioral1: sample ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe, resource win7-20231129-en
behavioral2: sample ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe, resource win10v2004-20240508-en
(the signatures, process tree and memory dumps below are all tagged behavioral1, i.e. the Windows 7 run)
General
Target: ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe
Size: 793KB
MD5: 46b556cbf522ce882e1c4fe819b1df06
SHA1: eebc61c027538e381831ae6c7768ea2d94430e52
SHA256: ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d
SHA512: a1b5a7d2d67edd96f1d56a9f6bc668d8756794b099efe323c79e0e301af0df26249a39b6be602aede307dcf9c590a112ff08e79f691f0975f1e41dffdf9f9ffe
SSDEEP: 12288:olZYc2z1y2dc5AgHQPQjl2d6v752e6tADa4ATouPycl4O8q7ksGq+mTMZxT:olKcIxWYPQjl2s75947zDusGq+mT2
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (7 IoCs)
resource | yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x00000000004C9000-memory.dmp | modiloader_stage2
F:\system.exe | modiloader_stage2
behavioral1/memory/2060-14-0x0000000001E10000-0x0000000001ED9000-memory.dmp | modiloader_stage2
behavioral1/memory/3032-24-0x0000000000400000-0x00000000004C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2060-35-0x0000000000400000-0x00000000004C9000-memory.dmp | modiloader_stage2
behavioral1/memory/3032-36-0x0000000000400000-0x00000000004C9000-memory.dmp | modiloader_stage2
behavioral1/memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp | modiloader_stage2

Deletes itself (1 IoC)
process | pid
cmd.exe | 2492

Executes dropped EXE (1 IoC)
process | pid
system.exe | 3032

Loads dropped DLL (5 IoCs)
process | pid
ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe | 2060 (2 IoCs)
WerFault.exe | 2604 (3 IoCs)

UPX packed (yara rule upx, 7 IoCs)
The same seven resources that match modiloader_stage2 also match the upx rule, i.e. both the sample's image and the dropped copy are UPX-packed.
resource | yara_rule
behavioral1/memory/2060-0-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
F:\system.exe | upx
behavioral1/memory/2060-14-0x0000000001E10000-0x0000000001ED9000-memory.dmp | upx
behavioral1/memory/3032-24-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
behavioral1/memory/2060-35-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
behavioral1/memory/3032-36-0x0000000000400000-0x00000000004C9000-memory.dmp | upx
behavioral1/memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp | upx

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
process: ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe (PID 2060)
description: File opened (read-only)
ioc (in the order recorded): \??\M: \??\R: \??\S: \??\U: \??\K: \??\G: \??\I: \??\L: \??\P: \??\X: \??\Z: \??\E: \??\N: \??\Q: \??\V: \??\W: \??\A: \??\H: \??\J: \??\O: \??\T: \??\Y: \??\B:
(every drive letter except C:, D: and F:; F: is the volume the sample then wrote AutoRun.inf and a copy of itself to, see below)

Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
process: ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe (PID 2060)
description | ioc
File created | F:\AutoRun.inf
File opened for modification | F:\AutoRun.inf
File created | C:\AutoRun.inf
File opened for modification | C:\AutoRun.inf

Drops file in System32 directory (2 IoCs)
process: system.exe (PID 3032)
description | ioc
File created | C:\Windows\SysWOW64\_system.exe
File opened for modification | C:\Windows\SysWOW64\_system.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target pid | target process
set thread context | 3032 | system.exe | 2540 | calc.exe

Drops file in Program Files directory (3 IoCs)
process: ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe (PID 2060)
description | ioc
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat
File created | C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe

Program crash (1 IoC)
process | pid | target pid | target process
WerFault.exe | 2604 | 3032 | system.exe

Suspicious use of WriteProcessMemory (18 IoCs)
pid | process | target pid | target process | count
2060 | ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe | 3032 | system.exe | 4
3032 | system.exe | 2540 | calc.exe | 6
3032 | system.exe | 2604 | WerFault.exe | 4
2060 | ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe | 2492 | cmd.exe | 4
Writes from a parent into a child it has just created are routine and show up here for cmd.exe and WerFault.exe as well; the indicator of process injection is the run of writes into calc.exe (PID 2540) by system.exe combined with the SetThreadContext call on that same PID above.
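The three behaviours the signatures above describe (memory write plus SetThreadContext into a Windows binary, AutoRun.inf dropped at a volume root next to a copy of the sample, and a sweep across drive letters) can each be turned into a rule over the kind of event stream a sandbox or EDR emits. The script below is an added example and is not part of the report or the sandbox vendor's code. The event records are constructed by hand from the report's own entries (PIDs 2060, 3032, 2540, 2604 and 2492 and the paths listed); the Event schema, the COMMON_HOSTS list and the drive threshold are this example's assumptions.

```python
"""Detection heuristics over sandbox-style process and file events.

Added example, not part of the sandbox report or the sandbox vendor's code.
The event records below are constructed by hand from the report's signature
entries (PIDs 2060, 3032, 2540, 2604, 2492 and the paths it lists); the Event
schema, the host-process list and the drive threshold are this example's own
assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str             # write_memory | set_thread_context | file_create | file_open_ro
    pid: int              # acting process
    image: str            # acting process image name
    target_pid: int = 0   # memory/thread events only
    target_image: str = ""
    path: str = ""        # file events only


SAMPLE = "ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe"

# Constructed from the report's WriteProcessMemory, SetThreadContext,
# "Drops autorun.inf file" and "Enumerates connected drives" entries.
EVENTS = [
    Event("write_memory", 2060, SAMPLE, 3032, "system.exe"),
    Event("write_memory", 2060, SAMPLE, 2492, "cmd.exe"),
    Event("write_memory", 3032, "system.exe", 2540, "calc.exe"),
    Event("set_thread_context", 3032, "system.exe", 2540, "calc.exe"),
    Event("write_memory", 3032, "system.exe", 2604, "WerFault.exe"),
    Event("file_create", 2060, SAMPLE, path="F:\\AutoRun.inf"),
    Event("file_create", 2060, SAMPLE, path="F:\\system.exe"),
    Event("file_create", 2060, SAMPLE, path="C:\\AutoRun.inf"),
    Event("file_create", 2060, SAMPLE,
          path="C:\\Program Files\\Common Files\\Microsoft Shared\\MSINFO\\system.exe"),
] + [Event("file_open_ro", 2060, SAMPLE, path="\\??\\" + d + ":")
     for d in "MRSUKGILPXZENQVWAHJOTYB"]

# Assumption: benign Windows binaries commonly used as injection hosts.
COMMON_HOSTS = {"calc.exe", "svchost.exe", "explorer.exe", "regasm.exe", "msbuild.exe"}


def find_hollowing(events):
    """Flag a source that both writes memory into and sets the thread context of
    the same target. Writes alone are noisy: a parent writes into every child it
    creates (cmd.exe and WerFault.exe here), so those are not reported."""
    wrote_into = {(e.pid, e.target_pid) for e in events if e.kind == "write_memory"}
    hits = []
    for e in events:
        if e.kind == "set_thread_context" and (e.pid, e.target_pid) in wrote_into:
            hits.append({
                "source": (e.pid, e.image),
                "target": (e.target_pid, e.target_image),
                "known_host": e.target_image.lower() in COMMON_HOSTS,
            })
    return hits


def find_autorun_spread(events):
    """Map each volume root where AutoRun.inf was written to the executables the
    same process dropped on that root. A root AutoRun.inf with nothing beside it
    is still reported, with an empty list."""
    autorun_roots = {}
    root_exes = defaultdict(set)
    for e in events:
        if e.kind != "file_create":
            continue
        drive, _, name = e.path.partition("\\")
        if "\\" in name:          # not directly under the volume root
            continue
        if name.lower() == "autorun.inf":
            autorun_roots[drive] = e.pid
        elif name.lower().endswith(".exe"):
            root_exes[(e.pid, drive)].add(name)
    return {drive: sorted(root_exes[(pid, drive)]) for drive, pid in autorun_roots.items()}


def find_drive_enumeration(events, threshold=5):
    """Count distinct drive roots (the \\??\\X: form) a process opened; at or
    above the threshold it looks like a search for volumes to infect."""
    roots = defaultdict(set)
    for e in events:
        if (e.kind == "file_open_ro" and len(e.path) == 6
                and e.path.startswith("\\??\\") and e.path.endswith(":")):
            roots[(e.pid, e.image)].add(e.path[4])
    return {proc: len(letters) for proc, letters in roots.items() if len(letters) >= threshold}


if __name__ == "__main__":
    print(find_hollowing(EVENTS))
    print(find_autorun_spread(EVENTS))
    print(find_drive_enumeration(EVENTS))
```

Run against the constructed events, find_hollowing reports only system.exe (3032) into calc.exe (2540), not the parent-to-child writes, find_autorun_spread pairs F:\AutoRun.inf with F:\system.exe and lists C: with no payload beside its AutoRun.inf, and find_drive_enumeration counts the 23 drive roots PID 2060 opened.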
Processes
C:\Users\Admin\AppData\Local\Temp\ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe (PID 2060, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d.exe"
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe (PID 3032, depth 2)
    command line: "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\calc.exe (PID 2540, depth 3)
      command line: "C:\Windows\system32\calc.exe"
      (the system32 path in the command line resolves to SysWOW64 through WoW64 file-system redirection, so this is a 32-bit process; it is the SetThreadContext and WriteProcessMemory target of system.exe)
    C:\Windows\SysWOW64\WerFault.exe (PID 2604, depth 3)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3032 -s 280
      - Loads dropped DLL
      - Program crash
      (-p 3032 is system.exe: the dropped loader itself crashed, not the hollowed calc.exe)
  C:\Windows\SysWOW64\cmd.exe (PID 2492, depth 2)
    command line: cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\ReDelBat.bat""
    - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Program Files\Common Files\Microsoft Shared\MSInfo\ReDelBat.bat
Filesize: 248B
MD5: 5fe98fe3dc9c6c140c8509041ef00f43
SHA1: 71f47694c1be60b6f89cb0f859dae52c03b142ed
SHA256: cefe847e32e320630f3a978aabbca298d5b57ba1fda409cebbd03b0676de17fd
SHA512: 828c97b6831099b65956fafc5a46ab9bb6dc389dd706b094479da8b58e7583ea9f576f7ef42195d41dd0e10e79ee3ac107cdfb705459fa65b3f06463b5df3520

F:\system.exe
Filesize: 793KB
MD5: 46b556cbf522ce882e1c4fe819b1df06
SHA1: eebc61c027538e381831ae6c7768ea2d94430e52
SHA256: ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d
SHA512: a1b5a7d2d67edd96f1d56a9f6bc668d8756794b099efe323c79e0e301af0df26249a39b6be602aede307dcf9c590a112ff08e79f691f0975f1e41dffdf9f9ffe
(all four hashes equal those of the submitted sample: the file placed on F:\ next to AutoRun.inf is a byte-for-byte copy of the sample, not a downloaded second stage)

Memory dumps (behavioral1)
memory/2060-0-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
memory/2060-1-0x00000000003F0000-0x00000000003F1000-memory.dmp: 4KB
memory/2060-14-0x0000000001E10000-0x0000000001ED9000-memory.dmp: 804KB
memory/2060-20-0x0000000001E10000-0x0000000001ED9000-memory.dmp: 804KB
memory/2060-35-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
memory/2060-44-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
memory/2540-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp: 4KB
memory/3032-25-0x0000000000200000-0x0000000000201000-memory.dmp: 4KB
memory/3032-24-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
memory/3032-36-0x0000000000400000-0x00000000004C9000-memory.dmp: 804KB
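The file hashes and drop paths above are what a responder would sweep other hosts and removable volumes for. The script below is an added example, not code from the report or the sandbox: the relative paths and SHA256 values are taken from the Signatures and Downloads sections, while the scan-root parameter, the findings format and the stand-in fixture in build_demo_volume() are this example's own construction (the fixture uses placeholder bytes because the report does not contain the artifacts themselves).

```python
"""Offline sweep for the file artifacts the report lists.

Added example, not from the report or the sandbox. The relative paths and the
SHA256 values come from the report's Signatures and Downloads sections; the
scan-root parameter, the findings format and the stand-in fixture in
build_demo_volume() are this example's own construction.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths written by the sample and its dropped loader, relative to a volume root.
DROP_PATHS = [
    Path("Program Files/Common Files/Microsoft Shared/MSINFO/system.exe"),
    Path("Program Files/Common Files/Microsoft Shared/MSINFO/ReDelBat.bat"),
    Path("Windows/SysWOW64/_system.exe"),
    Path("AutoRun.inf"),     # at the volume root (seen on C: and F:)
    Path("system.exe"),      # root copy of the sample (seen on F:)
]

# SHA256 values from the report.
KNOWN_SHA256 = {
    "ab3e5719a5c4b8b88d1a1520818b1d38f62b0dea74f70583ece7ae4e516cea7d":
        "ModiLoader sample (also dropped as system.exe)",
    "cefe847e32e320630f3a978aabbca298d5b57ba1fda409cebbd03b0676de17fd":
        "ReDelBat.bat",
}


def sha256_of(path: Path) -> str:
    """Stream the file so large volumes do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_volume(root: Path, known=KNOWN_SHA256):
    """Return one finding per report path that exists under root. A hash match
    names the artifact; an AutoRun.inf at the root is reported even without a
    hash match, because the report never shows that file's bytes."""
    findings = []
    for rel in DROP_PATHS:
        p = root / rel
        if not p.is_file():
            continue
        try:
            digest = sha256_of(p)
        except OSError as exc:      # locked or unreadable file: still a finding
            findings.append({"path": str(p), "sha256": None, "note": f"unreadable: {exc}"})
            continue
        if digest in known:
            note = "hash match: " + known[digest]
        elif rel.name.lower() == "autorun.inf":
            note = "AutoRun.inf at volume root (autorun spreading indicator), content not in report"
        else:
            note = "path matches report, hash not in report"
        findings.append({"path": str(p), "sha256": digest, "note": note})
    return findings


def build_demo_volume(root: Path) -> dict:
    """Constructed fixture: two of the report's paths with stand-in content.
    Returns the stand-in's hash so the demo can register it as known."""
    drop = root / "Program Files/Common Files/Microsoft Shared/MSINFO"
    drop.mkdir(parents=True, exist_ok=True)
    stand_in = b"MZ stand-in bytes, not the real sample"
    (drop / "system.exe").write_bytes(stand_in)
    (root / "AutoRun.inf").write_text("[autorun]\n")   # placeholder, not the real file
    return {hashlib.sha256(stand_in).hexdigest(): "stand-in system.exe"}


def demo():
    """Sweep a throwaway directory laid out like an infected volume."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known = {**KNOWN_SHA256, **build_demo_volume(root)}
        return sweep_volume(root, known)


if __name__ == "__main__":
    # On a live Windows host, call sweep_volume(Path(d + ":/")) for each mounted drive letter.
    for finding in demo():
        print(finding)
```

On a real host the sweep is run once per mounted volume root with the report's hashes only; the demo registers the stand-in hash solely so the fixture produces a match. Note that the report writes the MSINFO directory as both MSINFO and MSInfo, which only matters on a case-sensitive file system.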