Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 13:08
Behavioral task: behavioral1
  Sample: 123.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 123.exe
  Resource: win10v2004-20240508-en
General
Target: 123.exe
Size: 397KB
MD5: 699e220e2f6c4b2ead0a3a2fc780b567
SHA1: 760868038eef5a42011b298ef886588de142ea85
SHA256: 16b69225a2ff2864aa0dd9753b69f4e0c79985bea93edc8f235bb0bd8cee11c5
SHA512: 9f82b88e35e146068fa7cce058c66721ec7de03869d8595c7e9ae61852d0b9261efa9bf72eb6694701096bc159f2f703ea6e744c414b1fa183abdc6ddd8e6775
SSDEEP: 6144:MLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXmg7:Y+u9nx2GjMY3XKfd/H/9Pr7
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (3 IoCs)
Processes:
  resource  yara_rule
  behavioral1/memory/2168-1-0x0000000000400000-0x000000000046A000-memory.dmp  modiloader_stage2
  behavioral1/memory/2168-2-0x0000000000400000-0x000000000046A000-memory.dmp  modiloader_stage2
  behavioral1/memory/2168-4-0x0000000000400000-0x000000000046A000-memory.dmp  modiloader_stage2
Modifies Installed Components in the registry (2 TTPs, 1 IoCs)
Processes: explorer.exe
  description  ioc  process
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: 123.exe
  description  ioc  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\123.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe"  123.exe
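A check a practitioner would want for the Run-key IoC above, added here as an example and not part of the Triage report: it parses "Set value (str)" lines in the report's own format, keeps only values under ...\CurrentVersion\Run or RunOnce, and flags targets inside directories an unprivileged user can write to. The directory list is an assumption of this example, as are the two constructed non-malicious sample lines placed beside the report's line. The value name here is the binary's own file name (123.exe), which the check records as a separate flag.

```python
"""Flag Run-key autostart values that point into user-writable directories.
Input: "Set value (str)" IoC lines in the format used by the report above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One report-style line: description, full key path, value name, quoted data, writing process.
IOC_RE = re.compile(
    r'^Set value \(str\) '
    r'(?P<key>\\REGISTRY\\(?:USER|MACHINE)\\.+?)\\(?P<name>[^\\=]+?) = '
    r'"(?P<value>.*)" (?P<process>\S+)$'
)
AUTORUN_KEY_RE = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)

# Assumption of this example: directories an unprivileged user can write to.
USER_WRITABLE_DIRS = (
    "\\AppData\\Local\\Temp\\",
    "\\AppData\\Roaming\\",
    "\\Downloads\\",
    "\\Users\\Public\\",
)

# Constructed sample: line 1 is the report's IoC verbatim; lines 2-3 are made-up
# benign entries (an autostart under AppData\Local\Microsoft and a non-Run value).
SAMPLE_IOC_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\123.exe = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe" 123.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" explorer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop = '
    r'"C:\\Users\\Admin\\Desktop" explorer.exe',
]


@dataclass
class AutorunFinding:
    process: str              # process that wrote the value
    value_name: str           # name of the Run value
    target: str               # executable the value launches
    matched_dir: str          # which user-writable prefix matched
    name_reuses_binary: bool  # value name equals the target's file name


def parse_ioc(line: str) -> Optional[dict]:
    """Split one report line into key / name / value / process; None if it is not a str value."""
    m = IOC_RE.match(line.strip())
    return m.groupdict() if m else None


def executable_from_value(value: str) -> str:
    """Undo the report's doubled backslashes and keep the path up to the first .exe."""
    unescaped = value.replace("\\\\", "\\").strip('"')
    m = re.match(r'(.*?\.exe)', unescaped, re.IGNORECASE)
    return m.group(1) if m else unescaped.split(" ")[0]


def check_autoruns(lines: List[str]) -> List[AutorunFinding]:
    findings = []
    for line in lines:
        ioc = parse_ioc(line)
        if ioc is None or not AUTORUN_KEY_RE.search(ioc["key"]):
            continue  # not a Run / RunOnce value
        target = executable_from_value(ioc["value"])
        for prefix in USER_WRITABLE_DIRS:
            if prefix.lower() in target.lower():
                file_name = target.rsplit("\\", 1)[-1]
                findings.append(AutorunFinding(
                    process=ioc["process"],
                    value_name=ioc["name"],
                    target=target,
                    matched_dir=prefix,
                    name_reuses_binary=file_name.lower() == ioc["name"].lower(),
                ))
                break
    return findings


if __name__ == "__main__":
    for f in check_autoruns(SAMPLE_IOC_LINES):
        print(f"{f.process} persisted {f.target} as Run value '{f.value_name}' "
              f"(under {f.matched_dir}, name reuses binary: {f.name_reuses_binary})")
```

Run against the three sample lines, only the report's entry is reported; the OneDrive line parses but its target sits outside the writable list, and the Shell Folders line is dropped because its key is not an autorun key.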
Modifies registry class (5 IoCs)
Processes: explorer.exe
  description  ioc  process
  Set value (data)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
  Key created  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 123.exe
  pid  process
  2168  123.exe  (64 occurrences)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: explorer.exe
  pid  process
  2516  explorer.exe
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: explorer.exe
  description  pid  process
  Token: SeShutdownPrivilege  2516  explorer.exe  (13 occurrences)
Suspicious use of FindShellTrayWindow (28 IoCs)
Processes: explorer.exe
  pid  process
  2516  explorer.exe  (28 occurrences)
Suspicious use of SendNotifyMessage (18 IoCs)
Processes: explorer.exe
  pid  process
  2516  explorer.exe  (18 occurrences)
Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 123.exe
  description  pid  process  target process
  PID 2168 wrote to memory of 2516  2168  123.exe  explorer.exe  (4 occurrences)
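The four writes from PID 2168 (123.exe) into PID 2516 (the explorer.exe it spawned), read together with the process tree, are what a detection would pivot on. The block below is an added example, not the report's or Triage's code: it takes a constructed event stream modelled on this report (process creations with pid, ppid and image, plus cross-process memory writes) and raises an alert when the target is a binary under C:\Windows and the writer either runs from a user-writable directory or is not the target's parent. The caveat a practitioner would want: a handful of parent-to-child writes can be produced by process creation itself, so a parent living under a system path writing into its own child (the constructed notepad.exe case) is deliberately not flagged. Only PIDs 2168 and 2516 and their images come from the report; the parent of 123.exe, the desktop shell PID and notepad.exe are invented for contrast, and the writable-directory list is an assumption.

```python
"""Score cross-process memory writes from a sandbox-style event stream.
Constructed input modelled on the report above; only PIDs 2168 and 2516 and their
images come from the report, every other value is made up for the example."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption of this example: directories an unprivileged user can write to.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                      "\\downloads\\", "\\users\\public\\")
SYSTEM_DIR = "c:\\windows\\"


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str


@dataclass
class WriteAlert:
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    writes: int              # how many WriteProcessMemory calls were seen
    src_spawned_dst: bool    # the writer is the target's parent
    src_user_writable: bool  # the writer runs from a user-writable directory


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIR)


def find_suspicious_writes(procs: List[ProcessEvent],
                           writes: List[Tuple[int, int]]) -> List[WriteAlert]:
    """writes holds one (source_pid, target_pid) pair per WriteProcessMemory call."""
    by_pid: Dict[int, ProcessEvent] = {p.pid: p for p in procs}
    counts = Counter((s, d) for s, d in writes if s != d)  # ignore self-writes
    alerts = []
    for (s, d), n in counts.items():
        src, dst = by_pid.get(s), by_pid.get(d)
        if src is None or dst is None or not is_system_binary(dst.image):
            continue
        spawned = dst.ppid == src.pid
        writable = is_user_writable(src.image)
        # A parent under C:\Windows writing into a child it just created is routine
        # process setup; a writer from a user directory, or one that is not the
        # parent at all, writing into a system binary gets an alert.
        if writable or not spawned:
            alerts.append(WriteAlert(src.pid, src.image, dst.pid, dst.image, n, spawned, writable))
    return alerts


# Constructed sample: rows 1-2 mirror the report's process tree and WriteProcessMemory IoCs
# (123.exe PID 2168 spawning explorer.exe PID 2516 and writing into it four times).
# The parent of 2168, the desktop shell (PID 1860) and notepad.exe are invented for contrast.
SAMPLE_PROCS = [
    ProcessEvent(2168, 1860, "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe"),
    ProcessEvent(2516, 2168, "C:\\Windows\\explorer.exe"),
    ProcessEvent(1860, 1700, "C:\\Windows\\explorer.exe"),
    ProcessEvent(3000, 1860, "C:\\Windows\\System32\\notepad.exe"),
]
SAMPLE_WRITES = [(2168, 2516)] * 4 + [(1860, 3000)] * 2


if __name__ == "__main__":
    for a in find_suspicious_writes(SAMPLE_PROCS, SAMPLE_WRITES):
        print(f"PID {a.src_pid} ({a.src_image}) wrote {a.writes}x into "
              f"PID {a.dst_pid} ({a.dst_image}); spawned it: {a.src_spawned_dst}")
```

On the sample stream this yields a single alert for 2168 writing into 2516; the shell's two writes into the notepad.exe it started are left alone, which is the distinction that keeps the rule from firing on every process launch.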
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\123.exe  (PID 2168)
  command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\explorer.exe  (PID 2516, child of 123.exe)
    command line: "C:\Windows\explorer.exe"
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
C:\Windows\explorer.exe
  command line: explorer.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/2168-0-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
memory/2168-1-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
memory/2168-2-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB
memory/2168-3-0x0000000000230000-0x0000000000231000-memory.dmp  Filesize: 4KB
memory/2168-4-0x0000000000400000-0x000000000046A000-memory.dmp  Filesize: 424KB