Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
07-06-2024 01:32
General
-
Target
43db42b4ba232a67c442de8f05e12d61d8bd1c84061d8f0a73d4bab0f9629cfa.cmd
-
Size
3.6MB
-
MD5
77459eb8f65bfbfe7fa5af7966a90391
-
SHA1
1bc222205955806516b4eb06352fd9d133a656cb
-
SHA256
43db42b4ba232a67c442de8f05e12d61d8bd1c84061d8f0a73d4bab0f9629cfa
-
SHA512
b8b3614b06840c28be73dd34578e687db5f9a4e75565bb24c11791b14c33f516cb8e4811d03a19fdf6852aae2a4e1cbf3e3e29c441d86bb1dc57c15bc701118c
-
SSDEEP
49152:vgk00JywMTAermhoGyBDj1kwXui5zlrT2Da0QhMQ:Y
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 61 IoCs
-
Executes dropped EXE 8 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\43db42b4ba232a67c442de8f05e12d61d8bd1c84061d8f0a73d4bab0f9629cfa.cmd"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"3⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\43db42b4ba232a67c442de8f05e12d61d8bd1c84061d8f0a73d4bab0f9629cfa.cmd" "C:\\Users\\Public\\Audio.mp4" 93⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\43db42b4ba232a67c442de8f05e12d61d8bd1c84061d8f0a73d4bab0f9629cfa.cmd" "C:\\Users\\Public\\Audio.mp4" 94⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 123⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\kn.exeC:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 124⤵
- Executes dropped EXE
-
C:\Users\Public\Libraries\Audio.pifC:\Users\Public\Libraries\Audio.pif3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows "4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c mkdir "\\?\C:\Windows \System32"4⤵
-
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Bhvdpblh.PIF4⤵
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S3⤵
- Executes dropped EXE
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\Libraries\Audio.pif"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3812 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Audio.mp4Filesize
2.5MB
MD50528593d70b9b922ad3cbaf6e717938f
SHA11d332267fa9b98c4524466eb18c6b92fa9e983eb
SHA2568fcc21231ad08f4f4256441ce064a4d88e39be7fc33aa757d82662f7f43519eb
SHA512bf3596fb53557449bde39968cd9b1c2e5225db016421bdc437756cc0f7b6b247e446fa038cc9a680d06f08fbb0fc6df42bfd7f6af6523850316973228b486759
-
C:\Users\Public\Libraries\Audio.pifFilesize
1.2MB
MD53c13507701d8b2fe7ee770842d143323
SHA12ddfdfd72bf05e5db3b692ad9023469ef9123170
SHA2562f37b67330c37adf1314f490bd1a49d0507f51e6c4cfeeb174c4cb9f3df184c8
SHA5121fed83887652b39d6be6dbf6be36d3a25c2ab80996f8f43f0ab5aec1d2dcd1e74223c171c45a7845c6343b13aac90b57273fd3925aa004da90ff873e77fab409
-
C:\Users\Public\Libraries\Bhvdpblh.PIFFilesize
1.1MB
MD5d922418f9bd9588f5b17e2745ef89ed5
SHA115ea424980a50c1adcdd9e910a62e6fb857ee689
SHA256933ff804a741c238a7c7356750c659e0d97313ab578924125f781fc266399e47
SHA512220edbcdbb306acd8072e3a35cc0fd3e9b6d1f8b3749fa45600a5a0801caafbbb575f67704312fafd0f7dd8212482e118fadd668d833b985f572d5e9b78ca311
-
C:\Users\Public\alpha.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Users\Public\kn.exeFilesize
1.6MB
MD5bd8d9943a9b1def98eb83e0fa48796c2
SHA170e89852f023ab7cde0173eda1208dbb580f1e4f
SHA2568de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA51295630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b
-
memory/5000-28-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/5000-29-0x0000000000400000-0x0000000000546000-memory.dmpFilesize
1.3MB
-
memory/5000-31-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-34-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-35-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-32-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-33-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-39-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-40-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-46-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-67-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-104-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-96-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-81-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-102-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-99-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-98-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-97-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-56-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-55-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-93-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-54-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-90-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-88-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-87-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-84-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-83-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-79-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-78-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-77-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-50-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-74-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-73-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-47-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-66-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-64-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-63-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-62-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-45-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-60-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-59-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-58-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-44-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-101-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-100-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-92-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-91-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-89-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-53-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-85-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-52-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-82-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-80-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-51-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-48-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-49-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-57-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-43-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-38-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-42-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-41-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-36-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB
-
memory/5000-37-0x0000000002970000-0x0000000003970000-memory.dmpFilesize
16.0MB