Analysis
-
max time kernel
600s -
max time network
600s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-06-2024 13:27
General
-
Target
B44A8DBE40CF3D75A23D5B991246249B.exe
-
Size
386KB
-
MD5
b44a8dbe40cf3d75a23d5b991246249b
-
SHA1
78f70912abd3599935dd15d12428b41bee81e452
-
SHA256
e93ea2c9e689a35ef77e597a4cf34409f9c02dd74790716eae060304995d6289
-
SHA512
9dbdd06ba87fb1478c07bf97facf69e079553393c3905afc960ea1bb5727aa59b260bd77652b3c877de518234875f6a8fb7fd82096c9049578ae143d47609251
-
SSDEEP
6144:JzYyFEqhqQK0TNhueSIfpzDx0J6Mml61EqIMiFNEnpIxI62:T1oQ1TbnRHclBIMiQpU2
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VirtualBox drivers on disk 2 TTPs 1 IoCs
-
ModiLoader Second Stage 57 IoCs
-
Contacts a large (1051) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\B44A8DBE40CF3D75A23D5B991246249B.exe"C:\Users\Admin\AppData\Local\Temp\B44A8DBE40CF3D75A23D5B991246249B.exe"1⤵
-
C:\Windows\system32\mshta.exe"C:\Windows\system32\mshta.exe" javascript:UPRsZx21="hvqyaq2";w9m=new%20ActiveXObject("WScript.Shell");P6GLjJ="aYm";C1Xac=w9m.RegRead("HKCU\\software\\boixilY0co\\1GAB5Nt9");iLke8L="6rPgGe";eval(C1Xac);Te25Rnz="UwWR30TC";1⤵
- Process spawned unexpected child process
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" iex $env:iacxx2⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe3⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\SysWOW64\regsvr32.exe"4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\Local\9ef7501\7116554.batFilesize
70B
MD59255983da4c5cf3d687a35b0b3e03b0a
SHA158ba03ba64a74e2f9b8a026cfd5bfaf544d61160
SHA25646727d3c044a0dcab44b9d40c64fe146f675640fd72e965f7d8518ff68b61539
SHA512160c28bcd54e7650c1000513830ea8c446a5eb6a5b70d72a397f7a8714ed34a741c6dfd935da915fd1f96b413e6e81948cfaec28c9fe6088bc157fd3be07e72c
-
C:\Users\Admin\AppData\Local\9ef7501\f71faf7.344a8709Filesize
13KB
MD5023e5230dae3e4773f79021aca291be3
SHA12e6d608bf08f0a8ad93bc959383fcca0720c3000
SHA25627fb91132f08d9cc4762c321b4f2db71c6e5c97c3e21b903cc3c86d084433813
SHA512ae961d043a6666127b7d50fa8efa1ef895b43534772f54b746791eb86435cf89f7dff4ef217dfde098d9cf504292db4be957fc17f3add8b9d46bf61c47d41205
-
C:\Users\Admin\AppData\Local\Temp\TarD83D.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
memory/1544-68-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-61-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-64-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-66-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-72-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-70-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-73-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-62-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-63-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-65-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-67-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-69-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1544-71-0x00000000000D0000-0x000000000021A000-memory.dmpFilesize
1.3MB
-
memory/1900-33-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-22-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-50-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-52-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-49-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-48-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-47-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-46-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-39-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-38-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-37-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-36-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-35-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-15-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-32-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-30-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-29-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-28-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-40-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-18-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-26-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-25-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-34-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-51-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-31-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-23-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-21-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-20-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-19-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-41-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-27-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/1900-24-0x00000000000E0000-0x000000000022A000-memory.dmpFilesize
1.3MB
-
memory/2388-14-0x00000000061F0000-0x00000000062CC000-memory.dmpFilesize
880KB
-
memory/2388-17-0x00000000061F0000-0x00000000062CC000-memory.dmpFilesize
880KB
-
memory/2388-13-0x0000000002B20000-0x0000000002B21000-memory.dmpFilesize
4KB
-
memory/2924-8-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-0-0x0000000000455000-0x0000000000457000-memory.dmpFilesize
8KB
-
memory/2924-9-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-55-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-7-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-3-0x0000000000400000-0x0000000000467638-memory.dmpFilesize
413KB
-
memory/2924-4-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-5-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-6-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-2-0x00000000021C0000-0x000000000229C000-memory.dmpFilesize
880KB
-
memory/2924-1-0x0000000000400000-0x0000000000467638-memory.dmpFilesize
413KB