Analysis
max time kernel: 150s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2024 21:20
Static task: static1
Behavioral task: behavioral1
  Sample: VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
  Resource: win10v2004-20240426-en
(The signatures, process tree and memory dumps below are from behavioral2, the Windows 10 run.)
General
Target: VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
Size: 290KB
MD5: 1ecb75f61811c8ba509fcecb959fc960
SHA1: ff350f0885fd1bf43b3649c5e10bd7c6b8c63c93
SHA256: f22e1cfd78acc5c944dbfa4b4333349c603536637b3f10ed8022719832abff1c
SHA512: 2a808a060a288713cd0b95e4c490ea956caa1824a134ed26547af13fc77f2e95af8e6b2dff3e8d6bf1b79f2730dcee148003c69c100ff761cc4365476b1c6914
SSDEEP: 6144:DVU3YK6TaVsZuR2gdELS8YazyamrwNXEjtEHgZVcoMiVejeuSN0teQBw2B:q3bVVDuLJBBWwN8W8KoISN0w0w2B
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (2 IoCs)
Resources matched by YARA rule modiloader_stage2:
  C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe
  behavioral2/memory/2148-15-0x0000000000400000-0x000000000046B000-memory.dmp
(The second resource is the in-memory image of PID 2148, winlocker_builder V0.4.exe, dumped from its load address 0x400000; see Downloads.)

Modifies Installed Components in the registry (2 TTPs, 1 IoC)
Process: explorer.exe
  Key created: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Active Setup\Installed Components
Note: explorer.exe (PID 3480) is a separate process root in the tree below, not a child of the sample, so this entry and the privilege-token entries attributed to it are most likely ordinary session activity rather than sample behaviour.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  PID 2148  winlocker_builder V0.4.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Process: winlocker_builder V0.4.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlocker_builder V0.4.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\winlocker_builder V0.4.exe"
Note: the value lives under the user hive (HKCU), so it persists only for this user, and it points at the dropped copy in %TEMP% rather than a copy moved elsewhere.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Kills process with taskkill (5 IoCs)
  PID 1324  taskkill.exe
  PID 1144  taskkill.exe
  PID 1856  taskkill.exe
  PID 2004  taskkill.exe
  PID 2108  taskkill.exe
(Targets, from the process tree: chrome.exe, ie.exe, firefox.exe, opera.exe, safari.exe.)

Modifies registry key (1 TTP, 1 IoC)
  reg.exe (PID 2884); see the process tree below for the command line.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 events come from PID 2148, winlocker_builder V0.4.exe.

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Process: explorer.exe (PID 3480)
  Token: SeShutdownPrivilege (twice), SeCreatePagefilePrivilege (twice)

Suspicious use of WriteProcessMemory (24 IoCs)
Three writes per child, from the creating parent into each newly created process:
  4820 VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe -> 4472 cmd.exe
  4820 VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe -> 2148 winlocker_builder V0.4.exe
  4472 cmd.exe -> 2108 taskkill.exe
  4472 cmd.exe -> 1324 taskkill.exe
  4472 cmd.exe -> 1144 taskkill.exe
  4472 cmd.exe -> 1856 taskkill.exe
  4472 cmd.exe -> 2004 taskkill.exe
  4472 cmd.exe -> 2884 reg.exe
Note: every target is a direct child of the writer and the write count matches the process creations in the tree below, which is the pattern of ordinary process spawning. Nothing in the report shows a write into an unrelated process, so this signature on its own is not evidence of injection.
Processes

C:\Users\Admin\AppData\Local\Temp\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe  (PID 4820)
  command line: "C:\Users\Admin\AppData\Local\Temp\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 4472)
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Build.bat" "
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe  (PID 2108)
      command line: taskkill /im /f chrome.exe
      - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe  (PID 1324)
      command line: taskkill /im /f ie.exe
      - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe  (PID 1144)
      command line: taskkill /im /f firefox.exe
      - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe  (PID 1856)
      command line: taskkill /im /f opera.exe
      - Kills process with taskkill

    C:\Windows\SysWOW64\taskkill.exe  (PID 2004)
      command line: taskkill /im /f safari.exe
      - Kills process with taskkill

    C:\Windows\SysWOW64\reg.exe  (PID 2884)
      command line: Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*
      - Modifies registry key

  C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe  (PID 2148)
    command line: "C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe  (PID 3480)
  command line: explorer.exe
  - Modifies Installed Components in the registry
  - Suspicious use of AdjustPrivilegeToken

Notes on the tree:
- cmd.exe was requested as C:\Windows\system32\cmd.exe but ran from C:\Windows\SysWOW64, so the sample is a 32-bit process subject to WOW64 file system redirection (consistent with the arch:x86 resource tag); all of its children are the 32-bit system binaries.
- The six commands under cmd.exe are the observable contents of Build.bat (2KB, hashes under Downloads); the report shows only the commands that spawned a process, so any other lines in the batch file are not recorded here.
- The taskkill lines put the switches in the order /im /f <name>; the documented form is taskkill /F /IM <name>. With /IM immediately followed by /f, the image-name argument is misparsed and taskkill is likely to reject the line rather than terminate the browser. The report records command lines, not exit codes, so whether any browser was actually killed cannot be confirmed from it.
- reg.exe is given HKLM\System\CurrentControlSet\Control\SafeBoot\*.* as the key to delete. reg delete does not expand wildcards, and writing under HKLM\SYSTEM requires administrative rights that the report gives no indication the sample had, so the command as written almost certainly fails. The apparent intent, removing the Safe Mode allow-lists so the machine cannot be recovered by booting into Safe Mode, fits the "winlocker" name of the dropped binary.
- explorer.exe (PID 3480) is a separate root, not descended from the sample; its two signatures should not be attributed to the sample without further evidence.
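The process tree above is the kind of input a detection engineer turns into rules. The following is an added example, not part of the sandbox report or of any tool's output: it reconstructs the tree from process-creation and registry events and flags the four behaviours recorded here (forced taskkill of browsers from a batch file, reg.exe delete against SafeBoot, an executable in %TEMP% launching a second dropped executable from %TEMP%, and a Run key whose target lives in %TEMP%). The event records are constructed by hand from the PIDs and command lines in this report; the field names (pid, ppid, image, cmdline) and the placeholder parent PID 1000 are assumptions, not a particular log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Image names the batch file in this report targets, plus the usual aliases.
BROWSER_IMAGES = {"chrome.exe", "ie.exe", "iexplore.exe", "firefox.exe",
                  "opera.exe", "safari.exe", "msedge.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SAFEBOOT_RE = re.compile(r"\\SafeBoot(\\|$)", re.IGNORECASE)
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Process creation; field names are an assumption, not a tool's schema."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    """A registry value set by a process."""
    pid: int
    image: str
    path: str
    data: str


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def taskkill_targets(ev: ProcEvent) -> Set[str]:
    """Image names given to taskkill. Every non-switch token after the program
    name counts, so the reversed '/im /f name' order from Build.bat is caught
    as well as the documented '/F /IM name'."""
    if basename(ev.image) != "taskkill.exe":
        return set()
    return {t.lower() for t in ev.cmdline.split()[1:] if not t.startswith("/")}


def root_pid(pid: int, procs: Dict[int, ProcEvent]) -> int:
    """Follow ppid links to the top of the known tree; stops at unknown parents or cycles."""
    seen: Set[int] = set()
    while pid in procs and procs[pid].ppid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid].ppid
    return pid


def detect(proc_events: List[ProcEvent],
           reg_events: List[RegEvent]) -> List[Tuple[str, int]]:
    """Sorted (rule, root_pid) findings, one per rule per process tree, so a
    batch file that kills five browsers yields one finding rather than five."""
    procs = {e.pid: e for e in proc_events}
    findings: Set[Tuple[str, int]] = set()
    for ev in proc_events:
        parent = procs.get(ev.ppid)
        toks = ev.cmdline.lower().split()
        root = root_pid(ev.pid, procs)
        # 1. forced taskkill of a browser, launched by cmd.exe running a .bat
        if (taskkill_targets(ev) & BROWSER_IMAGES and "/f" in toks and parent
                and basename(parent.image) == "cmd.exe" and ".bat" in parent.cmdline.lower()):
            findings.add(("browser_taskkill_from_batch", root))
        # 2. reg.exe delete aimed at the SafeBoot tree (Safe Mode tampering)
        if basename(ev.image) == "reg.exe" and "delete" in toks and SAFEBOOT_RE.search(ev.cmdline):
            findings.add(("safeboot_registry_delete", root))
        # 3. an executable in %TEMP% starting a different executable in %TEMP%
        if (parent and TEMP_RE.search(parent.image) and TEMP_RE.search(ev.image)
                and basename(parent.image) != basename(ev.image)):
            findings.add(("temp_exe_spawns_dropped_exe", root))
    for rv in reg_events:
        # 4. Run-key persistence whose target lives in %TEMP%
        if RUNKEY_RE.search(rv.path) and TEMP_RE.search(rv.data):
            findings.add(("run_key_to_temp", root_pid(rv.pid, procs)))
    return sorted(findings)


# Constructed from this report's process tree; ppid 1000 is an assumed launcher PID.
T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\VirusShare_1ecb75f61811c8ba509fcecb959fc960.exe"
BUILDER = T + r"\winlocker_builder V0.4.exe"
SYSWOW = r"C:\Windows\SysWOW64"
PROC_EVENTS = [
    ProcEvent(4820, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4472, 4820, SYSWOW + r"\cmd.exe", rf'C:\Windows\system32\cmd.exe /c ""{T}\Build.bat" "'),
    ProcEvent(2108, 4472, SYSWOW + r"\taskkill.exe", "taskkill /im /f chrome.exe"),
    ProcEvent(1324, 4472, SYSWOW + r"\taskkill.exe", "taskkill /im /f ie.exe"),
    ProcEvent(1144, 4472, SYSWOW + r"\taskkill.exe", "taskkill /im /f firefox.exe"),
    ProcEvent(1856, 4472, SYSWOW + r"\taskkill.exe", "taskkill /im /f opera.exe"),
    ProcEvent(2004, 4472, SYSWOW + r"\taskkill.exe", "taskkill /im /f safari.exe"),
    ProcEvent(2884, 4472, SYSWOW + r"\reg.exe", r"Reg Delete HKLM\System\CurrentControlSet\Control\SafeBoot\*.*"),
    ProcEvent(2148, 4820, BUILDER, f'"{BUILDER}"'),
    ProcEvent(3480, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),  # separate root, stays clean
]
REG_EVENTS = [
    RegEvent(2148, BUILDER, r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlocker_builder V0.4.exe", BUILDER),
]

if __name__ == "__main__":
    for rule, root in detect(PROC_EVENTS, REG_EVENTS):
        print(f"{rule:32} root PID {root}")
```

All four findings resolve to root PID 4820, the sample, because each rule reports the top of the tree rather than the child that fired it; explorer.exe (PID 3480) produces nothing. Rule 1 deliberately keys on the parent being cmd.exe with a .bat on its command line, which is what separates the Build.bat pattern from an administrator running taskkill by hand.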
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\Build.bat
  Filesize: 2KB
  MD5: a30dc826f8671456185b51426255788a
  SHA1: bbd1505ca5479d159db89539beff034581feaa1c
  SHA256: 155a86cf988ef9304630b6845f14d8774e80126ec77ccb9f8fcdfadef46375d1
  SHA512: 3641df71589c645b4c3b4f1c5a0c9e6d978c667ea1c4862658102a461e59d2d22c1adb67d22027d34397829c4fca2d6e42be122f66e9fb5cae357a53cfe34ed3

C:\Users\Admin\AppData\Local\Temp\winlocker_builder V0.4.exe
  Filesize: 401KB
  MD5: d81707fcd4e2b83c4a1371603ffd8fbc
  SHA1: e10b7c05a89a57e753873a013745ff4cba11f347
  SHA256: 63f97cbd440b5f8d31a2d6bf7ca628624e0d24b6b96ae429fdb8a8b85ffce384
  SHA512: 035685c60bf5875eaafed99daf3d6041d995d295452a1253ed5ab7ad73d25ef6a247fd50ef2c2a278c2378bb45e840bce9897a43dba8b93ad40c8c5b83d235f8

memory/2148-13-0x0000000001FE0000-0x0000000001FE1000-memory.dmp
  Filesize: 4KB

memory/2148-15-0x0000000000400000-0x000000000046B000-memory.dmp
  Filesize: 428KB
  (PID 2148 is winlocker_builder V0.4.exe; 0x400000-0x46B000 is its mapped image, 0x6B000 = 428KB, which is why this dump and the dropped file match the same modiloader_stage2 rule.)