Malware Analysis Report

2024-08-06 14:13

Sample ID 240615-bwc4qsyakr
Target e5301b4327f48190ac46285e3f72669948ab296eea2fb812891d42b0133e7dac
SHA256 e5301b4327f48190ac46285e3f72669948ab296eea2fb812891d42b0133e7dac
Tags
modiloader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e5301b4327f48190ac46285e3f72669948ab296eea2fb812891d42b0133e7dac

Threat Level: Known bad

The file e5301b4327f48190ac46285e3f72669948ab296eea2fb812891d42b0133e7dac was found to be: Known bad.

Malicious Activity Summary

modiloader persistence spyware stealer trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Script User-Agent

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 01:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 01:29

Reported

2024-06-15 01:31

Platform

win7-20240611-en

Max time kernel

146s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage


Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rykduira = "C:\\Users\\Public\\Rykduira.url" C:\Users\Public\Libraries\Audio.pif N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\windows.exe" C:\Users\Public\Libraries\ariudkyR.pif N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2696 set thread context of 1472 N/A C:\Users\Public\Libraries\Audio.pif C:\Users\Public\Libraries\ariudkyR.pif

Enumerates physical storage devices

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Public\Libraries\Audio.pif N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Public\Libraries\ariudkyR.pif N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Public\Libraries\ariudkyR.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2428 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 2236 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2940 wrote to memory of 2192 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 2236 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2292 wrote to memory of 1204 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2236 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2600 wrote to memory of 2652 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2236 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 2236 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2236 wrote to memory of 1036 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2696 wrote to memory of 2752 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2768 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 2268 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\cmd.exe
PID 2696 wrote to memory of 1984 N/A C:\Users\Public\Libraries\Audio.pif C:\Windows\SysWOW64\extrac32.exe
PID 2696 wrote to memory of 1472 N/A C:\Users\Public\Libraries\Audio.pif C:\Users\Public\Libraries\ariudkyR.pif

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows "

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir "\\?\C:\Windows \System32"

C:\Windows\SysWOW64\cmd.exe

cmd /c "C:\\Windows \\System32\\cmd.pif"

C:\Windows \System32\cmd.pif

"C:\\Windows \\System32\\cmd.pif"

C:\Windows \System32\cmd.pif

"C:\Windows \System32\cmd.pif"

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Rykduira.PIF

C:\Users\Public\Libraries\ariudkyR.pif

C:\Users\Public\Libraries\ariudkyR.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

C:\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\Audio.mp4

MD5 eb6a7f256c8f499acbe890dc5cff775d
SHA1 9a70db1b2ac259c77deff82242f640185324acd0
SHA256 d2ad20db4d124137de977e37722776aa8ea45a544a6be5622c25c192bbd5db22
SHA512 8ead95d487540048c9aca857d4180d4287346dde701285bd9b9f533df89dc54bddc1708e11948802abd8d51d8d9f02235eecba249c65b88d74c036e5c013e67b

C:\Users\Public\Libraries\Audio.pif

MD5 dd36e25502ab7c5a82a8cd1b648a4c0a
SHA1 461bf33b6ad324052de5250690e4df597f588224
SHA256 6c311507952d4c2abd1a762d30946f62ae5297c6cb8ac263cf7cdb6918a5a8b8
SHA512 0c4461822675ac0b80bc2a7757297f742a9d36f9d1b96d3433abe057fd717d8274f100d12bb1ed2ddf2a445a7121d1a97a6dbc1d5eed00af1bc83c483669a34d


C:\Windows \System32\cmd.pif

MD5 869640d0a3f838694ab4dfea9e2f544d
SHA1 bdc42b280446ba53624ff23f314aadb861566832
SHA256 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA512 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

C:\Users\Public\Libraries\ariudkyR.pif

MD5 3776012e2ef5a5cae6935853e6ca79b2
SHA1 4fc81df94baaaa550473ac9d20763cfb786577ff
SHA256 8e104cc58e62de0eab837ac09b01d30e85f79045cc1803fa2ef4eafbdbd41e8d
SHA512 38811cb1431e8b7b07113ae54f1531f8992bd0e572d9daa1029cf8692396427285a4c089ffd56422ca0c6b393e9fca0856a5a5cd77062e7e71bf0a670843cfb8

memory/1472-484-0x0000000024080000-0x00000000240DC000-memory.dmp

memory/1472-485-0x0000000025A20000-0x0000000025A7A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 01:29

Reported

2024-06-15 01:31

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

149s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\alpha.exe N/A
N/A N/A C:\Users\Public\kn.exe N/A
N/A N/A C:\Users\Public\Libraries\Audio.pif N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\extrac32.exe
PID 2024 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 4240 wrote to memory of 4588 N/A C:\Users\Public\alpha.exe C:\Windows\system32\extrac32.exe
PID 2024 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 3260 wrote to memory of 1912 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2024 wrote to memory of 4528 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 4528 wrote to memory of 4136 N/A C:\Users\Public\alpha.exe C:\Users\Public\kn.exe
PID 2024 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Users\Public\Libraries\Audio.pif
PID 2024 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe
PID 2024 wrote to memory of 4116 N/A C:\Windows\system32\cmd.exe C:\Users\Public\alpha.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\PO-565362627627.cmd" "C:\\Users\\Public\\Audio.mp4" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\Libraries\Audio.pif

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp

Files

C:\Users\Public\alpha.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\kn.exe

MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\Audio.mp4

MD5 eb6a7f256c8f499acbe890dc5cff775d
SHA1 9a70db1b2ac259c77deff82242f640185324acd0
SHA256 d2ad20db4d124137de977e37722776aa8ea45a544a6be5622c25c192bbd5db22
SHA512 8ead95d487540048c9aca857d4180d4287346dde701285bd9b9f533df89dc54bddc1708e11948802abd8d51d8d9f02235eecba249c65b88d74c036e5c013e67b

C:\Users\Public\Libraries\Audio.pif

MD5 dd36e25502ab7c5a82a8cd1b648a4c0a
SHA1 461bf33b6ad324052de5250690e4df597f588224
SHA256 6c311507952d4c2abd1a762d30946f62ae5297c6cb8ac263cf7cdb6918a5a8b8
SHA512 0c4461822675ac0b80bc2a7757297f742a9d36f9d1b96d3433abe057fd717d8274f100d12bb1ed2ddf2a445a7121d1a97a6dbc1d5eed00af1bc83c483669a34d
