Analysis
-
max time kernel
1801s -
max time network
1802s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
17-06-2024 14:39
General
-
Target
WinLocker Builder v1.4.exe
-
Size
699KB
-
MD5
81dd862410af80c9d2717af912778332
-
SHA1
8f1df476f58441db5973ccfdc211c8680808ffe1
-
SHA256
60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
-
SHA512
8dd014b91fb1e2122d2e4da444db78dd551513c500d447bb1e94ceb7f2f8d45223a8a706e2156102f8c8850d2bb02ae6b8ea0c9282abd7baaa2c84130112af15
-
SSDEEP
12288:0L/xX5KVeOnuH/u1Wig295xsmVXf6AaQLmEc+pdmWSwIHUOS6Vp:0bxpUz13g27raQmEcomWSHHUD
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 9 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 49 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\WinLocker Builder v1.4.exe"C:\Users\Admin\AppData\Local\Temp\WinLocker Builder v1.4.exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Upx.exe"C:\Users\Admin\AppData\Local\Temp\Upx.exe" "C:\Users\Admin\Desktop\123123.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Users\Admin\Desktop\123123.exe"C:\Users\Admin\Desktop\123123.exe"1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:81⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2152 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Upx.exeFilesize
283KB
MD5308f709a8f01371a6dd088a793e65a5f
SHA1a07c073d807ab0119b090821ee29edaae481e530
SHA256c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35
SHA512c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28
-
C:\Users\Admin\Desktop\123123.exeFilesize
387KB
MD57335fc512377e72533c3d6c182c7f109
SHA1a775ae9c569d590b6a5b26fc76a4d0f606ef68db
SHA25679b94a3e044f115fd41e2af3b885726054d82568e7871e92d34404feb1d7cf54
SHA5129132af7d45abf14baa9d2bb1e2c2dec85a4d8cfc45419be4914b03d24cb9e6483c12bf8931eb7e177708356aa1e6b4b29f3805455eebc13f249beb1078c7078e
-
C:\Users\Admin\Desktop\123123.exeFilesize
156KB
MD55db99ff87758e0b820d0bcc3ac1acea3
SHA11e450845af3a9a065345c97d6036f50104051645
SHA2565ce50208bfc92741fd650d5a99a3a08d9b6b3336472eb49153fc3d937b4f49f8
SHA512fe0ac4d1c43565cf8e8af353d0b34cfa99e41402612ab38cdbb01a010c342db2db7a3f3c9d37dd9e1d0f529d613c451f8f38c5fdd620a865da5aeffef116da29
-
memory/3140-59-0x0000000000400000-0x000000000057E000-memory.dmpFilesize
1.5MB
-
memory/3140-38-0x0000000000400000-0x000000000057E000-memory.dmpFilesize
1.5MB
-
memory/3256-4-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/3256-5-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/3256-0-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/3256-3-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/3256-2-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/3256-60-0x0000000000400000-0x0000000000545000-memory.dmpFilesize
1.3MB
-
memory/3256-1-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/4048-62-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4048-64-0x0000000000940000-0x0000000000941000-memory.dmpFilesize
4KB
-
memory/4048-66-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4048-69-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4048-71-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB
-
memory/4048-123-0x0000000000400000-0x000000000046B000-memory.dmpFilesize
428KB