Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-06-2024 23:34

General

  • Target

    73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe

  • Size

    112KB

  • MD5

    78a5ea6b57d8b722d7c42b0c7ef3d1da

  • SHA1

    9edcb82d629f6e58331e06a504916f24a19bb13f

  • SHA256

    73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2

  • SHA512

    fde35984361d1e02a81da4c1a8cc19b8b15e745cbaab245ca576cd7fae8f192b4998a4a078b7482c067fd93fda129032bbb7a0624def57fa05e77198a3f119bc

  • SSDEEP

    1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud services to fetch and run other malware families.

  • Detects Windows executables referencing non-Windows User-Agents (3 IoCs)
  • ModiLoader Second Stage (3 IoCs)
  • UPX dump on OEP (original entry point) (15 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry (the user's Geo\Nation value under HKCU\Control Panel\International), most likely to geofence execution.

  • Executes dropped EXE (3 IoCs)
  • UPX packed file (10 IoCs)

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Suspicious use of SetThreadContext (5 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of SetWindowsHookEx (5 IoCs)
  • Suspicious use of WriteProcessMemory (46 IoCs)
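The "UPX packed file" signature fires on the sample as it sits on disk, while the "UPX dump on OEP" entries are the sandbox's memory captures taken after the stub finished unpacking. As an added example (not the sandbox's detector and not the sample's code), the Python below implements the two cheapest static UPX tells an analyst checks first: the `UPX0`/`UPX1`/`UPX2` section names and the `UPX!` pack-header magic. The PE bytes it runs against are constructed inline as a header-only skeleton, not a real binary; a modified UPX build that renames its sections and patches the magic, which the signature text allows for, evades both checks.

```python
"""Static UPX tells from a PE section table. Added example; the PE image is
a constructed header-only skeleton, not the sample from the report."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # stock UPX names
UPX_MAGIC = b"UPX!"                               # PackHeader magic written by UPX


def pe_section_names(data: bytes) -> list[bytes]:
    """Walk MZ -> e_lfanew -> COFF header -> section table and return names."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF header starts 4 bytes after the signature:
    # Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) at +16.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(num_sections):
        off = table + 40 * i                      # IMAGE_SECTION_HEADER is 40 bytes
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data: bytes) -> dict:
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": UPX_MAGIC in data,
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or ind["upx_magic"]


def build_fake_pe(section_names, trailer=b"") -> bytes:
    """Constructed, non-executable PE32 skeleton: DOS stub, COFF header,
    zeroed optional header and a section table with the given names."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b""
    for idx, name in enumerate(section_names):
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                                0x1000, 0x1000 * (idx + 1), 0x200, 0x400 + 0x200 * idx,
                                0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections + trailer


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"\0UPX!\0")
    print(upx_indicators(packed), looks_upx_packed(packed))
```

On a real sample, read the file bytes and pass them to `looks_upx_packed`; a hit here justifies unpacking (or, as the sandbox did, dumping at the OEP) before any static string or import analysis, since the packed image carries almost nothing useful.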

Processes

  • C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
    "C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      2⤵
        PID:3276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 84
          3⤵
          • Program crash
          PID:1784
      • C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
        "C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:764
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQRPX.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3040
          • C:\Windows\SysWOW64\reg.exe
            REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
            4⤵
            • Adds Run key to start application
            PID:4676
        • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4944
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Windows\system32\svchost.exe"
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:4840
          • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:2684
          • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
            4⤵
            • Executes dropped EXE
            PID:4488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3276 -ip 3276
      1⤵
        PID:5096
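The tree above is the whole story in miniature: the sample spawns a 32-bit svchost.exe that crashes (WerFault picks it up twice), re-executes itself, drops BQRPX.bat to write an HKCU Run value pointing at WAMain.exe under Roaming, and WAMain.exe in turn starts its own svchost.exe host plus two more copies of itself. As an added example (not the sandbox's own logic), the Python below encodes those reads as triage rules over a transcription of this process list; the records are copied by hand from the report, the rule names are this example's own, and "services.exe is the only expected parent of svchost.exe" is an assumption about a normal Windows host.

```python
"""Triage rules over a sandbox process tree. Added example, not part of the
report. PROCESSES is hand-transcribed from the Processes section above."""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe"
WAMAIN = r"C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"

PROCESSES = [  # pid, ppid (0 = parent not in the tree), image path, command line
    dict(pid=856, ppid=0, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=3276, ppid=856, image=SVCHOST, cmdline=r'"C:\Windows\system32\svchost.exe"'),
    dict(pid=1784, ppid=3276, image=WERFAULT, cmdline=WERFAULT + " -u -p 3276 -s 84"),
    dict(pid=764, ppid=856, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=3040, ppid=764, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQRPX.bat" "'),
    dict(pid=4676, ppid=3040, image=r"C:\Windows\SysWOW64\reg.exe",
         cmdline=r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f'),
    dict(pid=4944, ppid=764, image=WAMAIN, cmdline=f'"{WAMAIN}"'),
    dict(pid=4840, ppid=4944, image=SVCHOST, cmdline=r'"C:\Windows\system32\svchost.exe"'),
    dict(pid=2684, ppid=4944, image=WAMAIN, cmdline=f'"{WAMAIN}"'),
    dict(pid=4488, ppid=4944, image=WAMAIN, cmdline=f'"{WAMAIN}"'),
    dict(pid=5096, ppid=0, image=WERFAULT, cmdline=WERFAULT + " -pss -s 408 -p 3276 -ip 3276"),
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
EXPECTED_PARENT = {"svchost.exe": "services.exe"}   # assumption: stock service-host start


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def parse_reg_add(cmdline: str):
    """Pull key, value name, type and data out of a `REG ADD` command line."""
    m = re.match(r'\s*reg(?:\.exe)?\s+add\s+"?([^"\s]+)"?(.*)$', cmdline, re.I)
    if not m:
        return None
    key, rest = m.group(1), m.group(2)

    def opt(flag):  # /flag "quoted value"  or  /flag bareword
        mm = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, rest, re.I)
        return None if not mm else (mm.group(1) if mm.group(1) is not None else mm.group(2))

    return {"key": key, "value": opt("v"), "type": opt("t"), "data": opt("d")}


def triage(processes):
    """Return (pid, rule, detail) findings for the tree."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name, low = _name(p["image"]), p["image"].lower()
        parent = by_pid.get(p["ppid"])
        parent_name = _name(parent["image"]) if parent else "<none>"

        # Dropped or staged executables running from paths any user can write to.
        if name.endswith(".exe") and any(s in low for s in USER_WRITABLE):
            findings.append((p["pid"], "exe_in_user_writable_path", p["image"]))

        # svchost.exe started by anything but services.exe is a likely injection
        # host; the report pairs it with SetThreadContext/WriteProcessMemory.
        if name in EXPECTED_PARENT and parent_name != EXPECTED_PARENT[name]:
            findings.append((p["pid"], "svchost_unexpected_parent", parent_name))

        # cmd.exe running a batch file out of %TEMP%.
        if name == "cmd.exe" and re.search(r'\\temp\\[^"]+\.bat', p["cmdline"], re.I):
            findings.append((p["pid"], "cmd_runs_temp_batch", p["cmdline"]))

        # Run-key persistence written with reg.exe; rated high when the target
        # lives in a user-writable directory.
        if name == "reg.exe":
            info = parse_reg_add(p["cmdline"])
            if info and "\\currentversion\\run" in info["key"].lower():
                data = (info["data"] or "").lower()
                sev = "high" if any(s in data for s in USER_WRITABLE) else "medium"
                findings.append((p["pid"], "run_key_persistence",
                                 f'{info["key"]}\\{info["value"]} = {info["data"]} [{sev}]'))

        # WerFault reporting on a pid already in the tree: the injected host crashed.
        if name == "werfault.exe":
            m = re.search(r"-p\s+(\d+)", p["cmdline"])
            if m and int(m.group(1)) in by_pid:
                findings.append((p["pid"], "werfault_for_pid", int(m.group(1))))
    return findings


def pids_for(findings, rule):
    return [pid for pid, r, _ in findings if r == rule]


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"{pid:>5}  {rule:<28} {detail}")
```

The same rules apply unchanged to Sysmon event ID 1 (process create) data, which carries the same four fields; the parent check is the one that separates this tree from benign noise, since a SysWOW64 svchost.exe whose parent is a user-profile executable has no legitimate reason to exist.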

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\BQRPX.txt

        Filesize

        148B

        MD5

        3a4614705555abb049c3298e61170b7f

        SHA1

        c8686410756f346d9551256a5b878b04770950ba

        SHA256

        cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b

        SHA512

        65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007

      • C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe

        Filesize

        112KB

        MD5

        32a8cab31a0f51fc9f36b26aa6e4cff6

        SHA1

        c37bf457ee1a082b2e20cb6d7319189b555fe5a6

        SHA256

        ff62d8cdc0463c3d5de3a99996503b243e0c67cc40bd1f4bf18bb592a06ddceb

        SHA512

        1127f0099f3a556feb45a538f612ae94246b6fce3361b4e141457cf09107b1dbb665758f360738df4b9183d352f762e88b572235f76805ad976066dd2a475974

      • memory/764-13-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/764-9-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/764-12-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/764-63-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/856-5-0x0000000002920000-0x0000000002922000-memory.dmp

        Filesize

        8KB

      • memory/856-6-0x0000000002A40000-0x0000000002A42000-memory.dmp

        Filesize

        8KB

      • memory/856-7-0x0000000002A70000-0x0000000002A72000-memory.dmp

        Filesize

        8KB

      • memory/856-10-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

        Filesize

        8KB

      • memory/856-4-0x0000000002900000-0x0000000002902000-memory.dmp

        Filesize

        8KB

      • memory/856-2-0x00000000028C0000-0x00000000028C2000-memory.dmp

        Filesize

        8KB

      • memory/856-3-0x00000000028E0000-0x00000000028E2000-memory.dmp

        Filesize

        8KB

      • memory/2684-67-0x0000000000400000-0x000000000040B000-memory.dmp

        Filesize

        44KB

      • memory/4488-58-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4488-59-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4488-65-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4488-57-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4488-55-0x0000000000400000-0x0000000000414000-memory.dmp

        Filesize

        80KB

      • memory/4840-46-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/4840-49-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/4840-54-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/4840-75-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/4840-42-0x0000000000400000-0x000000000040C000-memory.dmp

        Filesize

        48KB

      • memory/4944-40-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4944-52-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4944-41-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4944-39-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB

      • memory/4944-60-0x0000000000400000-0x000000000041F000-memory.dmp

        Filesize

        124KB