Analysis

max time kernel: 136s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 23:34

Static task: static1

Behavioral task: behavioral1
Sample: 73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
Resource: win10v2004-20240508-en
General

Target: 73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
Size: 112KB
MD5: 78a5ea6b57d8b722d7c42b0c7ef3d1da
SHA1: 9edcb82d629f6e58331e06a504916f24a19bb13f
SHA256: 73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2
SHA512: fde35984361d1e02a81da4c1a8cc19b8b15e745cbaab245ca576cd7fae8f192b4998a4a078b7482c067fd93fda129032bbb7a0624def57fa05e77198a3f119bc
SSDEEP: 1536:t2ovIa47CqIf2f3w41p7sDcX7juR/JSJw8EeNshUDGXJ:tVIr7zI+fAceoGxSKKo5
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Detects Windows executables referencing non-Windows User-Agents (3 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/4488-59-0x0000000000400000-0x0000000000414000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4488-58-0x0000000000400000-0x0000000000414000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4488-65-0x0000000000400000-0x0000000000414000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

ModiLoader Second Stage (3 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/4488-59-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
behavioral2/memory/4488-58-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
behavioral2/memory/4488-65-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
UPX dump on OEP (original entry point) (15 IoCs)
Processes:
resource  yara_rule
behavioral2/memory/764-9-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
behavioral2/memory/764-12-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
behavioral2/memory/764-13-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
behavioral2/memory/4840-42-0x0000000000400000-0x000000000040C000-memory.dmp  UPX
behavioral2/memory/4840-49-0x0000000000400000-0x000000000040C000-memory.dmp  UPX
behavioral2/memory/4840-54-0x0000000000400000-0x000000000040C000-memory.dmp  UPX
behavioral2/memory/4488-59-0x0000000000400000-0x0000000000414000-memory.dmp  UPX
behavioral2/memory/764-63-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
behavioral2/memory/4488-58-0x0000000000400000-0x0000000000414000-memory.dmp  UPX
behavioral2/memory/4488-57-0x0000000000400000-0x0000000000414000-memory.dmp  UPX
behavioral2/memory/4488-55-0x0000000000400000-0x0000000000414000-memory.dmp  UPX
behavioral2/memory/4840-46-0x0000000000400000-0x000000000040C000-memory.dmp  UPX
behavioral2/memory/4488-65-0x0000000000400000-0x0000000000414000-memory.dmp  UPX
behavioral2/memory/2684-67-0x0000000000400000-0x000000000040B000-memory.dmp  UPX
behavioral2/memory/4840-75-0x0000000000400000-0x000000000040C000-memory.dmp  UPX
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
Executes dropped EXE (3 IoCs)
Processes:
pid  process
4944  WAMain.exe
2684  WAMain.exe
4488  WAMain.exe
Processes:
resource  yara_rule
behavioral2/memory/764-9-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/764-12-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/764-13-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4488-59-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/764-63-0x0000000000400000-0x000000000040B000-memory.dmp  upx
behavioral2/memory/4488-58-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4488-57-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4488-55-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/4488-65-0x0000000000400000-0x0000000000414000-memory.dmp  upx
behavioral2/memory/2684-67-0x0000000000400000-0x000000000040B000-memory.dmp  upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows WA = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WAMain.exe"  reg.exe
Suspicious use of SetThreadContext (5 IoCs)
Processes:
description  pid  process  target process
PID 856 set thread context of 3276  856  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  svchost.exe
PID 856 set thread context of 764  856  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
PID 4944 set thread context of 4840  4944  WAMain.exe  svchost.exe
PID 4944 set thread context of 2684  4944  WAMain.exe  WAMain.exe
PID 4944 set thread context of 4488  4944  WAMain.exe  WAMain.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
pid  pid_target  process  target process
1784  3276  WerFault.exe  svchost.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid  process
4840  svchost.exe (all 64 entries are identical)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description  pid  process
Token: SeDebugPrivilege  2684  WAMain.exe (all 64 entries are identical)
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
pid  process
856  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
764  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
4944  WAMain.exe
4840  svchost.exe
2684  WAMain.exe
Suspicious use of WriteProcessMemory (46 IoCs)
Processes (identical entries collapsed, with their count):
description  pid  process  target process  count
PID 856 wrote to memory of 3276  856  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  svchost.exe  4
PID 856 wrote to memory of 764  856  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  8
PID 764 wrote to memory of 3040  764  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  cmd.exe  3
PID 3040 wrote to memory of 4676  3040  cmd.exe  reg.exe  3
PID 764 wrote to memory of 4944  764  73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe  WAMain.exe  3
PID 4944 wrote to memory of 4840  4944  WAMain.exe  svchost.exe  9
PID 4944 wrote to memory of 2684  4944  WAMain.exe  WAMain.exe  8
PID 4944 wrote to memory of 4488  4944  WAMain.exe  WAMain.exe  8
Processes

C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe"
  PID: 856
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\system32\svchost.exe"
    PID: 3276

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 84
      PID: 1784
      - Program crash

  C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\73b259c72cb2531e001a0eaa1c9d87d1a2c0385fb6073eb9f9782273db0903e2.exe"
    PID: 764
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQRPX.bat" "
      PID: 3040
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\reg.exe
        command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows WA" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe" /f
        PID: 4676
        - Adds Run key to start application

    C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
      PID: 4944
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\svchost.exe
        command line: "C:\Windows\system32\svchost.exe"
        PID: 4840
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        PID: 2684
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\WAMain.exe"
        PID: 4488
        - Executes dropped EXE

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3276 -ip 3276
  PID: 5096
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 148B
MD5: 3a4614705555abb049c3298e61170b7f
SHA1: c8686410756f346d9551256a5b878b04770950ba
SHA256: cff0663c8cfadf83b80583a871c313ffc5d950cb503809cb4a482f400c5d846b
SHA512: 65ce6fec00e6934f21635e7ccd74757f31ed4b0ddb52bd80d3ea9abeba56340128d23151ef7d9f5daacb5d61e4a4cca50dbb3a43132e350522311ee06e829007

Filesize: 112KB
MD5: 32a8cab31a0f51fc9f36b26aa6e4cff6
SHA1: c37bf457ee1a082b2e20cb6d7319189b555fe5a6
SHA256: ff62d8cdc0463c3d5de3a99996503b243e0c67cc40bd1f4bf18bb592a06ddceb
SHA512: 1127f0099f3a556feb45a538f612ae94246b6fce3361b4e141457cf09107b1dbb665758f360738df4b9183d352f762e88b572235f76805ad976066dd2a475974