Analysis

max time kernel: 148s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 01:10

Static task: static1

Behavioral task: behavioral1
  Sample: a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
  Resource: win10v2004-20240508-en
General

Target: a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
Size: 1.5MB
MD5: 026413bbfef5671928ad071ec2abb31a
SHA1: 65d9c92d986961ea05431a937f75a193a09de3b0
SHA256: a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3
SHA512: d93cf780d1ad11519e21293254f779fc9fbc14f8fbdd4a86854ed00ce8d39c3bf4c08e7a1da887aeae350c5d3c0a02b9b4e39efd34dbf962ea2d61e3871107c3
SSDEEP: 24576:Gb8mxc3aLtwdDxaSQnr9yceV8FCsKbX3bEyh5lMV/M6x:GRdiRgyrlMV/M6
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud hosting services to fetch and deploy other malware families.

ModiLoader Second Stage 2 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2916-55-0x0000000000400000-0x0000000001400000-memory.dmp   modiloader_stage2
  behavioral1/memory/2916-57-0x0000000000400000-0x0000000001400000-memory.dmp   modiloader_stage2

Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2636  cmd.pif
  1296  cmd.pif
  2916  jvzyuvzH.pif

Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
  1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  process:     a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hzvuyzvj = "C:\\Users\\Public\\Hzvuyzvj.url"
Note that the value is an Internet shortcut (.url) under C:\Users\Public, a directory every local user can write to, rather than a PE file; the shortcut's target is not captured in this report.

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description:    PID 1936 set thread context of 2916
  pid / process:  1936 a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
  target process: jvzyuvzH.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Script User-Agent 2 IoCs
Uses a user-agent string associated with a script host/environment. "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttp.WinHttpRequest.5.1 COM object, so the traffic was generated by a script or program driving that object, not by a browser. The flows themselves (4 and 6) are not included in this export.
Processes:
  description             flow  ioc
  HTTP User-Agent header  4     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  6     Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   process
  2916  jvzyuvzH.pif
  2916  jvzyuvzH.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2916  jvzyuvzH.pif

Suspicious use of WriteProcessMemory 22 IoCs
Processes (identical entries collapsed; the last column is how many times each appears):
  description                        pid   process                                                                  target process  entries
  PID 1936 wrote to memory of 3040   1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe   cmd.exe         4
  PID 1936 wrote to memory of 2380   1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe   cmd.exe         4
  PID 1936 wrote to memory of 2280   1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe   cmd.exe         4
  PID 1936 wrote to memory of 2600   1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe   extrac32.exe    4
  PID 1936 wrote to memory of 2916   1936  a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe   jvzyuvzH.pif    6
The six writes into jvzyuvzH.pif (PID 2916), a process the sample itself started, together with the SetThreadContext call on the same PID and the modiloader_stage2 YARA hits in that process's memory at 0x400000, are consistent with the sample replacing the dropped file's image in memory (process hollowing) rather than the .pif running its own code.
Processes

C:\Users\Admin\AppData\Local\Temp\a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe"
  PID: 1936
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c mkdir "\\?\C:\Windows "
    PID: 3040

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c mkdir "\\?\C:\Windows \System32"
    PID: 2380

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c "C:\\Windows \\System32\\cmd.pif"
    PID: 2280

    C:\Windows \System32\cmd.pif
      command line: "C:\\Windows \\System32\\cmd.pif"
      PID: 2636
      - Executes dropped EXE

    C:\Windows \System32\cmd.pif
      command line: "C:\Windows \System32\cmd.pif"
      PID: 1296
      - Executes dropped EXE

  C:\Windows\SysWOW64\extrac32.exe
    command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe C:\\Users\\Public\\Libraries\\Hzvuyzvj.PIF
    PID: 2600

  C:\Users\Public\Libraries\jvzyuvzH.pif
    command line: C:\Users\Public\Libraries\jvzyuvzH.pif
    PID: 2916
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Two points in this tree deserve attention. First, the "\\?\" path prefix makes the directory creation skip the Win32 normalisation that would otherwise strip the trailing space, so the sample obtains a "C:\Windows \System32" directory next to the real one. That layout is the mock trusted directory technique associated with UAC auto-elevation bypasses; the report only shows that the dropped cmd.pif is executed from it twice (PIDs 2636 and 1296), not what it does. Second, extrac32.exe, a built-in CAB extractor used here in /C copy mode, copies the sample itself to C:\Users\Public\Libraries\Hzvuyzvj.PIF, while the process that then runs is C:\Users\Public\Libraries\jvzyuvzH.pif, the same name reversed; no rename event is captured in this report. The Run key from the signatures section points at C:\Users\Public\Hzvuyzvj.url, whose target is likewise not shown.
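The behaviours in this tree and in the signatures above (mock trusted directory via "\\?\", extrac32 used as a file copier, a Run key pointing at a .url under Public, SetThreadContext into a self-spawned child) are each easy to express as a rule over process, registry and thread events. The following is an added example written for this page, not the sandbox's own detection logic: it runs four such rules over a hand-constructed event list whose PIDs, paths and command lines are copied from the report, while the record layout (type/pid/ppid/image/cmdline/key/value/target) and the small list of copy-capable LOLBins are assumptions of the example.

```python
"""Toy detection pass over sandbox-style process, registry and thread events."""
import re
from typing import List, Optional, Tuple

# Constructed sample events. PIDs, image paths and command lines are copied from
# the process tree, Run-key IoC and SetThreadContext IoC in the report above; the
# record layout (type/pid/ppid/image/cmdline/...) is an assumption of this example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a9ab6ae9fb0198840b9309d04dfeff8cdacd81a4edcc6bc7c32879608ae765b3.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"type": "process", "pid": 1936, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process", "pid": 3040, "ppid": 1936, "image": CMD,
     "cmdline": r'cmd /c mkdir "\\?\C:\Windows "'},
    {"type": "process", "pid": 2380, "ppid": 1936, "image": CMD,
     "cmdline": r'cmd /c mkdir "\\?\C:\Windows \System32"'},
    {"type": "process", "pid": 2280, "ppid": 1936, "image": CMD,
     "cmdline": r'cmd /c "C:\\Windows \\System32\\cmd.pif"'},
    {"type": "process", "pid": 2636, "ppid": 2280, "image": r"C:\Windows \System32\cmd.pif",
     "cmdline": r'"C:\\Windows \\System32\\cmd.pif"'},
    {"type": "process", "pid": 2600, "ppid": 1936, "image": r"C:\Windows\SysWOW64\extrac32.exe",
     "cmdline": r"C:\\Windows\\System32\\extrac32.exe /C /Y " + SAMPLE
                + r" C:\\Users\\Public\\Libraries\\Hzvuyzvj.PIF"},
    {"type": "process", "pid": 2916, "ppid": 1936, "image": r"C:\Users\Public\Libraries\jvzyuvzH.pif",
     "cmdline": r"C:\Users\Public\Libraries\jvzyuvzH.pif"},
    {"type": "registry", "pid": 1936, "value": r"C:\Users\Public\Hzvuyzvj.url",
     "key": r"HKU\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hzvuyzvj"},
    {"type": "set_thread_context", "pid": 1936, "target": 2916},
]

Finding = Tuple[int, str, str]  # (pid, rule name, evidence)


def argv(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def has_trailing_space_component(path: str) -> bool:
    # Win32 strips trailing spaces from ordinary paths, so "C:\Windows " cannot
    # normally be created; the \\?\ prefix bypasses that normalisation, which is
    # how the sample builds a look-alike of the trusted Windows directory.
    parts = path.replace("\\\\", "\\").split("\\")
    return any(p.strip() and p != p.rstrip() for p in parts)


def rule_mock_trusted_dir(ev: dict) -> Optional[Finding]:
    """Creation of, or execution from, a directory whose name ends in whitespace."""
    if ev["type"] != "process":
        return None
    for p in [ev["image"], *argv(ev["cmdline"])]:
        if has_trailing_space_component(p):
            return (ev["pid"], "mock_trusted_dir", p)
    return None


COPY_LOLBINS = {"extrac32.exe", "expand.exe"}  # assumption: a minimal list of built-in copiers


def rule_lolbin_copy(ev: dict) -> Optional[Finding]:
    """A built-in extractor used in copy mode (/C) to drop a file with an executable extension."""
    if ev["type"] != "process":
        return None
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    args = argv(ev["cmdline"])
    if image not in COPY_LOLBINS or len(args) < 3:
        return None
    dest = args[-1]
    if "/c" in (a.lower() for a in args) and dest.lower().endswith((".pif", ".exe", ".dll", ".scr")):
        return (ev["pid"], "lolbin_copy", dest)
    return None


def rule_run_key_abuse(ev: dict) -> Optional[Finding]:
    """Run-key value that is a shortcut (.url/.lnk) or lives in the world-writable Public profile."""
    if ev["type"] != "registry" or "\\currentversion\\run\\" not in ev["key"].lower():
        return None
    target = ev["value"].strip('"')
    low = target.lower()
    if low.endswith((".url", ".lnk")) or low.startswith("c:\\users\\public\\"):
        return (ev["pid"], "run_key_abuse", target)
    return None


def rule_hollowing_candidate(ev: dict, events: List[dict]) -> Optional[Finding]:
    """SetThreadContext into a process the actor itself spawned: the hollowing pattern."""
    if ev["type"] != "set_thread_context":
        return None
    child = next((e for e in events if e["type"] == "process" and e["pid"] == ev["target"]), None)
    if child is not None and child["ppid"] == ev["pid"]:
        return (ev["pid"], "hollowing_candidate", f"target pid {ev['target']} image {child['image']}")
    return None


def scan(events: List[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in (rule_mock_trusted_dir, rule_lolbin_copy, rule_run_key_abuse):
            hit = rule(ev)
            if hit:
                findings.append(hit)
        hit = rule_hollowing_candidate(ev, events)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for pid, rule, evidence in scan(EVENTS):
        print(f"PID {pid:>5}  {rule:<20} {evidence}")
```

Against the constructed events the pass reports the four trailing-space paths (the two mkdir calls and the two cmd.pif launches), the extrac32 copy to Hzvuyzvj.PIF, the .url Run value and the SetThreadContext into PID 2916; jvzyuvzH.pif itself triggers nothing, which is the point: the loader's suspicious actions are all performed by the parent, and the hollowed child only shows up as a target.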
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 94KB
  MD5: 869640d0a3f838694ab4dfea9e2f544d
  SHA1: bdc42b280446ba53624ff23f314aadb861566832
  SHA256: 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
  SHA512: 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

- Filesize: 182KB
  MD5: 3776012e2ef5a5cae6935853e6ca79b2
  SHA1: 4fc81df94baaaa550473ac9d20763cfb786577ff
  SHA256: 8e104cc58e62de0eab837ac09b01d30e85f79045cc1803fa2ef4eafbdbd41e8d
  SHA512: 38811cb1431e8b7b07113ae54f1531f8992bd0e572d9daa1029cf8692396427285a4c089ffd56422ca0c6b393e9fca0856a5a5cd77062e7e71bf0a670843cfb8