Analysis
max time kernel: 139s
max time network: 123s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: invoice_2024-05-6577588494.cmd
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: invoice_2024-05-6577588494.cmd
  Resource: win10v2004-20240611-en
General
Target: invoice_2024-05-6577588494.cmd
Size: 3.5MB
MD5: ba2debbaec427ab4f654bccbe788d836
SHA1: 2d0543aebec81e87cfbf8862060d73c4c7dac196
SHA256: 94513f7783348cf8d403be267ab537ba7f4e02a215f28b90675b853d93b79948
SHA512: d4a0c89b0d749a1deb3b2cf47b235854fe6811c5c3e9826cc1ddf057b8ff19845a8f279cedc47b70f575e616114b4cf850cda359cd18e71efbb07dcc4a808d50
SSDEEP: 49152:GA6PFw42qcCUt5GKGhqK6GgCYUMCJwUzun28HMA:r
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Detect packed .NET executables. Mostly AgentTeslaV4. 29 IoCs
ModiLoader Second Stage 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/980-88-0x0000000000400000-0x0000000001400000-memory.dmp | modiloader_stage2
behavioral1/memory/980-90-0x0000000000400000-0x0000000001400000-memory.dmp | modiloader_stage2
Executes dropped EXE 11 IoCs
Processes:
pid | process
2940 | alpha.exe
2092 | alpha.exe
2580 | kn.exe
2692 | alpha.exe
3040 | kn.exe
3032 | Audio.pif
2728 | alpha.exe
2756 | alpha.exe
1784 | cmd.pif
2372 | cmd.pif
980 | rzjnrxpH.pif
Loads dropped DLL 9 IoCs
Processes:
pid | process
2016 | cmd.exe
2016 | cmd.exe
2092 | alpha.exe
2016 | cmd.exe
2692 | alpha.exe
2016 | cmd.exe
2016 | cmd.exe
3032 | Audio.pif
3032 | Audio.pif
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\windows.exe" | rzjnrxpH.pif
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hpxrnjzr = "C:\\Users\\Public\\Hpxrnjzr.url" | Audio.pif
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
7 | ip-api.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3032 set thread context of 980 | 3032 | Audio.pif | rzjnrxpH.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 4 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 6 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
pid | process
3032 | Audio.pif

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
980 | rzjnrxpH.pif
980 | rzjnrxpH.pif

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 980 | rzjnrxpH.pif
Suspicious use of WriteProcessMemory 53 IoCs
Processes (identical events collapsed; the last column gives how many times each was recorded):
description | pid | process | target process | events
PID 2016 wrote to memory of 2040 | 2016 | cmd.exe | extrac32.exe | 3
PID 2016 wrote to memory of 2940 | 2016 | cmd.exe | alpha.exe | 3
PID 2940 wrote to memory of 2984 | 2940 | alpha.exe | extrac32.exe | 3
PID 2016 wrote to memory of 2092 | 2016 | cmd.exe | alpha.exe | 3
PID 2092 wrote to memory of 2580 | 2092 | alpha.exe | kn.exe | 3
PID 2016 wrote to memory of 2692 | 2016 | cmd.exe | alpha.exe | 3
PID 2692 wrote to memory of 3040 | 2692 | alpha.exe | kn.exe | 3
PID 2016 wrote to memory of 3032 | 2016 | cmd.exe | Audio.pif | 4
PID 2016 wrote to memory of 2728 | 2016 | cmd.exe | alpha.exe | 3
PID 2016 wrote to memory of 2756 | 2016 | cmd.exe | alpha.exe | 3
PID 3032 wrote to memory of 1716 | 3032 | Audio.pif | cmd.exe | 4
PID 3032 wrote to memory of 544 | 3032 | Audio.pif | cmd.exe | 4
PID 3032 wrote to memory of 1688 | 3032 | Audio.pif | cmd.exe | 4
PID 3032 wrote to memory of 2824 | 3032 | Audio.pif | extrac32.exe | 4
PID 3032 wrote to memory of 980 | 3032 | Audio.pif | rzjnrxpH.pif | 6
Processes (indented by parent/child depth; image path, then command line, then matched signatures and PID)

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2016

  C:\Windows\System32\extrac32.exe
  C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  PID: 2040

  C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 2940

    C:\Windows\system32\extrac32.exe
    extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    PID: 2984

  C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd" "C:\\Users\\Public\\Audio.mp4" 9
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2092

    C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd" "C:\\Users\\Public\\Audio.mp4" 9
    - Executes dropped EXE
    PID: 2580

  C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2692

    C:\Users\Public\kn.exe
    C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
    - Executes dropped EXE
    PID: 3040

  C:\Users\Public\Libraries\Audio.pif
  C:\Users\Public\Libraries\Audio.pif
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID: 3032

    C:\Windows\SysWOW64\cmd.exe
    cmd /c mkdir "\\?\C:\Windows "
    PID: 1716

    C:\Windows\SysWOW64\cmd.exe
    cmd /c mkdir "\\?\C:\Windows \System32"
    PID: 544

    C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\\Windows \\System32\\cmd.pif"
    PID: 1688

      C:\Windows \System32\cmd.pif
      "C:\\Windows \\System32\\cmd.pif"
      - Executes dropped EXE
      PID: 1784

      C:\Windows \System32\cmd.pif
      "C:\Windows \System32\cmd.pif"
      - Executes dropped EXE
      PID: 2372

    C:\Windows\SysWOW64\extrac32.exe
    C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Hpxrnjzr.PIF
    PID: 2824

    C:\Users\Public\Libraries\rzjnrxpH.pif
    C:\Users\Public\Libraries\rzjnrxpH.pif
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 980

  C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
  - Executes dropped EXE
  PID: 2728

  C:\Users\Public\alpha.exe
  C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
  - Executes dropped EXE
  PID: 2756
Network
MITRE ATT&CK Enterprise v15
Downloads