Analysis
max time kernel: 120s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 21:22
Static task: static1
Behavioral task: behavioral1
  Sample: 57c6b0ef0c613e7b89e75ba925cebe80N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 57c6b0ef0c613e7b89e75ba925cebe80N.exe
  Resource: win10v2004-20240709-en
General
Target: 57c6b0ef0c613e7b89e75ba925cebe80N.exe
Size: 116KB
MD5: 57c6b0ef0c613e7b89e75ba925cebe80
SHA1: 2cc1808526af22ac1dd8a885735ad8a5e233d5c5
SHA256: fe74b4fc0b1b74f9b4659ac28f601990ee4b1e6b6e6cbb52e03e9300c1571ad8
SHA512: b4475ff5f368a83c591963f009164c81959acccfca82f9eefd6a8ae2eac47bfd8ca690b374fb63bdd7459c297cab1bafe902ef1b303e358bad4930bb63e0526e
SSDEEP: 1536:JOH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5PxV1:JCKQJcinxphkG5Q6GdpIOkJHhKRf1
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (6 IoCs)
Processes:
resource | yara_rule
- behavioral2/memory/3888-46-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
- behavioral2/memory/3888-54-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
- behavioral2/memory/3888-57-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
- behavioral2/memory/3888-60-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
- behavioral2/memory/3888-59-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
- behavioral2/memory/3888-62-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: 57c6b0ef0c613e7b89e75ba925cebe80N.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 57c6b0ef0c613e7b89e75ba925cebe80N.exe
Executes dropped EXE (3 IoCs)
Processes: Flaseher.exe, Flaseher.exe, Flaseher.exe
pid | process
- 4524 | Flaseher.exe
- 2420 | Flaseher.exe
- 3888 | Flaseher.exe
Processes:
resource | yara_rule
- behavioral2/memory/208-8-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- behavioral2/memory/208-11-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- behavioral2/memory/208-12-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- behavioral2/memory/208-55-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- behavioral2/memory/2420-56-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- behavioral2/memory/208-40-0x0000000000400000-0x000000000040B000-memory.dmp | upx
- behavioral2/memory/2420-61-0x0000000000400000-0x000000000040B000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: reg.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe" | reg.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: 57c6b0ef0c613e7b89e75ba925cebe80N.exe, Flaseher.exe
description | pid | process | target process
- PID 3488 set thread context of 208 | 3488 | 57c6b0ef0c613e7b89e75ba925cebe80N.exe | 57c6b0ef0c613e7b89e75ba925cebe80N.exe
- PID 4524 set thread context of 2420 | 4524 | Flaseher.exe | Flaseher.exe
- PID 4524 set thread context of 3888 | 4524 | Flaseher.exe | Flaseher.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: reg.exe, Flaseher.exe, Flaseher.exe, Flaseher.exe, 57c6b0ef0c613e7b89e75ba925cebe80N.exe, 57c6b0ef0c613e7b89e75ba925cebe80N.exe, cmd.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flaseher.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flaseher.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flaseher.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57c6b0ef0c613e7b89e75ba925cebe80N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 57c6b0ef0c613e7b89e75ba925cebe80N.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: Flaseher.exe
description | pid | process
- Token: SeDebugPrivilege | 2420 | Flaseher.exe (64 identical entries)
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: 57c6b0ef0c613e7b89e75ba925cebe80N.exe, 57c6b0ef0c613e7b89e75ba925cebe80N.exe, Flaseher.exe, Flaseher.exe
pid | process
- 3488 | 57c6b0ef0c613e7b89e75ba925cebe80N.exe
- 208 | 57c6b0ef0c613e7b89e75ba925cebe80N.exe
- 4524 | Flaseher.exe
- 2420 | Flaseher.exe
Suspicious use of WriteProcessMemory (38 IoCs)
Processes: 57c6b0ef0c613e7b89e75ba925cebe80N.exe, 57c6b0ef0c613e7b89e75ba925cebe80N.exe, cmd.exe, Flaseher.exe
description | pid | process | target process
- PID 3488 wrote to memory of 208 | 3488 | 57c6b0ef0c613e7b89e75ba925cebe80N.exe | 57c6b0ef0c613e7b89e75ba925cebe80N.exe (8 identical entries)
- PID 208 wrote to memory of 4492 | 208 | 57c6b0ef0c613e7b89e75ba925cebe80N.exe | cmd.exe (3 identical entries)
- PID 4492 wrote to memory of 896 | 4492 | cmd.exe | reg.exe (3 identical entries)
- PID 208 wrote to memory of 4524 | 208 | 57c6b0ef0c613e7b89e75ba925cebe80N.exe | Flaseher.exe (3 identical entries)
- PID 4524 wrote to memory of 2420 | 4524 | Flaseher.exe | Flaseher.exe (8 identical entries)
- PID 4524 wrote to memory of 3888 | 4524 | Flaseher.exe | Flaseher.exe (13 identical entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3488
  Level 2: C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\57c6b0ef0c613e7b89e75ba925cebe80N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 208
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PTFGD.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4492
      Level 4: C:\Windows\SysWOW64\reg.exe
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 896
    Level 3: C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
      Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4524
      Level 4: C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
        Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        PID: 2420
      Level 4: C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
        Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        PID: 3888
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: da0cbe87b720a79b294147ed6a4b98be
  SHA1: ebf0dc9efd7a12cb192e355cda87546acb4ab360
  SHA256: 7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed
  SHA512: f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc
- Filesize: 116KB
  MD5: 0c34429daebe35e160eab45d81970d25
  SHA1: 8f12d742be4aca0abdc865400f066bfadcd253a0
  SHA256: 1bce0dfb020c9bed0a2216e124f0c4070e1e70ebbce5bef347cd4eaaab0c6b0d
  SHA512: 6f1b33b21d6499fbad332640d9ac9a0d045ceb94b74143bf957ec3f78a4be13c2242c28fee500902231b501bf8f350003968e63d797fdc2e64ee88dc946fd16d