Analysis
- max time kernel: 1200s
- max time network: 1150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/08/2024, 23:02

Behavioral task: behavioral1
- Sample: 1.exe
- Resource: win10v2004-20240802-en
- 7 signatures
- 1200 seconds
General
- Target: 1.exe
- Size: 397KB
- MD5: f177be3bd8305a98a135ffd3cd43fbf5
- SHA1: 597fab615dd38df2eec29c5fc8248d826bf3c1f4
- SHA256: 7c07259d10913285d30ef773fef1beca21aed8d5da4995b91f1f4f19125f9d8b
- SHA512: dc429ddd7a9f75a7c7367ee8260a5b6468287215f479e07145726ff934744287873324f2003a69142f10f6dcc345ebc98ea931b96636829da41c075cce069996
- SSDEEP: 6144:MLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXm47:Y+u9nx2GjMY3XKfd/H/9PX7
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2124-1-0x0000000000400000-0x000000000046A000-memory.dmp | modiloader_stage2
  behavioral1/memory/2124-10-0x0000000000400000-0x000000000046A000-memory.dmp | modiloader_stage2
- Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | 1.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | 1.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | 1.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | 1.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | 1.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | 1.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1.exe" | 1.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  2124 | 1.exe (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeShutdownPrivilege | 3440 | explorer.exe
  Token: SeCreatePagefilePrivilege | 3440 | explorer.exe
  Token: SeShutdownPrivilege | 3440 | explorer.exe
  Token: SeCreatePagefilePrivilege | 3440 | explorer.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
  PID: 2124
  Signatures:
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe (tree level 1)
  Command line: explorer.exe
  PID: 3440
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
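The three registry behaviours in the signatures section (SafeBoot\Minimal key deletion, a Run value pointing into the user's Temp directory, and the NLS\Language open) are the parts of this report that translate directly into detection logic. The Python below is an added example, not part of the sandbox report and not ModiLoader or sandbox tooling: it runs those three checks over registry events shaped like the report's IoC rows. The event list is constructed from the rows above plus one invented benign autostart (an "OneDriveSetup.exe" writing a Run value under Program Files) as a negative case; the ATT&CK technique IDs are the standard ones for these signatures. Deleting SafeBoot\Minimal entries such as ProfSvc and UserManager stops those services loading in Safe Mode, which is why that rule is treated as high confidence on its own, whereas NLS\Language opens happen in plenty of benign code and only count as context. The explorer.exe rows (PID 3440) sit at the same tree level as 1.exe rather than under it, so the AdjustPrivilegeToken entries are the sandbox shell's own behaviour, not the sample's, and the example ignores them.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed registry events in the shape of the report's IoC rows (not sandbox
# output). The last row is an invented benign installer autostart used as a
# negative case; every other row is taken from the signatures above.
SAMPLE_EVENTS = [
    {"op": "Key deleted", "pid": 2124, "process": "1.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc"},
    {"op": "Key deleted", "pid": 2124, "process": "1.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager"},
    {"op": "Set value (str)", "pid": 2124, "process": "1.exe",
     "path": r"\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1.exe",
     "value": r"C:\Users\Admin\AppData\Local\Temp\1.exe"},
    {"op": "Key opened", "pid": 2124, "process": "1.exe",
     "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"op": "Set value (str)", "pid": 4100, "process": "OneDriveSetup.exe",  # invented, benign
     "path": r"\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    technique: str  # MITRE ATT&CK technique ID
    detail: str


# Paths are in the kernel form the report uses (\REGISTRY\MACHINE, \REGISTRY\USER).
SAFEBOOT_RE = re.compile(
    r"\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\SafeBoot\\(?:Minimal|Network)\\[^\\]+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE)
NLS_LANGUAGE_RE = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)
# Autostart targets under these user-writable directories are the suspicious case;
# installers normally point Run values at Program Files.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\Users\\(?:[^\\]+\\AppData\\(?:Local\\Temp|Roaming)|Public)\\",
    re.IGNORECASE)


def _finding(ev, technique, detail):
    return Finding(ev["pid"], ev["process"], technique, detail)


def evaluate(events):
    """Apply the three rules and return one Finding per matching event."""
    findings = []
    for ev in events:
        op, path = ev["op"], ev["path"]
        if op == "Key deleted" and SAFEBOOT_RE.search(path):
            # Removing a SafeBoot\Minimal entry stops that service or driver from
            # loading in Safe Mode; benign software has no reason to do this.
            entry = path.rsplit("\\", 1)[1]
            findings.append(_finding(ev, "T1562.009", "SafeBoot entry removed: " + entry))
        elif op.startswith("Set value") and RUN_KEY_RE.search(path):
            target = ev.get("value", "").strip('"')
            if USER_WRITABLE_RE.match(target):
                findings.append(_finding(ev, "T1547.001",
                                         "Run value points at user-writable path: " + target))
        elif op == "Key opened" and NLS_LANGUAGE_RE.search(path):
            # Low signal on its own: locale APIs in benign code open this key too.
            findings.append(_finding(ev, "T1614.001", "opened NLS\\Language"))
    return findings


def summarize(findings):
    """Technique counts per PID, so one process hitting several rules stands out."""
    per_pid = {}
    for f in findings:
        per_pid.setdefault(f.pid, Counter())[f.technique] += 1
    return per_pid


def high_confidence_pids(per_pid):
    """Defence evasion plus persistence from the same PID is worth an alert on its own."""
    return sorted(pid for pid, c in per_pid.items() if c["T1562.009"] and c["T1547.001"])


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f"pid {f.pid} {f.process}: {f.technique} {f.detail}")
    print("high confidence:", high_confidence_pids(summarize(found)))
```

Run against the constructed events, only PID 2124 is reported: two SafeBoot deletions, one Run value in Temp, and the NLS\Language open, while the invented installer's Run value under Program Files is left alone. Feeding the same rules real Sysmon registry events (IDs 12 and 13) needs only a small adapter that maps TargetObject and Details onto the `path` and `value` fields; the HKLM/HKU prefixes those events use would have to be normalised to the \REGISTRY\ form first.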