Analysis
max time kernel: 42s
max time network: 39s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/09/2024, 12:33
Behavioral task behavioral1
Sample: Bloxstrap-v2.7.0.exe
Resource: win10v2004-20240802-en

Behavioral task behavioral2
Sample: BootstrapperV1.14.exe
Resource: win10v2004-20240802-en
General
Target: BootstrapperV1.14.exe
Size: 421KB
MD5: 17020d673c9355ed597bf69dddbd0b68
SHA1: b524e4e65526e8cf65b6ea60c080b60ad738a44c
SHA256: b70a30f72b328ae08926a668d94bbf15c45abc50e57667a3d9ab6d61fa4c417b
SHA512: ade8acdbb7a689351b57ed02d89aa03b9ed15b7dfff84b99fc5a7d365f34467a8f4f60ad82fc05ea0fc95aee99c5a00ada53bf1ce1f2bf7f0ee6d1ea7e98ffb4
SSDEEP: 6144:hLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPXouPhG:p+u9nx2GjMY3XKfd/H/9PrPhG
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (4 IoCs)
resource                                                                   yara_rule
behavioral2/memory/820-1-0x0000000000400000-0x0000000000470000-memory.dmp  modiloader_stage2
behavioral2/memory/820-3-0x0000000000400000-0x0000000000470000-memory.dmp  modiloader_stage2
behavioral2/memory/820-4-0x0000000000400000-0x0000000000470000-memory.dmp  modiloader_stage2
behavioral2/memory/820-5-0x0000000000400000-0x0000000000470000-memory.dmp  modiloader_stage2
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
description  ioc                                                                        Process
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager  BootstrapperV1.14.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys   BootstrapperV1.14.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc      BootstrapperV1.14.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power        BootstrapperV1.14.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys    BootstrapperV1.14.exe
Key deleted  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc      BootstrapperV1.14.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BootstrapperV1.14.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BootstrapperV1.14.exe"  BootstrapperV1.14.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BootstrapperV1.14.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process
820  BootstrapperV1.14.exe  (the same pid/process pair is reported 64 times)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                          pid   Process
Token: SeShutdownPrivilege           3040  explorer.exe
Token: SeCreatePagefilePrivilege     3040  explorer.exe
Token: SeShutdownPrivilege           3040  explorer.exe
Token: SeCreatePagefilePrivilege     3040  explorer.exe
Processes

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.14.exe"
  PID: 820
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe
  Command line: explorer.exe
  PID: 3040
  - Suspicious use of AdjustPrivilegeToken