Analysis
-
max time kernel
59s -
max time network
59s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
20-09-2024 19:35
General
-
Target
9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe
-
Size
270KB
-
MD5
92224916dece7e83fe34e50756dc866b
-
SHA1
ce1221fd9fd4f2373d1b2a69bcff3480da35ad23
-
SHA256
9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef
-
SHA512
f7beb58ae58662eba921e3f0c82b225417f3ab2970ae58050630fd336fddc64b68350dc33ca99405157fa50711f08155dac590e1fe6cdf39b6a81fe3898424be
-
SSDEEP
6144:apFZywoS9KT/qXAtzF5jaaFqgDfZstH1Sb:8ZdPKXjaaFqist4b
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
ModiLoader Second Stage 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe"C:\Users\Admin\AppData\Local\Temp\9e21262444644ed806b67c9c21bb89e8e5579ab1ef596ad08632bf744784f2ef.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Server.exe"C:\Users\Admin\AppData\Local\Temp\Server.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe"C:\Users\Admin\AppData\Local\Temp\Wifi Password Hack 2014.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Extracted\Wifi.exe"C:\Extracted\Wifi.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 8244⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Extracted\Wifi Password Hack 2014.exe"C:\Extracted\Wifi Password Hack 2014.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
95KB
MD5ceb33e90bc90c8b6dad6e20d0756405d
SHA1d1bb29aa192f49e87824490f5afdbf1e2dffbe34
SHA256590213081e69fb24eceabb4947b939b9451f2ee87ae7c3a6441e970e3eff3979
SHA5129c04ed1e0bce4faf79627bafffa9c8c87ad20d0845903c52f51fad927e7237e88b468afe3c43fc64fc7f39e29484ed5bdabd5523641f2d62386ba99c868298ae
-
Filesize
69KB
MD5d890349dbb670a7fcd7e293f5e55b6a5
SHA1288ae6a90efad5da83dfa4fd3ce0d3981e267a96
SHA256fd25a7082c8623f4b2397ae4d090d1bd441fee5331b064ff002af3ec13bd77fa
SHA512b68c3a89482180f1bcc6b21f66e850e90ced6308d5e5618e33a09ff818686fc4c61706d28edefa44742dedc75630a3bee7bd7075828dae72916b82e29bd976aa
-
Filesize
23KB
MD52361cd0f4e2639717d64832700337e5b
SHA1990a35cc7012d4b6c3eb7bb7c167e113349ab6bd
SHA25643357bcafd427aaf96fdf3495bf38ba402090b7ac9b46ba13520381f5027d1ad
SHA5129d55edcc78e7547aea6f15b9439b6140adac6df2b1f3f0e45333a2337a9dffc9522525b1df27e25cfd56f451d3dcd8f44f5cd84a743fefc046467e170dbf2971
-
Filesize
217KB
MD527a51cbe1f0290b27b5e936356446b58
SHA1cfc304447b7f07774ede994ccecc9db69a95b978
SHA2568128299e7b54c80d097ea7ee65a47d78bc45a5ff99f98fe59195d58fd94dceed
SHA5121ded2a9b56565547b0280c8ef04db474e50adf3b030bbf12df88514781fb146afc38d0e87c66756bd654c5741c4f49ddacd041828a73213abcbf938edfb64112
-
Filesize
226B
MD56a313f19181d97d006898ad025d4ef6a
SHA1c090484def4c90eee1d0c974c38940c4f669d771
SHA2562cfc6311c0e60140a2b804b3bf5ebe2f6eac7e56c3c7c9cab97eba1e361178a6
SHA5122ed531365117e9e263ace01e8be9780bd9644e3fded528e8508172d08ead753152aff690592afc8143031a62d21537382735c9a1bce795a201873b82eda02021
-
Filesize
344KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
128KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
4.8MB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
300KB