Analysis
max time kernel: 118s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/09/2024, 06:21 UTC
Behavioral task: behavioral1
Sample: 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
Resource: win10v2004-20240802-en
General
Target: 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
Size: 130KB
MD5: 08a59310c928f2706a19e864fca055e0
SHA1: 79f36cf4745ae8b7b2aaec401e17e7f283d6d0a2
SHA256: 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4
SHA512: 6105e834677b16a20e60b686bbfc881d1b3c42c3493be5cad7432726d37e63e1bdf11cfddd59e64b551a08867d0ed62f4340642b60a9b728d32db6c893a0a473
SSDEEP: 1536:mH1ZaQvR1KiX3NK6I+hZhYrt/w5Q6G6IpiRYzz9qJHhhnm0yG5aP/5UROXTmNJn:6KQJcinxphkG5Q6GdpIOkJHhKRyOXKn
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 6 IoCs
resource | yara_rule
behavioral2/memory/3260-49-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
behavioral2/memory/3260-54-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
behavioral2/memory/3260-57-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
behavioral2/memory/3260-53-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
behavioral2/memory/3260-60-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
behavioral2/memory/3260-65-0x0000000000400000-0x0000000000411000-memory.dmp | modiloader_stage2
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
-
Executes dropped EXE 3 IoCs
pid | Process
244 | Flaseher.exe
3624 | Flaseher.exe
3260 | Flaseher.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.Flasfh = "C:\\Users\\Admin\\AppData\\Roaming\\..Flash\\Flaseher.exe" | reg.exe
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 548 set thread context of 4268 | 548 | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe | 85
PID 244 set thread context of 3624 | 244 | Flaseher.exe | 95
PID 244 set thread context of 3260 | 244 | Flaseher.exe | 96
-
yara_rule upx 15 IoCs
resource | yara_rule
behavioral2/memory/548-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/548-6-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/4268-11-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4268-14-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/4268-15-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/548-17-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/4268-16-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/files/0x000700000002350c-33.dat | upx
behavioral2/memory/4268-44-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/244-43-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/244-45-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/244-46-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/244-61-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral2/memory/4268-62-0x0000000000400000-0x000000000040B000-memory.dmp | upx
behavioral2/memory/3624-64-0x0000000000400000-0x000000000040B000-memory.dmp | upx
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flaseher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flaseher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flaseher.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3624 | Flaseher.exe (this identical row is recorded 64 times)
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
548 | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
4268 | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
244 | Flaseher.exe
3624 | Flaseher.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | Process | procid_target | times recorded (identical rows collapsed)
PID 548 wrote to memory of 4268 | 548 | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe | 85 | 8
PID 4268 wrote to memory of 4476 | 4268 | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe | 87 | 3
PID 4476 wrote to memory of 4652 | 4476 | cmd.exe | 90 | 3
PID 4268 wrote to memory of 244 | 4268 | 6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe | 91 | 3
PID 244 wrote to memory of 3624 | 244 | Flaseher.exe | 95 | 8
PID 244 wrote to memory of 3260 | 244 | Flaseher.exe | 96 | 13
Processes
(process tree; indentation shows parent/child depth)

[depth 1] C:\Users\Admin\AppData\Local\Temp\6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe"
    PID: 548
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 2] C:\Users\Admin\AppData\Local\Temp\6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\6a08049a06a5b8bb7d667bb94cb66699e4ece7badb5a06afc9b3f163a94cafd4N.exe"
        PID: 4268
        - Checks computer location settings
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [depth 3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKPUB.bat" "
            PID: 4476
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ".Flasfh" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe" /f
                PID: 4652
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

        [depth 3] C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
            Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
            PID: 244
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
                Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
                PID: 3624
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

            [depth 4] C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe
                Command line: "C:\Users\Admin\AppData\Roaming\..Flash\Flaseher.exe"
                PID: 3260
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
Network
DNS traffic. Every query below went to 8.8.8.8:53. Columns: query | type | sent | received | requests | responses | answer recorded on the page (blank where the page shows none). Rows are in the order the page lists the connections; row 17 is a single connection that carried two queries and received one response.

 #  | query                        | type   | sent  | received | requests | responses | answer
 1  | 209.205.72.20.in-addr.arpa   | IN PTR | 72 B  | 158 B    | 1 | 1 |
 2  | 240.221.184.93.in-addr.arpa  | IN PTR | 73 B  | 144 B    | 1 | 1 |
 3  | 64.159.190.20.in-addr.arpa   | IN PTR | 72 B  | 158 B    | 1 | 1 |
 4  | 95.221.229.192.in-addr.arpa  | IN PTR | 73 B  | 144 B    | 1 | 1 |
 5  | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 6  | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 7  | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 8  | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 9  | 18.31.95.13.in-addr.arpa     | IN PTR | 70 B  | 144 B    | 1 | 1 |
 10 | 50.23.12.20.in-addr.arpa     | IN PTR | 70 B  | 156 B    | 1 | 1 |
 11 | 98.117.19.2.in-addr.arpa     | IN PTR | 70 B  | 133 B    | 1 | 1 | 98.117.19.2.in-addr.arpa IN PTR a2-19-117-98.deploy.static.akamaitechnologies.com
 12 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 13 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 14 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 15 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 16 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 17 | justgonnatry.hopto.org (x2)  | IN A   | 136 B | 128 B    | 2 | 1 |
 18 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 19 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 20 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 21 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 22 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 23 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 24 | 48.229.111.52.in-addr.arpa   | IN PTR | 72 B  | 158 B    | 1 | 1 |
 25 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 26 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 27 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 28 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
 29 | justgonnatry.hopto.org       | IN A   | 68 B  | 128 B    | 1 | 1 |
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 145B
MD5: da0cbe87b720a79b294147ed6a4b98be
SHA1: ebf0dc9efd7a12cb192e355cda87546acb4ab360
SHA256: 7ccfeff356fdccc9145bd1e263aa1c56360ca7b6552ed5a5665c596d02a627ed
SHA512: f55c4a3d24d2f11db5eda3c816d1cd3b8804a171a7bf715b13d60788247fbb352eafaa5bd4e0a8086c1013396be0a48c7bdb904ab0f974fa0c75e81e3d365acc
-
Filesize: 130KB
MD5: a4b93c01752ec193654a751c17c44efe
SHA1: f6565225e6776546c92522d8dcb042ef436c32d5
SHA256: a6ce4a3b930faea7e7707fda2564511958dccb05de76c47510b593f0d888d435
SHA512: 81e5e81ab805b6acbe39a2a082202bef15fe5d2419cdc7690849c6dfc164c0add836391ee722664783cc8e9b9e0de352c2fcea668a10466b1423fcfd2c4ba809