Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-10-2024 23:21

General

  • Target

    TheWarz-Crack.exe

  • Size

    1.2MB

  • MD5

    6b035800be70ccbedd9154a9ae57d03b

  • SHA1

    c7de2eba384c891723b4a17753ee00129f5fe973

  • SHA256

    e621a036413f70d0a00dbe48de5773dceea1429dc1864aebe90cb277583690de

  • SHA512

    1b41dc9bf8c040ca33d26da8986f346ff6be02bf2197b78c96b2c6dbb45ba19bf4b31d8eeb4e715c78507b78ea6d2b05d039fb28e11ec8750fc5080a42c318d7

  • SSDEEP

    24576:yzjh/FIFRPOUS01XpN4wEpv7I+CqSfhvuwGHEqPb2LxBxf3y:CKFNSEpN4NpvcAyBudHTCFq

Malware Config

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • njRAT/Bladabindi

    Widely used RAT written in .NET.

  • ModiLoader Second Stage (8 IoCs)
  • Modifies Windows Firewall (2 TTPs, 1 IoC)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (7 IoCs)
  • Adds Run key to start application (2 TTPs, 4 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (34 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe
    "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3860
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Users\Admin\AppData\Local\Temp\FB_72AF.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\FB_72AF.tmp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe
            "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe"
            5⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2596
            • C:\Windows\SysWOW64\netsh.exe
              netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\TheWarz-Crack-1.exe" "TheWarz-Crack-1.exe" ENABLE
              6⤵
              • Modifies Windows Firewall
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:432
        • C:\Users\Admin\AppData\Local\Temp\FB_7475.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\FB_7475.tmp.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3296
          • C:\Users\Admin\AppData\Roaming\Wrnia.exe
            "C:\Users\Admin\AppData\Roaming\Wrnia.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            PID:3680
        • C:\Users\Admin\AppData\Local\Temp\FB_7486.tmp.exe
          "C:\Users\Admin\AppData\Local\Temp\FB_7486.tmp.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1788

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\FB_72AF.tmp.exe

    Filesize

    29KB

    MD5

    614ee07b628e4994d4d7f1b9beda6ece

    SHA1

    0171581e8d76d2d922027f4f072cff8215c55abb

    SHA256

    b4458b76c0ade6678ac78a74dfa38dff4125d39210717b2c2bdd271bdd733cef

    SHA512

    c279ff78b25f40bde2f64ab33ba5a2b9b4046e68a4e2089121118173930eaab813f48e8a30f569b25a316c79cc4e42df18df8c219a258096d5ce9359f007e001

  • C:\Users\Admin\AppData\Local\Temp\FB_7475.tmp.exe

    Filesize

    36KB

    MD5

    bc31fb751e47491430d909c72c5529c9

    SHA1

    c1a5925786cf7729d04f765cd1cd47fab5ddcf95

    SHA256

    aecbf1535c7be968369ce966f8478cc55dd311f122565f5ee7d627cd302f4921

    SHA512

    03af1955cd15bf239a1e3ec768f66320b17a84e06d977fa3aa1aa1e1b7c03db78e10a6e8d94ffa504b56fc649722a3fd6dcbec95335d888d20c2ade989a8355d

  • C:\Users\Admin\AppData\Local\Temp\FB_7486.tmp.exe

    Filesize

    723KB

    MD5

    ca554c5962d17073e7ce0e65e505158c

    SHA1

    5d09fe7bac713a0e03b3b1322019f86dd10a2c9e

    SHA256

    448565c452f2c88c73061548aa46c1dbdc281567dffc2abec39e7eb177f230cb

    SHA512

    969408b0975c6e0288b3bd5e5521fa092712d8cc9fe23f9166751d0f1e2f5c570712bc91c8602c0474dd0c6a2ef52975b06736295dca7f9d9fbb7a8da2fc8b27

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

    Filesize

    851KB

    MD5

    4c687cafefcab325c62847a3910c71a9

    SHA1

    882409e2d437758967ffbe8d9740dd35a86e95c6

    SHA256

    fb635a07236ad5395238b0e18ba87f60264d93bc8a2e13805b661f528a185793

    SHA512

    97b730f00751df1a41670b079c1f784709f8ce79b3eaece05be0007ddb8f8566876a93b21be459dbb9f91e265b45c88565dda3a1e7501a4f63b2b7255a9cd5de

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

    Filesize

    716KB

    MD5

    aa8a27f555ba52a3057d1ebd59e51193

    SHA1

    fbc1b0916e428969d2e7e11f2a0c5bd6449ad05f

    SHA256

    09cd260d8a7a59b6e123b59d1d7ccdb289d56ccf7be4952451768bbafee305d2

    SHA512

    04bbf4d273bebd851725b5b4cae007413983cdb7efef56f8d88995493f5c8d0afa29accd7d8135ac686acbde8c8f7507c23969b4f5315409dedc2e4d34fdcfb3

  • C:\Windows\SysWOW64\accessibilitycpI.dll

    Filesize

    302KB

    MD5

    0d313a81c8b3b25e58ea49359242bea4

    SHA1

    7d9e242e418a982f248f9981b10b64830d67d802

    SHA256

    3000f91791e0b3331ccc130d0bc5d94b2ae5fc529b3924a2e97002e3251d926b

    SHA512

    63f9bef6ad11372b241b5e679c63c2164e21073f8a99b7442d89e301b017e5e2f0c344ef3df0227506837816c86e7539899a9c1499cefa0b18c257f8f87837a7

  • memory/1788-74-0x0000000005280000-0x00000000052D6000-memory.dmp

    Filesize

    344KB

  • memory/1788-73-0x0000000005080000-0x000000000508A000-memory.dmp

    Filesize

    40KB

  • memory/1788-56-0x0000000000640000-0x00000000006FA000-memory.dmp

    Filesize

    744KB

  • memory/1788-64-0x0000000005090000-0x0000000005122000-memory.dmp

    Filesize

    584KB

  • memory/1788-58-0x0000000004F30000-0x0000000004FCC000-memory.dmp

    Filesize

    624KB

  • memory/1788-62-0x00000000055A0000-0x0000000005B44000-memory.dmp

    Filesize

    5.6MB

  • memory/3296-61-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/3680-126-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/4460-19-0x0000000000400000-0x00000000052E8000-memory.dmp

    Filesize

    78.9MB

  • memory/4460-51-0x0000000000400000-0x00000000004CA000-memory.dmp

    Filesize

    808KB

  • memory/4460-47-0x0000000000400000-0x00000000052E8000-memory.dmp

    Filesize

    78.9MB

  • memory/4460-21-0x0000000000400000-0x00000000052E8000-memory.dmp

    Filesize

    78.9MB

  • memory/4460-17-0x0000000000400000-0x00000000052E8000-memory.dmp

    Filesize

    78.9MB

  • memory/4756-15-0x0000000002330000-0x0000000002335000-memory.dmp

    Filesize

    20KB

  • memory/4756-7-0x0000000002310000-0x0000000002312000-memory.dmp

    Filesize

    8KB