Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-11-2024 01:43
General
-
Target
0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb.exe
-
Size
1.2MB
-
MD5
53f0663219e6091cecd600c59389711f
-
SHA1
f1986a61c2cb0107444fbd3e8075a25e21fb26ca
-
SHA256
0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb
-
SHA512
9d466680cc90f57ada29495e32592084ec6daf37cdc53f2776a720d66f0284b09c619a25c9ede8e73e91b8c20d2a7ab5dfee0504ba7454389ce842afd27962a1
-
SSDEEP
24576:KdKnJlmwhG7vohKM4br2gza6HR2zlPQxL/F99UljJes8lSnQ:KCl70YOLSes8lSQ
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 61 IoCs
-
Executes dropped EXE 16 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in System32 directory 9 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Modifies data under HKEY_USERS 5 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb.exe"C:\Users\Admin\AppData\Local\Temp\0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\aymtmquJ.cmd" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o3⤵
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o3⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 103⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\xpha.pifC:\\Users\\Public\\xpha.pif 127.0.0.1 -n 104⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows \SysWOW64\per.exe"C:\\Windows \\SysWOW64\\per.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\esentutl.exeesentutl /y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe /d C:\\Users\\Public\\pha.pif /o4⤵
-
-
C:\Users\Public\pha.pifC:\\Users\\Public\\pha.pif -WindowStyle hidden -Command Add-MpPreference -ExclusionPath 'C:\Users'4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW643⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Public\alpha.pifC:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\esentutl.exeC:\\Windows\\System32\\esentutl.exe /y C:\Users\Admin\AppData\Local\Temp\0161d30defee14b9bdac49068c63a344320c11330acdfc10952c025637684adb.exe /d C:\\Users\\Public\\Libraries\\Juqmtmya.PIF /o2⤵
-
-
C:\Users\Public\Libraries\aymtmquJ.pifC:\Users\Public\Libraries\aymtmquJ.pif2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 4843⤵
- Program crash
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3524 -ip 35241⤵
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD594737b2267b56167c9686182be6fd077
SHA116bef30eb3b0d9fd5d4deb0bb593c0afbbe19d28
SHA2561a348ac02d5c2e2aff32a136350a7084e86e7bf34cc35c900a215211064070c7
SHA512bb94169167f3b5a9298152a2a74c134449a53df5b219b77c214e0844ed15603a5d988f9ce7e62a87fee1654e2df51710f57917eacd58e21144c0baad0fcb4246
-
Filesize
1.3MB
MD5f04a2f75d4cebe46cdf6c58e5611555c
SHA17c3f4553017704856089c87c57f83208adf779f6
SHA256ce6d8b6256e9f5c7d6145de85a3d0a3a6565a1206f21ba007161954e79996fad
SHA5122d8e6fd953134693a78b5c10ab3a7a4eed696add0509d7509d5b72136d1edb47daa008ece098752283c5ec7d6871312fbc9c46eb81056db095c2419d59471b7e
-
Filesize
1.3MB
MD55010b3dd6dd26448bd1f7fea14a79dcb
SHA152896915e7eacc837b8898c628d6a0324c4c5995
SHA256be81d0f1621e35cea615e2ab20d3e361df1e69d91f28a1dfa60014b4db91d09b
SHA5122dc670832b0a5ac0356f2e725ec43da40b28a6daf202b15cb2e6d2f27b5003c734246cf5b74c071c5e04b94252b23dfadceb71e7a884bb98493c1f8883d5d730
-
Filesize
2.1MB
MD5de52fdae060c494accdb4e58919e0680
SHA18e92eb02ef9e63ebdca163cb157fc9ef6cc4b36a
SHA256e5d21f439382e540e18ce7dfce0bd8f3355e9667f1f1b2cc55003da873a94790
SHA512326943b5c771be79b93add4cdb9786b463600b9fae9813f5ee4048cc2a4d71f230b64f1bb0ee17946262e312737272194b7f1bd7a4552f1c61bcffb79f16aa04
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
60KB
MD5b87f096cbc25570329e2bb59fee57580
SHA1d281d1bf37b4fb46f90973afc65eece3908532b2
SHA256d08ccc9b1e3acc205fe754bad8416964e9711815e9ceed5e6af73d8e9035ec9e
SHA51272901adde38f50cf6d74743c0a546c0fea8b1cd4a18449048a0758a7593a176fc33aad1ebfd955775eefc2b30532bcc18e4f2964b3731b668dd87d94405951f7
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
231KB
MD5d0fce3afa6aa1d58ce9fa336cc2b675b
SHA14048488de6ba4bfef9edf103755519f1f762668f
SHA2564d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA51280e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
18KB
MD5b3624dd758ccecf93a1226cef252ca12
SHA1fcf4dad8c4ad101504b1bf47cbbddbac36b558a7
SHA2564aaa74f294c15aeb37ada8185d0dead58bd87276a01a814abc0c4b40545bf2ef
SHA512c613d18511b00fa25fc7b1bdde10d96debb42a99b5aaab9e9826538d0e229085bb371f0197f6b1086c4f9c605f01e71287ffc5442f701a95d67c232a5f031838
-
Filesize
115KB
MD5fc9b64a2b1006891bf39ebf395b4eba8
SHA10e98ba291d77ff8a57b5ebe198ff0c2e6c2bea00
SHA2561093d0809ed5223c8ea2d723032c0ee2bfd1d971ad6ac69904983ec545000b3d
SHA5129d5a9716b71b436dd465cdf8ed8471747828420cec7c5dad3406072e53f8de6e31253968e55ef49dc19a8245993b00164f193a3752cc16fce3887c4737db906d
-
Filesize
94KB
MD5869640d0a3f838694ab4dfea9e2f544d
SHA1bdc42b280446ba53624ff23f314aadb861566832
SHA2560db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA5126e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7
-
Filesize
1.2MB
MD5cf2478349b10949e6674ec0996a867e0
SHA1fb6fc20a1caf1d60892da1dc2bb7af3208a225dc
SHA256114fa0a57ef876bc641cd57bd5a65a64a28282638447d0e0bc95aeec2fb489e2
SHA51263ca9f83f0ed93029f2f1be4138d8e8e1fe1a3a826d29d7f67c52b4b04ad959ad501deb8f378697e7ebf5ac43c662446dca5e0f0ad17a23876e8bff2e105b560
-
Filesize
1.2MB
MD5a64a9932e563295907a101933180816b
SHA132eaac81c0392b0c289381ff0d84bcef5e8eb1ad
SHA256507a3d0f370df92b7490aca30b5483aef53436b750af9f4aa017d654d3257c95
SHA5129e60f96462e7064af9c411b35ad5b9ec78fed7f023d3d2e300071c2c6623026bdf4ce48cf05280d57c2dc0821ca6ef6e97438572704f358a342a193c3bf12437
-
Filesize
1.2MB
MD5a0310bd1cd3af787a89b4da114261e82
SHA1251b6cdf9bce185d12cc16c6abdde804ec20289a
SHA2563dbfba6b2b9111fa858822b7328f46087602e55b824feb7e9edbf36adcf21276
SHA512baee6f84360aa9663278119923ee22026ba085cbbd25f3c79c1ae216465dd94f25cb44f6a94adae2790fd43666c8ce44b8d66f8c0f20c9e7841a5f91441b27e1
-
Filesize
1.3MB
MD5be859870d8ce8728abc8a9b4cffb3e61
SHA17231c58c1a89b78d00be56e9d7fe3332aeb7fcb6
SHA25603144f3aa68fdb4698c2e9f7f477a869f0c36d00ee0f2b38ba080624172c61c2
SHA51243ea465ba93e518ac485717a359a2477160e513d481d2ecb09291140ef022b764631058158cbf525325d1166118cd1f472675353300be4cf37adbc827816c535
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
2.0MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
1.2MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
136KB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
2.2MB
-
Filesize
2.2MB