General

  • Target

    Batch_2.zip

  • Size

    6.0MB

  • Sample

    241122-ctbzbsykhq

  • MD5

    4b0434ee95a7ed21bd35a7824360f6e6

  • SHA1

    595bca71378490bd11db6237735c4ab524b43cc6

  • SHA256

    8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

  • SHA512

    1b35d0d0304a52a13d41e0ed979fee45d1b238df7a0ab6d9ee590cda33da4c4bceb44c2bd567763eb54e893882853b81aff42a2386b8b1c05c7dcfc07173cf4c

  • SSDEEP

    196608:KpdJTVD7+Ts66FiucqX0gJqSrjj56onVjnqK1prd:cdJV7+AKucqEgMwXoshTprd

Malware Config

Targets

    • Target

      30bc4934d7e29c8c4c4c9be0510fc7558fddf8db666a0343784c5cf1587b3af0.exe

    • Size

      184KB

    • MD5

      ee041688d36494fdddf710a3ddb873bd

    • SHA1

      1a93d78c2b2262c02e1fffd54d3f5f4aa8400b76

    • SHA256

      30bc4934d7e29c8c4c4c9be0510fc7558fddf8db666a0343784c5cf1587b3af0

    • SHA512

      c76e2b1bcdc179e358c159c87dde5c185cdec3659e7c33db686f04e3845547ef489ce600a51e99e10b26b0d33fbdca25edf2e1b9dbb81d4ed7f845c9167a17e0

    • SSDEEP

      3072:zsj3FGQtB/fDq/8QJ+mkkk9mADOS0WlbEJV1OaqpEZtBgoh1vErXhcKrWfyB:gj3cQtB/fFQJekHSLbAxpmcKrW

    Score
    6/10
    • Drops desktop.ini file(s)

    • Target

      338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13.exe

    • Size

      6KB

    • MD5

      f297544a20bda66ee6f98e3dc91060c6

    • SHA1

      3e140a5df3161ff5d3935b1139275e07903cfff5

    • SHA256

      338fdf3626aa4a48a5972f291aacf3d6172dd920fe16ac4da4dd6c5b999d2f13

    • SHA512

      3f626ba5a5153a0a0a0d7b09e810689f5c79e9d0d017bb639fbc18b3d0c052ad179bb994b4fb25f0030c06bb8b741819620e65622c6bc47584ca24e2520c78a7

    • SSDEEP

      96:lia+ERqIgNI9X6xIzKSnjeKk/GJi/T9oCN1GzNt:liauIq/SnjC/VpRQ

    Score
    1/10
    • Target

      342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20.exe

    • Size

      1.2MB

    • MD5

      a393b9536a1caa34914636d3da7378b5

    • SHA1

      5aced706d9f6a0bb6a95c8bdf1e123485219a123

    • SHA256

      342933cb4cbb31a2c30ac1733afc318a6e5cd0226160a59197686d635ec71b20

    • SHA512

      4ac4b2c2f87d305f3073f79136cec44cacca296f75451c6d67653b9de4a2b871409a11631e5ff5d76478c3043e5f47040e72e2f86db1536079f586c12ebd42de

    • SSDEEP

      12288:2CdOy3vVrKxR5CXbNjAOxK/j2n+4YG/6c1mFFja3mXgcjfRlgsUBgac9Q9bNHTQx:2Cdxte/80jYLT3U1jfsWakQpNHTQx

    • Renames multiple (153) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Target

      343ace5874a5854858e11e6c196007bffc045717ed29db9b03f23d01568e8303.exe

    • Size

      510KB

    • MD5

      565dacda99cc8d28d3e650b4d85e8d24

    • SHA1

      6c5f2ab498ae16332a3863e45d35e47e1aabe001

    • SHA256

      343ace5874a5854858e11e6c196007bffc045717ed29db9b03f23d01568e8303

    • SHA512

      534eeda2e7c99ffef2bf023aa3f68739953ecbdfabcd57ad41af08c8c563fe27f7f8be04e80bdc2904ed0632984968551ddb107917fbe6dfc7a0e704af313946

    • SSDEEP

      12288:M7iBDowvTfS6ublBri5g3D7eJit/mUZ5jI0B57g3l1TV0:/EkStbjfdteUZ+0BQ7TV

    • Disables Task Manager via registry modification

    • Event Triggered Execution: Image File Execution Options Injection

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies system executable filetype association

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      34818CE171EA150B91429AC1DD6FBE49.exe

    • Size

      170KB

    • MD5

      34818ce171ea150b91429ac1dd6fbe49

    • SHA1

      765f7cea9ae6e126181e5a78b897304913530d4d

    • SHA256

      502386cb2288ce85af522da55916b5a05c71d9a32a80cec396bc4cdd0e0ac665

    • SHA512

      e44b009eef9710787ddf63d5038e15112969ef5ac952520f772b5ab78dfe57c42f7562044642f573c9480c76569ef9a7912cc5cd1b0472e4d61c25e79a03bfb0

    • SSDEEP

      3072:xUiScf7Taa44mVg6zMe4sfPZfE8dreM9aSW3OKojVbc7n4CRWLvSFlp6+qvv1:xUUm4mG6zwQLaM9aKjRg0SLlK1

    Score
    8/10
    • Disables Task Manager via registry modification

    • Target

      360390_crypt.exe

    • Size

      2KB

    • MD5

      955fc65f54fa12afaa5199585d749e67

    • SHA1

      b4b401f7ce39cdc1444c7505206f22e2d8177336

    • SHA256

      286f57eb83302eaee7fda4836e4197136f7f9de0b6e4ff3df7649e3bf2f82389

    • SHA512

      d9b35e6e92af712586424228986b9a45dea5ac1b7e54bcaecc6b24d558589d4fb1976c66f11de591be2855b0900bfb0b111bad3b0c1e81f62387f1d3f725245a

    Score
    4/10
    • Target

      360390_tree.cmd

    • Size

      15KB

    • MD5

      49163792f3b8c4f62018670033e9fc82

    • SHA1

      f2d8da51a9371cebc0fd41cb3d86f3768e791fae

    • SHA256

      4637c6b332d640450e7cb3ae6a6b0d7d4451454770699acf364d855e28805267

    • SHA512

      2fd7a02da20ca41c27b30f272bbf3bb186187492fc927a9dc8c7ea36b22c9e8ac6906428cab27eb7f907a21f352a2c7ed6ce60e48e0d9c35238a71ee8be6efad

    • SSDEEP

      192:iJCJ+JGJ6JaJeJWJSJSJeJ2J2bJ6JeJGJiJiJ+JmJ6JaJeJWJSJSJ05:iIU8Ao8Ug4UMcbYM0goUcAIcUg4C5

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Target

      3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

    • Size

      516KB

    • MD5

      b2b0e6184b82144f65389d39f1eadd0d

    • SHA1

      17311fb1fb33da5f303ae30ee7b4b60b80985d2e

    • SHA256

      3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db

    • SHA512

      d1abc2c74aa2bad9ac8a59c1552904e6d65717786ed7a193c4fcda23218371bcad0953848f1e1c5b9df50a86e2549c6da35c6e372366826dc25f042107a8babb

    • SSDEEP

      12288:j3nZMhJ+ubNmzdCanVtkEY70mOpFRxd/GAXl0xtiNe96bgRO:j3nZqfbkzkcvElOpPj/DA2+6ERO

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • Target

      3a061ee07d87a6bb13e613e000e9f685cbffb96bd7024a9e7b4cb0be9a4af38c.exe

    • Size

      831KB

    • MD5

      093e50c2d493f7300abcbfc4ed40c955

    • SHA1

      8ffa33374b41c1ff4a209de04badac2c51fcd081

    • SHA256

      3a061ee07d87a6bb13e613e000e9f685cbffb96bd7024a9e7b4cb0be9a4af38c

    • SHA512

      2e086b06c64c610971e804365394b6e1607eff7036ae43dca7f49104086c2a57e1a8360959e3ffce6efb034044a3326feb3ffa7331ee5993ceb92f8f1ccf1166

    • SSDEEP

      12288:DWvcsSHPUCdmmBeBCvxg1AcqY+4w5sZLZWp9VR3kb5L+s5ENOeQiV1Li/k6Xm:eummBqaJG7qRGLeYeXV1i/kS

    Score
    3/10
    • Target

      3af4fa2bffaab37fd557ae8146ae0a29ba0faf6d99ad8a1a8d5bf598ac9a23d1.exe

    • Size

      603KB

    • MD5

      1a81ed9b043c7bffb1177a4d13dd8065

    • SHA1

      c47711d08eaa7dea7299bc205b86e99dd3c40fcc

    • SHA256

      3af4fa2bffaab37fd557ae8146ae0a29ba0faf6d99ad8a1a8d5bf598ac9a23d1

    • SHA512

      b5842a22df1c77c49b86e348008b8eeb8f295d6b34f93c0ed8ea1b0edfdaeacb2446cf952de7b2fc7a5943e22495caf3f68f893809919376642e91103cfcd041

    • SSDEEP

      6144:QuML75oIlCGJPY2Z2AlptXbgz0+Q4odCGfTnpbEdd/fudqsa0jucQgBMacCGNoEx:koHEHblpWz0jPLhEfgP6WMDoEOYQwfE

    Score
    3/10
    • Target

      3bb691982de416a7a4e57b91211e80bea82dcca7b4bdbf25c0c80451dc138421.exe

    • Size

      205KB

    • MD5

      458c1cbd0ff849119214e739d8815f37

    • SHA1

      64d26b1614693f15bed6bd4f4d2a6a35b2c4bc9f

    • SHA256

      3bb691982de416a7a4e57b91211e80bea82dcca7b4bdbf25c0c80451dc138421

    • SHA512

      695f17ca034f7c894bb87bf04db20a2387f144ade77188f497870d3711d0871c721b86327769cd393366b162229ad649671e111aa5b5b80d676156f47ededd08

    • SSDEEP

      6144:JJOIZvsEy+fDjKSGXwLfjFU/coiqilMi:JJOIKEy+ffKerjFtoiLMi

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

    • Target

      3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458_Dumped_TDS=4FBA3695.exe

    • Size

      72KB

    • MD5

      facdc4646b7f1876349cf72d6490f1d4

    • SHA1

      27bfa893b2f73ed61764a2f2f3bfa0b03b5f76fa

    • SHA256

      fef9c6c514e2ee00b96f6d33026f91080e43ed854d3aff103826d5063c9e7778

    • SHA512

      8a8f08230ced45ed6e06351ee5c2ae5afe2e52a7a0284fbe74474cb9aab848a5e4226d041f4c3d50ab45c855d627e5e581a4fb66c43ace6c4ab092597985aa4a

    • SSDEEP

      768:Fchho/bbYYwktIZwTUtv3h12jG6hdYWnXAjpWTbBbIKP077hPsxPaq77tiy/r:KjoDMYwEINR8j/Yu2pqOd77hPxy

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      3e3f980ab668ccde6aafee60ce16e3c35cd91e9b59bff20ce1615d5fb362a458_TDS=4FBADA26.exe

    • Size

      52KB

    • MD5

      ca61cd4036c218e8197896c5b97515dc

    • SHA1

      26520452eda2e766052d35630e59ecf7ce8de629

    • SHA256

      9118d694540722bf703ae0b0e7fdfd5d04878fc289615bbed9aeea524535ec9c

    • SHA512

      4528291fe2a96ede9a886b579b40923d7d0951b59e6bc51a397db84c413854a213a68e0abe6c0a4aece80101167527f2b1cce0a08c5ba2539de9a0e0c1cb103f

    • SSDEEP

      768:lGUGWHeFkc68dT0Ju3GBZJBATs6lV3jWpG0R5Kb8AD:lBJeKO10JWKCIesPrK8

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      3e75e8238a6bbd8817164658696198af_72889f61171de37d6b4d59016c55ec52__2.exe

    • Size

      244KB

    • MD5

      3e75e8238a6bbd8817164658696198af

    • SHA1

      3c0246b41063f5ea26de9d96301774836270eff3

    • SHA256

      669ae51d73a3fac117ec39195efb969cb41a16fadecfe412ad83b767b25ae2ae

    • SHA512

      7e0ba0eac7395162c071fd21bd9b525de6df25067c01dbda28e1d33072159b9c4c40ec87e52e9abe1b186aaaef36f0de728f1849f566fb4c2d42a620da6d65af

    • SSDEEP

      3072:JrwLB3HRdkT9MyJHT+/PBuZqWq6aIDMVV3dWklykCbZx5:Jrw5HjkT9MyJHeBuZh3DMVNbykgZx

    Score
    6/10
    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      400cad56ff3d210346cf6c4795aeb607e5b211b3dc4a8421b9437621c254239a.exe

    • Size

      1.9MB

    • MD5

      b2db12c684763da2cba50c6346376ef5

    • SHA1

      f186ccba2d7566968b8d14552e7dd3e6898c35f4

    • SHA256

      400cad56ff3d210346cf6c4795aeb607e5b211b3dc4a8421b9437621c254239a

    • SHA512

      db2be27e5bc919bff1f8c58b9d66a9767f15731391cdc1a185755016b17461d8c7c77b62ecace75cc226011537a0dc3de6e9b38fef5a1f2db20d0bebc203abfa

    • SSDEEP

      12288:uNE0rbJMurexwCPEbA0RgxegWWDeNNU1TH1wd6PO:RxSb5REjSNIVwd6W

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Adds Run key to start application

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      40b3cb2a210fafdaabdebefe1430862bd1192a80fcde84f51ceb387136d1410c.exe

    • Size

      268KB

    • MD5

      12666b5054cc0cb62cf758736340c1bc

    • SHA1

      0f9ec608413918adef409e8e97612b6e71fd1bc7

    • SHA256

      40b3cb2a210fafdaabdebefe1430862bd1192a80fcde84f51ceb387136d1410c

    • SHA512

      df49dbcd1f2f0bf0d0129cb4e5dd343fc9fba1b46a7fc24db3e1fd560816ae86e79c360873ac06c62876051f622a9a54a327c3aa3019ecdad4a32f9dc9a68a77

    • SSDEEP

      6144:1AZMCVtysJu4wCZt953XCWSntmb6IEACyoO+:u2wXCBWLEA5n+

    • Target

      425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b_Dumped_TDS=4F8C315F.exe

    • Size

      116KB

    • MD5

      50e3871f540b228941b8ef76ef0d543e

    • SHA1

      ba51fc4ecff55d7c504db666d970490118153afc

    • SHA256

      160e7c9806857f1dfae4191a338c4e9341f1f589b6ed72f4cf6e10db483e3af6

    • SHA512

      16acd834a04b43eed8954d74a884032ae73439ffaefaf51f043fa19a7af7a71cdcf19a752d67194f6b15df1272947bd5522895a266e971a3e241d34aea79bf7f

    • SSDEEP

      1536:df/SovFSSZtDgN+DpDkDEFtCw0YF8965L+vpCYC:J/zv0SZtDgN+Dp+Er0YF896WpTC

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b_TDS=4F9906FF.exe

    • Size

      63KB

    • MD5

      1303adf0a0aa3ff3b4a7c818c452853c

    • SHA1

      330994319ccf08918d0464006ae8221980e177ee

    • SHA256

      425c42d6108db6b6b5cbda7a5417b5f55225c47ac588f5f0a293c2b07a78d14b

    • SHA512

      18915a18963179ee6d5d32a3fc97b55f3073002c1ed9dd24f6fe539f72b9834411ccf6973c5009b6e1fd299465f5e7180b7bc4eb6054f5c4aacbc61c33c634b2

    • SSDEEP

      1536:24sx1uXJZg0vvIL66nqsD2JwAG9MMo5Vl4T/uWKVy6/849XL:2/O5ZzvvH6qsD2Djl4TWWKgghRL

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      42d77128db6bea33966478f01aecda1cf6c17bf9ab5d5782650c1b32cd63bae7.exe

    • Size

      107KB

    • MD5

      7d51abf861c7d1de546b7fddc1800e01

    • SHA1

      d6bbf02ec922ba035d863ec813221f15ab4c2bfb

    • SHA256

      42d77128db6bea33966478f01aecda1cf6c17bf9ab5d5782650c1b32cd63bae7

    • SHA512

      068893628cc9e46117866e2526bb57cea6c13f898e930c3366fcfab457807673270e3f9b4b8740b99c15f521adc775970d5d2a505f2270980805dfc705ddc7e6

    • SSDEEP

      3072:nAsj8MBX8s0oXJ4455EGag707Igl8BTs6bdr:nAsBZyyhaS07Igl8BTsYr

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      4561647.exe

    • Size

      7KB

    • MD5

      ebbc82f619471384f392efd5c4d05883

    • SHA1

      17d91b45c8615d0f09d1100d2be396cbcba21fde

    • SHA256

      e972af26d5261da3daa1e12e11f357e1e4ce19cd43997f6b7a925a5b9cc8614c

    • SHA512

      3e33bd22c440e9ab4a065d216467c1220780aa2a39a38ea4aec81d050d3e6048e87244341fbeac2cdefebae9fe987b713e0d4fcf34adf1390b5ccda6dd448241

    • SSDEEP

      96:uP/EuJO5ER8KDGrru1M2mIspl5SgOj9/xVKzAQTH1osaxnkK:unE5ORTD91M2mIGyxhp2AQRONkK

    Score
    9/10
    • Renames multiple (980) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Deletes itself

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      457C9141ECDD9E9CFC61551FEA2BCB86AFF56CC8.exe

    • Size

      274KB

    • MD5

      d476d735ba41702724d7dd7f5d1c32c3

    • SHA1

      457c9141ecdd9e9cfc61551fea2bcb86aff56cc8

    • SHA256

      1fc62e423ea4522f559aebf7642efe2c83a563c6eeff0192432725efde096e1a

    • SHA512

      66337c6180d095d9b7447dcd0a4b9a3cce2e81f3c0ee3bf94e8cc0285f9395a045b8f250abb1fd82d0de1aefe20dc9353857f51201b722caf805c63661b39e20

    • SSDEEP

      6144:8AsBZW+83AjJJkjb8elFfnBhnjgGxuXUYMoRf1ThAIR:L+MAj94FpljjuXL/l12IR

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks for common network interception software

      Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VirtualBox drivers on disk

    • ModiLoader Second Stage

    • Adds policy Run key to start application

    • Contacts a large (541) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883.exe

    • Size

      738KB

    • MD5

      7bb86f70896668026b6d4b5367286d6a

    • SHA1

      045a3418eb97c7f21bb13419e35f1d2e3e06bbc7

    • SHA256

      46a9660c57e244636a28df62e0879300a62552ab9b5cfd4708ff677af7453883

    • SHA512

      fbddb09cad41351b81e86546d4287c9b6d85fd5312bf4e31ba7ff32451097258e9724e2614a9049647c2c7057cf614f6810321d0b117d47d81127b85f3737f8e

    • SSDEEP

      12288:f0WNgzknmWB2idjljtvHTHiiXuMvCQPyiyX7rJVIaP0vQ5M0rirmgRcdalSjEQgC:MWmzVWNZPvHzXuuPyzteQ5LahGv3

    Score
    3/10
    • Target

      46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c_Dumped_TDS=4FB252FB.exe

    • Size

      72KB

    • MD5

      2f862bf4b81d28ad47473982828040bd

    • SHA1

      eae46ba66a32e1e6a2d25f7a6f59e3c7d5262133

    • SHA256

      e9e3c177d2985cde769b405789d1aa7cf8ed76de6da1d5f7bf89b8bc7d940bf6

    • SHA512

      6f1961e05266c16eaf4dc7f10749347c23970c08bc5b80457be347a60e4f0c2b85df56b6d1be702758f6d807fdf4c31ec1e4b9faa40574ac4c60585b45282790

    • SSDEEP

      768:e+X2MKhRw7+am7nx3h1OPG0H+l65Fuj0AjmWTbsbIK9QnjVP9xPao1X7tiHCQ+r:e4KIqamtRMPJQoh2mqxTnjVPqiQ

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c_TDS=4FB566FC.exe

    • Size

      56KB

    • MD5

      a73ac649aebb5530a09b8fe03ec465e3

    • SHA1

      d1f1e3faec50e7eddffba2889a69c8601eb8dc07

    • SHA256

      46ca6b1972c81eab77202146184afe95b797bd4e3788c59e8036e748b55fc28c

    • SHA512

      445f0a3c71362671b0d2722a73934ada8ee0e3c6e953bd3be28672f21dcc72593b7d2d4c86a61cc5f9f5bdf57d8df360cfdaa7d42c6fcae8ca8985b20d8d8190

    • SSDEEP

      768:msLq/bYHR22nktR88rcBjjPkY5e2fD+x6LJ7hR5iSa:Tqzg2BtR8imvPkY5P+xcJ5iS

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Target

      4e60f3c8eaa0441d4ffdced18aa04153bb91b5470bc5441ba5878f7760ca9b5b.exe

    • Size

      168KB

    • MD5

      dbe78231174b03239eb262cc2d2d0900

    • SHA1

      fc472223cd9aee3cf912fc401bd47774569d07ac

    • SHA256

      4e60f3c8eaa0441d4ffdced18aa04153bb91b5470bc5441ba5878f7760ca9b5b

    • SHA512

      27561377d217c449e4730a0eab69cd1edd68480ea22e6b3c8fee0e76603acc36cbc420c204b3ecf98f0dde4cf731cad6937751c780c796c7192a84ad1823d2ba

    • SSDEEP

      1536:rBUzOE+2x+/m2x+kDgJF+2x+/m2x+kDgWGekNsGekNFuJGekNsGekNcl:wOE1+l+kcJF1+l+kctphpG

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Drops desktop.ini file(s)

    • Target

      4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0_Dumped_TDS=4F9911B3.exe

    • Size

      116KB

    • MD5

      5a580ab3f5b3806da853459e9ef7b368

    • SHA1

      df93c0f0dd694ab49646b539418b67d83eafccb5

    • SHA256

      5f60eed8e27867c843387fe7fece3af688586a40c8d3dd2c27647b23cc200fdc

    • SHA512

      91ecd8f00f4cd6c7d199eb365cb7cfa414bcab41b144fe7a5f43529e560201a81284cdb3a3d18d252e2eb4429a67f2db5718eacc8bf1eeb072958c0a4be20a3b

    • SSDEEP

      1536:tf/YvFSSZtDgN+DrDkDEFtCwbfF89lGL+vpCYC:Z/Yv0SZtDgN+Dr+ErbfF89llpTC

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0_TDS=4FA6FBBB.exe

    • Size

      72KB

    • MD5

      1a66abe89c44b16736fa4d48f6cbffa3

    • SHA1

      3d7d129c053a6d000db9bcaba0e9974ec150965b

    • SHA256

      4f0b6605434c1355b10950024eaa9f695822278f57c29275706c0e5b29b369b0

    • SHA512

      d85ad8a0fd237e0e2e111d808fac15410b43e76917e28ccd4a5e5d8ca5e868629ef251e1e4e981f9ef347764ce1ef7749f63e65af315ed4d00b03250c58bcdad

    • SSDEEP

      1536:QQTenC7dlI+kmGR9sQQ9bPVBGDTz4FGTc:QGqdmGR9VQ2TzeU

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Target

      4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309.exe

    • Size

      484KB

    • MD5

      0a7b70efba0aa93d4bc0857b87ac2fcb

    • SHA1

      01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

    • SHA256

      4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

    • SHA512

      2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

    • SSDEEP

      6144:lqHKx3YCgy8HmmjJpnVhvLqCO3bLinIz1wASx:lqHoyHNj/nVhvLcyII

    Score
    7/10
    • Drops startup file

    • Target

      Versamento.Pdf______________________________________________________________.exe

    • Size

      446KB

    • MD5

      93cbe4ed3d46abe732a124a41e7147a2

    • SHA1

      94a24be60d90479ce27f7787a86678472aabdc6e

    • SHA256

      89e71eb0a6403725d2f95cb9e6506b8b139a6948a61dc1c5cfedf18648241ec4

    • SHA512

      8f46af90d8a2d78da003a8a395fd7f74cc235595238ee3a3e4d87fee2aa4c8abf6ece403bb3726122d3825437f5d079ea1f8d6b275153bb76b3b0d75c243ef09

    • SSDEEP

      6144:XOOxeLzWoeNqagVRUvOWcTwlOcTeP8uENXIEQSdO8c/AVxYflxiW:txeHWoA/Wr0lfQ8BfLkIVxYfrd

    • Target

      4fda5e7e8e682870e993f97ad26ba6b2.000.exe

    • Size

      363KB

    • MD5

      4fda5e7e8e682870e993f97ad26ba6b2

    • SHA1

      d1b17c351bafc899ba14c84e09b5cc258a2195bf

    • SHA256

      4c71d1e15287d7a90b0526c23dbe21400a65fe683eb75e88368696f1aa24ac21

    • SHA512

      4bad5099458b0dc4ad025793186abc0e446cf01dc8c926bf4315514badad9dd5a97d43645b2650b67c1cc0995b4b1a22f55b8d97fcc04353f394584944ea8e92

    • SSDEEP

      6144:vB7I+/9sgTC0yFRQy6gntOtq7mjfYQqbJoCulex5BuqZ1Cfejt9KftlT03cmvfH/:vK+/NTdgCqazYQeoCSEZZX85Y3vfHF

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Target

      5 Rules for Snort.doc

    • Size

      49KB

    • MD5

      62136f5df0820cc715dd2588c1449393

    • SHA1

      56a93d6cd44a612c054522c3adcb77f3b117b300

    • SHA256

      2e1136a2bfddb108cd3b3a60761113797265b281085ae35e185a4233d2e75d8e

    • SHA512

      e34504e3f131c0209c55da3411ec25380737e3d08a1021a9cde31691f5a533f60f1a3a0ccc364ef7b6a2e4c68d3edd0e5485559d1e0de899a9f6d2754fd1740d

    • SSDEEP

      384:K6nw8jaXLGkMFtv/2Su1Y5xAEO3QG9yhB+m9VvK2m6aj0jphRG:K64bG5xp89yz2jGh

    Score
    7/10
    • Deletes itself

    • Target

      502de64ee4fe0133a1ea5efa4919c03bbca1adc2.exe

    • Size

      377KB

    • MD5

      09963f553929ef4cced4c44e8ec4e9c2

    • SHA1

      502de64ee4fe0133a1ea5efa4919c03bbca1adc2

    • SHA256

      fcf187d75ec63c7bea8a45b18c558418bc0d1502cf01bbee76928e122c5db6b8

    • SHA512

      84cb5fa5e485f07703008c2da9de45654b750df9457752c584270c979f4c06d097efda3920007184f672f309ba909c9e801cb3399ba58f385e4598fa195d3d3a

    • SSDEEP

      6144:ILsgG5ppzgGwDdGtfssKkz+LLf8LRaLGYeCHs4pmGnu0mfLQwsDMc9aPtb88fm5W:MDZXx/msXmjxa1aPNWVqJKoplb

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Drops desktop.ini file(s)

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, macro
Score
8/10

behavioral1

discovery
Score
6/10

behavioral2

Score
1/10

behavioral3

discovery, persistence, ransomware, spyware, stealer
Score
9/10

behavioral4

discovery, evasion, persistence
Score
8/10

behavioral5

discovery, evasion
Score
8/10

behavioral6

discovery
Score
4/10

behavioral7

persistence, spyware, stealer
Score
7/10

behavioral8

bootkit, discovery, persistence, spyware, stealer
Score
7/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

credential_access, defense_evasion, discovery, execution, impact, persistence, ransomware, spyware, stealer
Score
9/10

behavioral12

Score
7/10

behavioral13

discovery
Score
7/10

behavioral14

discovery
Score
6/10

behavioral15

discovery, evasion, persistence, upx
Score
9/10

behavioral16

defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral17

discovery, persistence
Score
7/10

behavioral18

discovery, persistence
Score
7/10

behavioral19

discovery, persistence
Score
7/10

behavioral20

discovery, ransomware
Score
9/10

behavioral21

modiloader, discovery, evasion, execution, persistence, trojan
Score
10/10

behavioral22

discovery
Score
3/10

behavioral23

Score
7/10

behavioral24

discovery
Score
7/10

behavioral25

discovery, persistence
Score
8/10

behavioral26

discovery, persistence
Score
7/10

behavioral27

discovery, persistence
Score
7/10

behavioral28

discovery
Score
7/10

behavioral29

collection, defense_evasion, discovery, evasion, execution, impact, persistence, ransomware, trojan
Score
9/10

behavioral30

discovery, spyware, stealer
Score
7/10

behavioral31

discovery
Score
7/10

behavioral32

defense_evasion, discovery, execution, impact, ransomware, spyware, stealer
Score
9/10