Analysis
- max time kernel: 120s
- max time network: 116s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2024 00:38
Behavioral task: behavioral1
- Sample: 3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
- Resource: win10v2004-20241007-en
General
- Target: 3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
- Size: 94KB
- MD5: fb0dd103eb3d2de5f8dfea694b13938b
- SHA1: fbd8954f0f05ee2dcae5751c413fe5ed0924ed07
- SHA256: 3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4
- SHA512: 90605d6ed49b0fa22ae8d5b186eb4bcdf5257b1d85ff0b93c4c6b744fb849810dfc59506f4e845036d64c7d68c467c07d01e84998da221cd83bd066765ade8c3
- SSDEEP: 1536:/pdyL9GjGiwA1z0PmVggNJKbFD2BBMx1RiwmPJr3raDk5BRf13KH9m2POE/d:/pdyLALwACPmV3NYaYLiwIt3raA5BRfe
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader Second Stage (4 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/3116-50-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
    behavioral2/memory/3116-52-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
    behavioral2/memory/3116-51-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
    behavioral2/memory/3116-59-0x0000000000400000-0x0000000000414000-memory.dmp  modiloader_stage2
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                               Process
    Key value queried  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation  3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   Process
    5060  csrsll.exe
    3392  csrsll.exe
    3116  csrsll.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                                                   Process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win Pdf = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrsll.exe"  reg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description                          pid   Process                                                                  procid_target
    PID 460 set thread context of 3740   460   3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe  83
    PID 5060 set thread context of 3392  5060  csrsll.exe                                                               91
    PID 5060 set thread context of 3116  5060  csrsll.exe                                                               92
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/460-0-0x0000000000400000-0x0000000000456000-memory.dmp    upx
    behavioral2/memory/3740-5-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/3740-7-0x0000000000400000-0x000000000040B000-memory.dmp   upx
    behavioral2/memory/460-10-0x0000000000400000-0x0000000000456000-memory.dmp   upx
    behavioral2/memory/3740-11-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral2/files/0x0008000000023c7b-27.dat                                  upx
    behavioral2/memory/5060-37-0x0000000000400000-0x0000000000456000-memory.dmp  upx
    behavioral2/memory/5060-38-0x0000000000400000-0x0000000000456000-memory.dmp  upx
    behavioral2/memory/3740-47-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral2/memory/3116-48-0x0000000000400000-0x0000000000414000-memory.dmp  upx
    behavioral2/memory/3116-42-0x0000000000400000-0x0000000000414000-memory.dmp  upx
    behavioral2/memory/3116-50-0x0000000000400000-0x0000000000414000-memory.dmp  upx
    behavioral2/memory/3116-52-0x0000000000400000-0x0000000000414000-memory.dmp  upx
    behavioral2/memory/3116-51-0x0000000000400000-0x0000000000414000-memory.dmp  upx
    behavioral2/memory/5060-55-0x0000000000400000-0x0000000000456000-memory.dmp  upx
    behavioral2/memory/3740-57-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral2/memory/3392-58-0x0000000000400000-0x000000000040B000-memory.dmp  upx
    behavioral2/memory/3116-59-0x0000000000400000-0x0000000000414000-memory.dmp  upx
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                        Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  reg.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrsll.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrsll.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csrsll.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
    description              pid   Process
    Token: SeDebugPrivilege  3392  csrsll.exe   (identical entry repeated 64 times)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
    pid   Process
    460   3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
    3740  3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe
    5060  csrsll.exe
    3392  csrsll.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes:
    description                           pid   Process                                                                  procid_target  count
    PID 460 wrote to memory of 3740       460   3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe  83             8
    PID 3740 wrote to memory of 4160      3740  3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe  84             3
    PID 4160 wrote to memory of 2340      4160  cmd.exe                                                                  87             3
    PID 3740 wrote to memory of 5060      3740  3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe  90             3
    PID 5060 wrote to memory of 3392      5060  csrsll.exe                                                               91             8
    PID 5060 wrote to memory of 3116      5060  csrsll.exe                                                               92             8
Processes
- C:\Users\Admin\AppData\Local\Temp\3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe (PID 460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe (PID 3740)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a2185fff1ea40d2eb980e084a42872a47668cdf18fd50d94a9e46a3bbce72b4.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4160)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WCUYT.bat" "
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2340)
        Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Win Pdf" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (PID 5060)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (PID 3392)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe (PID 3116)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\csrsll.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 145B
  MD5: 4eb61ec7816c34ec8c125acadc57ec1b
  SHA1: b0015cc865c0bb1a027be663027d3829401a31cc
  SHA256: 08375cdb2e9819391f67f71e9718c15b48d3eaa452c54bd8fdd1f6a42e899aff
  SHA512: f289f01d996dd643560370be8cdf8894e9a676ca3813f706c01ef5d705b9b18246c6cadf10d96edd433a616637b8a78fbd23c5738e76f1c4e671977b6d0cb6c1
- Filesize: 94KB
  MD5: 3b6fe98dd1bea6cef5382cc7fc50e1da
  SHA1: f5b13952d2dfdffb7823944916717b0b2484878e
  SHA256: 3491839ef7823e09922c233614371462218d745842cc9e8d8cfce13e6fae37d7
  SHA512: f1a884ce906f6421dbb9d5f96f502301f53fedb61a930f396528298c73ab55abd2c10cacd426a48bfb5d91505930e1a4d48083e4b80d55cab3150306243b9d20