Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 14:21
Static task: static1
Behavioral task: behavioral1
Sample: Recycled.scr
Resource: win7-20240708-en
General
Target: Recycled.scr
Size: 2.7MB
MD5: 9b48981c56a3b8f6cffc0477c7543f41
SHA1: 2ca465a582bfe5d3880c74bd93e8ff8db7a62c17
SHA256: 28b14700d77c28f992ae6490f9736587d82b365956618e91a0a9e4bb675a1491
SHA512: 837d006b4190c746a52b7cf7c66e785941a4c25dea8a2f952424d31ddd663a1a7cfbb1b278448f064859cfbf2bb0c3aaffa4cf1e2a720e30fde775221387ba17
SSDEEP: 49152:Mq8baVBRf0cz64DUxOruWwxWjjUNShc3TGoVfiMX+GX6oMpS3:Mq8+VBt0kHg0lINL3aoV2GXWp
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/2200-3-0x0000000000400000-0x00000000009B4000-memory.dmp | modiloader_stage2
behavioral1/memory/2200-7-0x0000000000400000-0x00000000009B4000-memory.dmp | modiloader_stage2
behavioral1/memory/2200-5-0x0000000000400000-0x00000000009B4000-memory.dmp | modiloader_stage2
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Recycled.scr

Identifies Wine through registry keys (2 TTPs, 1 IoCs)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Wine | Recycled.scr

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Recycled.scr

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
2200 | Recycled.scr

Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File created | C:\PROGRA~1\COMMON~1\MICROS~1\MSInfo\2010.txt | Recycled.scr

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Recycled.scr

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | Process
2200 | Recycled.scr

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2200 wrote to memory of 2808 | 2200 | Recycled.scr | 30
PID 2200 wrote to memory of 2808 | 2200 | Recycled.scr | 30
PID 2200 wrote to memory of 2808 | 2200 | Recycled.scr | 30
PID 2200 wrote to memory of 2808 | 2200 | Recycled.scr | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\Recycled.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\Recycled.scr" /S
   PID: 2200
   - Checks BIOS information in registry
   - Identifies Wine through registry keys
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\program files\internet explorer\IEXPLORE.EXE (child of PID 2200)
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      PID: 2808