Overview

Tasks listed in the report sidebar (sample names truncated as displayed; the full names are in the Behavioral task list below):

Score  Sample (as displayed)   Platform
10     Static                  -
10     Vk brute b...us.exe     windows7-x64
10     Vk brute b...us.exe     windows10-2004-x64
10     Vk brute b...us.exe     windows7-x64
10     Vk brute b...us.exe     windows10-2004-x64
10     Vk brute b...32.dll     windows7-x64
3      Vk brute b...32.dll     windows10-2004-x64
3      Vk brute b...71.dll     windows7-x64
3      Vk brute b...71.dll     windows10-2004-x64
3      Vk brute b...32.dll     windows7-x64
3      Vk brute b...32.dll     windows10-2004-x64
3      Vk brute b...y].exe     windows7-x64
10     Vk brute b...y].exe     windows10-2004-x64
Analysis (score 10)

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2025 23:34
Behavioral tasks (task: sample, resource)

behavioral1: Vk brute by Andrey/VK Brut by_andrey52rus.exe, win7-20240903-en
behavioral2: Vk brute by Andrey/VK Brut by_andrey52rus.exe, win10v2004-20241007-en
behavioral3: Vk brute by Andrey/VK Brut by_den52rus.exe, win7-20241023-en
behavioral4: Vk brute by Andrey/VK Brut by_den52rus.exe, win10v2004-20241007-en
behavioral5: Vk brute by Andrey/libeay32.dll, win7-20241010-en
behavioral6: Vk brute by Andrey/libeay32.dll, win10v2004-20241007-en
behavioral7: Vk brute by Andrey/msvcr71.dll, win7-20240903-en
behavioral8: Vk brute by Andrey/msvcr71.dll, win10v2004-20241007-en
behavioral9: Vk brute by Andrey/ssleay32.dll, win7-20240903-en
behavioral10: Vk brute by Andrey/ssleay32.dll, win10v2004-20241007-en
behavioral11: Vk brute by Andrey/vk_brut [By Andrey].exe, win7-20241023-en
behavioral12: Vk brute by Andrey/vk_brut [By Andrey].exe, win10v2004-20241007-en
General

Target: Vk brute by Andrey/vk_brut [By Andrey].exe
Size: 397KB
MD5: 92ba33c3dc55feb3526d3e9188f6d885
SHA1: 7ea311bf86af94a7a85258b110e7763bf1359b51
SHA256: 9119dbe59099d0af235897f4e2d117f7502cecbcaa132036894ed2036dba67c1
SHA512: 2191cd09ab1536d80e63d81cb4d53f64f9f1cd655006dfa85b94fae1768ce93653d406b8c76a6771f9e91d3f1e8dcb11c8f81ebdf0916629e2c451791a53dde4
SSDEEP: 6144:cLy84u9nSO2GjZkD10BIY3rb1YfBdfpoZ3u/Ht52w6JSeiFPX6PP:I+u9nx2GjMY3XKfd/H/9PMP
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

ModiLoader Second Stage (1 IoC)
resource: behavioral12/memory/744-1-0x0000000000400000-0x000000000046A000-memory.dmp
yara_rule: modiloader_stage2

The rule fired on a memory dump of PID 744 covering 0x400000-0x46A000, i.e. the in-memory image of the running process rather than the file on disk, so the stage-2 indicators may not be visible to a static scan of the 397KB executable.
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
Key deleted, all by vk_brut [By Andrey].exe:
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power
- \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys

The SafeBoot\Minimal subkeys are the allow-list of services and drivers Windows loads in Safe Mode; removing entries such as ProfSvc and UserManager keeps those components from starting in a safe boot, which is the usual aim of this technique: making Safe Mode unusable for cleanup.
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) by vk_brut [By Andrey].exe:
\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vk_brut [By Andrey].exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Vk brute by Andrey\\vk_brut [By Andrey].exe"

The value lives in the user hive and points back at the sample's own location under AppData\Local\Temp, so it re-launches the sample at each logon of this user. An auto-start entry whose target sits in a user-writable temp directory is a high-signal indicator on its own.
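Detection logic for the two registry IoCs above (SafeBoot\Minimal key deletion and a Run value launching from a temp directory), as an added example that is not part of the Triage report. It runs over constructed Sysmon-style registry events: the field names follow Sysmon's RegistryEvent schema (EventID 12 for key create/delete, 13 for value set, with Image, TargetObject, EventType and Details), but the records themselves are made up here, shaped on the IoCs listed, plus two benign events the logic must not flag.

```python
import re
from dataclasses import dataclass

# Constructed sample data (not the report's raw event log).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Vk brute by Andrey\vk_brut [By Andrey].exe"
SID = "S-1-5-21-1045960512-3948844814-3059691613-1000"
RUN_KEY_PATH = "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    # shaped on the report's IoCs
    {"EventID": 12, "EventType": "DeleteKey", "Image": SAMPLE,
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": SAMPLE,
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys"},
    {"EventID": 13, "EventType": "SetValue", "Image": SAMPLE,
     "TargetObject": RUN_KEY_PATH + r"\vk_brut [By Andrey].exe",
     "Details": '"' + SAMPLE + '"'},
    # benign: an installer registering an auto-start from Program Files
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe",
     "TargetObject": RUN_KEY_PATH + r"\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    # benign: a SafeBoot key being created, not deleted
    {"EventID": 12, "EventType": "CreateKey",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SomeSvc"},
]

SAFEBOOT_KEY = re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an auto-start entry should not normally launch from (lower-case).
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK ID plus the name Triage uses for the signature
    process: str
    target: str


def launch_path(details):
    """Return the executable from a Run value: "quoted path" [args] or bare path [args]."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details[1:]
    # Unquoted path that may contain spaces: cut after the first ".exe" token.
    m = re.match(r"(.+?\.exe)(\s|$)", details, re.IGNORECASE)
    return m.group(1) if m else details.split(" ", 1)[0]


def detect(events):
    """Flag SafeBoot allow-list deletions and Run values that launch from temp dirs."""
    findings = []
    for ev in events:
        target = ev.get("TargetObject", "")
        image = ev.get("Image", "")
        if ev["EventID"] == 12 and ev.get("EventType") == "DeleteKey" and SAFEBOOT_KEY.search(target):
            findings.append(Finding("T1562.009 Impair Defenses: Safe Mode Boot", image, target))
        elif ev["EventID"] == 13 and RUN_KEY_RE.search(target):
            path = launch_path(ev.get("Details", "")).lower()
            if any(d in path for d in USER_WRITABLE_DIRS):
                findings.append(Finding("T1547.001 Registry Run Keys", image, target))
    return findings


def summarize(findings):
    """Count IoCs per (technique, process), the way the report's signature headers do."""
    counts = {}
    for f in findings:
        key = (f.technique, f.process)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.technique, "|", f.process, "|", f.target)
    print(summarize(detect(SAMPLE_EVENTS)))
```

The SafeBoot check keys on deletion only: creations and modifications of that allow-list happen legitimately during servicing and driver installs, while a process removing entries is rare outside of this technique. The Run-key check deliberately ignores the key name (the sample used its own file name) and looks only at where the launched binary lives.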
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened by vk_brut [By Andrey].exe:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries are the same process: pid 744, vk_brut [By Andrey].exe.
Suspicious use of AdjustPrivilegeToken (4 IoCs)
pid 2052, explorer.exe:
- Token: SeShutdownPrivilege
- Token: SeCreatePagefilePrivilege
- Token: SeShutdownPrivilege
- Token: SeCreatePagefilePrivilege

explorer.exe is not a child of the sample in the process tree below (both run at the top level), so these token adjustments are the shell's own routine activity rather than behaviour attributable to vk_brut [By Andrey].exe.
Processes

C:\Users\Admin\AppData\Local\Temp\Vk brute by Andrey\vk_brut [By Andrey].exe (PID 744)
  command line: "C:\Users\Admin\AppData\Local\Temp\Vk brute by Andrey\vk_brut [By Andrey].exe"
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\explorer.exe (PID 2052)
  command line: explorer.exe
  - Suspicious use of AdjustPrivilegeToken

Both processes are at the top level of the tree; the report shows no parent-child relationship between them and no child processes spawned by the sample.