Analysis

max time kernel:  148s
max time network: 151s
platform:         windows10_x64
resource:         win10v200430
submitted:        09-07-2020 14:37
Static task: static1

Behavioral task: behavioral1
  Sample:     MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
  Resource:   win7
  Platform:   windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:     MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
  Resource:   win10v200430
  Platform:   windows10_x64
  0 signatures, 0 seconds
General

Target:  MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
Size:    546KB
MD5:     72ae4f1b35063e90001879c372dca306
SHA1:    1faf15f94b33ca63af933418205ef1b304dcbe94
SHA256:  a030c2bf64a9ee2737aca5e34c9c89fa34c16ed61b16af1f0b9a8455fd6f4b1f
SHA512:  37c168868e29d4120883d63bc70cfea591bafa10bbb74d209aaeb28ef98ea21b82b64dfe76679a870d1b41c804eaf6c5495397ea6cfc5023b3a33cf7a6885376
Score:   10/10
Malware Config
Signatures
ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description:  Set value (str)
    ioc:          \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Npwt = "C:\\Users\\Admin\\AppData\\Local\\Npwt\\Npwt.hta"
    process:      MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    description:     PID 3692 wrote to memory of 1004
    pid:             3692
    process:         MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
    target process:  ieinstal.exe
  (the same entry is recorded 15 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MORCOS OC CVE6535 _TVOP-MIO 10(C) 2020,pdf.exe"
   PID: 3692
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      PID: 1004