Analysis
- max time kernel: 148s
- max time network: 157s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 11:14

Static task: static1

Behavioral task: behavioral1
- Sample: PI29081912419,pdf.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: PI29081912419,pdf.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: PI29081912419,pdf.exe
- Size: 1.5MB
- MD5: eb5b86aede1604b341d9196fc11c12df
- SHA1: 9f23656826a9f79625491476d86a4e3a6bcaf579
- SHA256: b201c180da5e6cb1d70ae9e5a67bba023192f0024c69498876a960c58ed01ffd
- SHA512: d0c0ea25c038d0a17aec15e79c7858b79d186cd04c65e0ff825b1fa3c6fa8e82bc5b8ba33cea40654381be98c2805dcad79bc94ed8d97b8492e5051f4c29f87e
- Score: 10/10
Malware Config

Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: PI29081912419,pdf.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Knme = "C:\\Users\\Admin\\AppData\\Local\\Knme\\Knme.hta"
  process: PI29081912419,pdf.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: PI29081912419,pdf.exe
  description: PID 1496 wrote to memory of 1384
  pid: 1496
  process: PI29081912419,pdf.exe
  target process: ieinstal.exe
  (the same entry is recorded 19 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\PI29081912419,pdf.exe "C:\Users\Admin\AppData\Local\Temp\PI29081912419,pdf.exe" (PID 1496)
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" (PID 1384)