Analysis
- max time kernel: 27s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-03-2021 17:03

Static task: static1

Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: file.exe
- Size: 748KB
- MD5: 0cac39b068b68966a00bc3739dd40653
- SHA1: a1d7852b2287bc05e899e0d837d27452af4fe76f
- SHA256: deabb312ade9d16c64ea491e5cf9477e1b98f2c5cda72ab2cb1b8b75af558d31
- SHA512: ac110c2d46b93a69bc335f8cc9e043e616b2e4e4dcddaf083f78ab3dc4aa00f70db9a399f601e6477566f09e1cb9da942203754675dbcdbd87c42349584d0671

Score: 10/10
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description: Set value (str) | ioc: \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dlfpsb = "C:\\Users\\Public\\Libraries\\bspflD.url" | process: file.exe
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header | flow: 4 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  description: HTTP User-Agent header | flow: 6 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  description: PID 792 wrote to memory of 896 | pid: 792 | process: file.exe | target process: ieinstal.exe (the same event is recorded 19 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (command line: "C:\Users\Admin\AppData\Local\Temp\file.exe")
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files (x86)\internet explorer\ieinstal.exe (command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/792-2-0x00000000003B0000-0x00000000003B1000-memory.dmp (Filesize: 4KB)
- memory/896-5-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize: 4KB)
- memory/896-3-0x0000000000090000-0x0000000000091000-memory.dmp (Filesize: 4KB)
- memory/896-4-0x0000000000000000-mapping.dmp
- memory/896-7-0x0000000000180000-0x0000000000181000-memory.dmp (Filesize: 4KB)
- memory/896-8-0x0000000076861000-0x0000000076863000-memory.dmp (Filesize: 8KB)
- memory/896-13-0x0000000010550000-0x0000000010586000-memory.dmp (Filesize: 216KB)
- memory/896-14-0x0000000000400000-0x0000000000434000-memory.dmp (Filesize: 208KB)