Analysis
- max time kernel: 21s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-03-2021 17:03
Static task
- static1

Behavioral task
- behavioral1
  Sample: file.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: file.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: file.exe
- Size: 748KB
- MD5: 0cac39b068b68966a00bc3739dd40653
- SHA1: a1d7852b2287bc05e899e0d837d27452af4fe76f
- SHA256: deabb312ade9d16c64ea491e5cf9477e1b98f2c5cda72ab2cb1b8b75af558d31
- SHA512: ac110c2d46b93a69bc335f8cc9e043e616b2e4e4dcddaf083f78ab3dc4aa00f70db9a399f601e6477566f09e1cb9da942203754675dbcdbd87c42349584d0671
- Score: 10/10
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dlfpsb = "C:\\Users\\Public\\Libraries\\bspflD.url"
    process: file.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (the same row is reported 15 times, one per IoC):
    description                       pid   process   target process   count
    PID 1192 wrote to memory of 2312  1192  file.exe  ieinstal.exe     15
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe (depth 2, spawned under file.exe)
    command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1192-2-0x00000000004D0000-0x00000000004D1000-memory.dmp (Filesize: 4KB)
- memory/2312-4-0x0000000000450000-0x0000000000451000-memory.dmp (Filesize: 4KB)
- memory/2312-5-0x0000000000000000-mapping.dmp
- memory/2312-6-0x0000000000510000-0x0000000000511000-memory.dmp (Filesize: 4KB)
- memory/2312-8-0x0000000000570000-0x0000000000571000-memory.dmp (Filesize: 4KB)
- memory/2312-12-0x0000000010550000-0x0000000010586000-memory.dmp (Filesize: 216KB)
- memory/2312-13-0x0000000000D00000-0x0000000000D34000-memory.dmp (Filesize: 208KB)
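The signature rows (the Run-key write and the 15 WriteProcessMemory IoCs) and the memory-dump names above are flat text. The following Python is an added example, not part of the sandbox report or of the sample, that parses those rows into structured indicators: the persistence entry with the properties that make it worth a look, the WriteProcessMemory rows collapsed into one source/target pair with a count, and each dump's size recomputed from its address range so it can be checked against the listed Filesize. The input strings are copied from this report and embedded inline as constructed input; the regular expressions, the helper names and the three suspicion heuristics are assumptions made for the example, not fields of the report.

```python
import re
from collections import Counter

# Constructed input: the IoC rows and dump names copied from the report above.
RUN_KEY_ROW = (
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\Dlfpsb = '
    r'"C:\\Users\\Public\\Libraries\\bspflD.url" file.exe'
)
WPM_ROWS = ['PID 1192 wrote to memory of 2312 1192 file.exe ieinstal.exe'] * 15
DUMP_NAMES = [
    'memory/1192-2-0x00000000004D0000-0x00000000004D1000-memory.dmp',
    'memory/2312-5-0x0000000000000000-mapping.dmp',
    'memory/2312-12-0x0000000010550000-0x0000000010586000-memory.dmp',
    'memory/2312-13-0x0000000000D00000-0x0000000000D34000-memory.dmp',
]

# Assumed row layouts (description / ioc / process; description / pid / process / target).
RUN_KEY_RE = re.compile(r'Set value \((\w+)\) (\\REGISTRY\\\S+?\\Run\\(\w+)) = "(.*?)" (\S+)$')
WPM_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')
DUMP_RE = re.compile(r'memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$')


def parse_run_key(row):
    """Return the Run-key persistence entry as a dict, or None if the row is something else."""
    m = RUN_KEY_RE.match(row)
    if not m:
        return None
    kind, key, name, data, proc = m.groups()
    data = data.replace('\\\\', '\\')  # the report escapes backslashes in value data
    reasons = []  # heuristics chosen for this example, derived from the row itself
    if key.startswith(r'\REGISTRY\USER\S-1-5-21-'):
        reasons.append('per-user Run key under HKU; needs no admin rights')
    if data.lower().startswith('c:\\users\\public\\libraries\\'):
        reasons.append('autostart target lives in C:\\Users\\Public\\Libraries')
    if data.lower().endswith('.url'):
        reasons.append('autostart target is a .url shortcut rather than an executable')
    return {'type': kind, 'key': key, 'value': name, 'data': data,
            'process': proc, 'reasons': reasons}


def aggregate_writes(rows):
    """Collapse repeated WriteProcessMemory rows into (src pid, src image, dst pid, dst image) -> count."""
    pairs = Counter()
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            src, dst, src_img, dst_img = m.groups()
            pairs[(int(src), src_img, int(dst), dst_img)] += 1
    return pairs


def injection_findings(pairs):
    """Keep only cross-image writes: one binary writing into another binary's process."""
    return [
        {'source': f'{src_img} ({src})', 'target': f'{dst_img} ({dst})', 'writes': n}
        for (src, src_img, dst, dst_img), n in pairs.items()
        if src_img != dst_img
    ]


def dump_size_kb(name):
    """Recompute a dump's size from its address range; mapping.dmp names carry no range."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m.group(2), 16), int(m.group(3), 16)
    return (end - start) // 1024


def summarize(run_key_row=RUN_KEY_ROW, wpm_rows=WPM_ROWS, dumps=DUMP_NAMES):
    """Bundle the three findings an analyst pulls from this kind of report."""
    return {
        'persistence': parse_run_key(run_key_row),
        'injection': injection_findings(aggregate_writes(wpm_rows)),
        'dumps_kb': {n: dump_size_kb(n) for n in dumps},
    }


if __name__ == '__main__':
    import json
    print(json.dumps(summarize(), indent=2))
```

The two largest regions in the summary (216KB and 208KB, both in pid 2312, the ieinstal.exe process that file.exe wrote into) are the dumps to open first when looking for the written-in code; the 4KB regions are single pages.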