Analysis
- max time kernel: 146s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 08:13
Static task: static1
Behavioral task: behavioral1
- Sample: 48234a387e7777a7a284acb8f0bfef52.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 48234a387e7777a7a284acb8f0bfef52.exe
- Resource: win10v20201028
General
- Target: 48234a387e7777a7a284acb8f0bfef52.exe
- Size: 637KB
- MD5: 48234a387e7777a7a284acb8f0bfef52
- SHA1: b34a895fe511e36af09231c1239577a565e380e6
- SHA256: 4a7f380de68e6969bcedffe6c7d5b01ac9ecd1f4df9f2bb79fb7fec94252e095
- SHA512: e3f7fefb4ba37baeea23603a9a4c48197efb54495741d613f8eddc58074f8cbe20658406c949fff510730eed8dc000cd61550b7b69e2c668cc43f6b2cb60e546
Malware Config
Extracted
- Family: remcos
- C2: alukoren.duckdns.org:9144
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hgyoib = "C:\\Users\\Public\\Libraries\\bioygH.url" | 48234a387e7777a7a284acb8f0bfef52.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes:
  description | pid | process | target process
  PID 1604 wrote to memory of 1456 | 1604 | 48234a387e7777a7a284acb8f0bfef52.exe | ieinstal.exe
  (the same event is recorded 19 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe
    command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1456-66-0x0000000000000000-mapping.dmp
- memory/1456-68-0x00000000000D0000-0x00000000000D1000-memory.dmp (4KB)
- memory/1456-70-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/1456-71-0x0000000010590000-0x000000001060C000-memory.dmp (496KB)
- memory/1456-72-0x0000000000400000-0x0000000000479000-memory.dmp (484KB)
- memory/1456-73-0x0000000000090000-0x0000000000091000-memory.dmp (4KB)
- memory/1604-60-0x0000000076341000-0x0000000076343000-memory.dmp (8KB)
- memory/1604-61-0x0000000000230000-0x0000000000231000-memory.dmp (4KB)
- memory/1604-63-0x0000000000900000-0x000000000091A000-memory.dmp (104KB)