Analysis
- max time kernel: 91s
- max time network: 111s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 08:13
Static task
- static1

Behavioral task
- behavioral1
  Sample: 48234a387e7777a7a284acb8f0bfef52.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
- behavioral2
  Sample: 48234a387e7777a7a284acb8f0bfef52.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds

The signatures and process tree below come from the windows10_x64 / win10v20201028 run summarized under Analysis above (behavioral2). The win7 task shows no recorded signatures or run time on this page.
General
- Target: 48234a387e7777a7a284acb8f0bfef52.exe
- Size: 637KB
- MD5: 48234a387e7777a7a284acb8f0bfef52
- SHA1: b34a895fe511e36af09231c1239577a565e380e6
- SHA256: 4a7f380de68e6969bcedffe6c7d5b01ac9ecd1f4df9f2bb79fb7fec94252e095
- SHA512: e3f7fefb4ba37baeea23603a9a4c48197efb54495741d613f8eddc58074f8cbe20658406c949fff510730eed8dc000cd61550b7b69e2c668cc43f6b2cb60e546
- Score: 10/10

The sample's file name is its own MD5; when pivoting to other sources, use the SHA256 above, since MD5 is not collision-resistant and is not a reliable identifier for a malware family.
Malware Config

Signatures
- ModiLoader, DBatLoader
  ModiLoader (also tracked as DBatLoader) is a Delphi loader that misuses cloud services to download other malicious families. This report contains no extracted malware configuration, so the second-stage payload and its download location are not identified here.
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description              pid   process       target process
    PID 1976 created 2764    1976  WerFault.exe  ieinstal.exe
  WerFault.exe (PID 1976) is the Windows Error Reporting handler launched for the crashed ieinstal.exe (PID 2764; see the -p 2764 argument in the process tree). The other-parent heuristic fires on WER's handling of the faulting process, so this entry is most likely a side effect of the crash rather than deliberate parent-PID spoofing by the sample.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                                   process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hgyoib = "C:\\Users\\Public\\Libraries\\bioygH.url"  48234a387e7777a7a284acb8f0bfef52.exe
  The persistence entry is a per-user (HKCU) Run value named Hgyoib whose payload is a .url Internet-shortcut in C:\Users\Public\Libraries, a location writable by every local user. At logon Windows opens the shortcut, and the shortcut's URL= target is what actually launches, so both the Run value and bioygH.url need to be collected and removed. On a suspected host, reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Hgyoib confirms the value.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    1976  2764        WerFault.exe  ieinstal.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                        pid   process                               target process
    PID 3920 wrote to memory of 2764   3920  48234a387e7777a7a284acb8f0bfef52.exe  ieinstal.exe
    (the same entry is recorded nine times)
  The sample (PID 3920) spawns the Microsoft-signed ieinstal.exe from Program Files (x86) and immediately writes into it nine times, which is consistent with injecting or hollowing a payload into a trusted host process. ieinstal.exe then crashes (WerFault, above), so the injected stage likely faulted in this environment and any later download activity was not observed in this run.
Processes
- C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe (level 1, PID 3920)
  command line: "C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\internet explorer\ieinstal.exe (level 2, PID 2764)
    command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - C:\Windows\SysWOW64\WerFault.exe (level 3, PID 1976)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 84
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
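Added example, not part of the sandbox report: a small Python correlation script that replays the behaviours recorded in the signature tables and process tree above (Run-key persistence via a .url shortcut, repeated WriteProcessMemory into a freshly spawned ieinstal.exe, and the WerFault crash of that child) as constructed events and flags them. The event dictionaries and their field names are this example's own convention, not a real sandbox export format; the PIDs, paths and registry value are taken from the report, and the sample's own parent PID (4000) is made up.

```python
import re
from collections import Counter

# Constructed sandbox-style events modelled on the report's IoC tables.
# The "type" values and field names are this example's convention, not a real export format.
SID = "S-1-5-21-1985363256-3005190890-1182679451-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\48234a387e7777a7a284acb8f0bfef52.exe"
EVENTS = [
    {"type": "process_start", "pid": 3920, "ppid": 4000, "image": SAMPLE},  # ppid 4000 is assumed
    {"type": "process_start", "pid": 2764, "ppid": 3920,
     "image": r"C:\Program Files (x86)\internet explorer\ieinstal.exe"},
    {"type": "reg_set", "pid": 3920,
     "key": "\\REGISTRY\\USER\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Hgyoib",
     "value": r"C:\Users\Public\Libraries\bioygH.url"},
    # nine WriteProcessMemory calls from the sample into its child, as in the report
    *({"type": "write_process_memory", "pid": 3920, "target_pid": 2764} for _ in range(9)),
    {"type": "process_start", "pid": 1976, "ppid": 2764,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 84"},
]

# Run-key value name at the end of a HKCU/HKLM ...\CurrentVersion\Run path
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# "-p <pid>" is the faulting process handed to WerFault.exe
WER_PID_RE = re.compile(r"\s-p\s+(\d+)\b")


def image_name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_run_key_persistence(events):
    """Run-key values whose payload is a shortcut (.url/.lnk) or lives under C:\\Users\\Public."""
    hits = []
    for e in events:
        if e["type"] != "reg_set":
            continue
        m = RUN_KEY_RE.search(e["key"])
        if not m:
            continue
        val = e["value"].lower()
        if val.endswith((".url", ".lnk")) or val.startswith(r"c:\users\public"):
            hits.append({"pid": e["pid"], "name": m.group(1), "value": e["value"]})
    return hits


def find_child_injection(events, min_writes=3):
    """A process that repeatedly writes into a child it spawned from Windows or Program Files."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_start"}
    parents = {e["pid"]: e["ppid"] for e in events if e["type"] == "process_start"}
    writes = Counter((e["pid"], e["target_pid"])
                     for e in events if e["type"] == "write_process_memory")
    hits = []
    for (src, dst), n in writes.items():
        if n < min_writes or parents.get(dst) != src:
            continue
        dst_img = images.get(dst, "")
        if dst_img.lower().startswith((r"c:\windows", r"c:\program files")):
            hits.append({"source_pid": src, "target_pid": dst,
                         "target": image_name(dst_img), "writes": n})
    return hits


def find_crashed_processes(events):
    """PIDs for which WerFault.exe was launched (taken from its -p argument)."""
    crashed = set()
    for e in events:
        if e["type"] == "process_start" and image_name(e["image"]) == "werfault.exe":
            m = WER_PID_RE.search(e.get("cmdline", ""))
            if m:
                crashed.add(int(m.group(1)))
    return crashed


def triage(events):
    """Combine the three checks; an injected child that then crashes is the report's pattern."""
    injection = find_child_injection(events)
    crashed = find_crashed_processes(events)
    return {
        "persistence": find_run_key_persistence(events),
        "injection": injection,
        "injected_then_crashed": sorted(h["target_pid"] for h in injection
                                        if h["target_pid"] in crashed),
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

triage(EVENTS) returns the Hgyoib Run value, one injection finding (3920 into 2764, ieinstal.exe, nine writes) and 2764 as the injected process that subsequently crashed. The crash correlation matters for triage: it explains why no download or second-stage activity appears in this report without downgrading the verdict. Against host telemetry the only part that changes is the event mapping; Sysmon process creation (event 1), registry value set (event 13) and ProcessAccess (event 10, as a proxy for write access to the child) carry the same fields.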