Analysis

max time kernel: 97s
max time network: 145s
platform: windows10_x64
resource: win10v20210410
submitted: 23-08-2021 06:11
Static task: static1

Behavioral task: behavioral1
Sample: 290321 de bon de commande,pdf.exe
Resource: win7v20210408 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 290321 de bon de commande,pdf.exe
Resource: win10v20210410 (windows10_x64)
0 signatures, 0 seconds
General

Target: 290321 de bon de commande,pdf.exe
Size: 689KB
MD5: efa94719f0d14b3f8f330e5c7949dd2f
SHA1: 6232070998c6d992941b4a5be9008efaf4af2370
SHA256: 98f868900b27ba82ac18f919dc551ea15dc310813eb1538ebf2d0ab3afaa8328
SHA512: 084f16cb4697e46744442c482c40a79f67262b2887087f3d21994aa24106d843ff7f4ecedfd4296e2922ccbcdfddb029a3130c6c493dfb1aa5b843e84f56acca
Score: 10/10
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses legitimate cloud/file-hosting services to download and stage other malware families. In this run the loader persists through a Run key and writes into a child ieinstal.exe process, as detailed in the signature entries below.
Adds Run key to start application (2 TTPs, 1 IoC)

Process: 290321 de bon de commande,pdf.exe
Action: Set value (str)
Key: \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nudxspy
Data (as displayed by the sandbox, backslashes doubled): "C:\\Users\\Public\\Libraries\\ypsxduN.url"
Resolved path: C:\Users\Public\Libraries\ypsxduN.url

The \REGISTRY\USER\<SID> prefix is the HKCU hive of the analysis user, so this is a per-user Run entry. Note that the value name Nudxspy is the file stem ypsxduN spelled backwards, and that the autostart target is a .url shortcut dropped in the world-readable C:\Users\Public\Libraries directory rather than an executable.
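The Run-key IoC above can be screened automatically. The following is an added example (not part of the sandbox report); the record is constructed from the single IoC line on this page, and the three heuristics it applies (autostart target is a .url file, target lives under C:\Users\Public\Libraries, value name equals the reversed file stem) are this example's own choices, not an official rule set.

```python
import ntpath
import re

# Constructed from the report's Run-key IoC line (sandbox renders REG_SZ data
# quoted with doubled backslashes).
SAMPLE_IOC = {
    "process": "290321 de bon de commande,pdf.exe",
    "key": (r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\Nudxspy"),
    "data": r'"C:\\Users\\Public\\Libraries\\ypsxduN.url"',
}

# Constructed benign entry for comparison (hypothetical, not from the report).
BENIGN_IOC = {
    "process": "OneDriveSetup.exe",
    "key": (r"\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    "data": r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"',
}

# Matches ...\CurrentVersion\Run\<value> and ...\RunOnce\<value>; group 2 is the value name.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.IGNORECASE)
PUBLIC_LIBRARIES = r"c:\users\public\libraries"


def normalize_data(data: str) -> str:
    """Strip the sandbox's surrounding quotes and collapse doubled backslashes."""
    value = data.strip().strip('"')
    return value.replace("\\\\", "\\")


def analyze_run_value(ioc: dict) -> dict:
    """Return the parsed Run value plus a list of human-readable reasons it looks suspicious."""
    m = RUN_KEY_RE.search(ioc["key"])
    if not m:
        return {"is_run_key": False, "reasons": []}
    value_name = m.group(2)
    path = normalize_data(ioc["data"])
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if ext.lower() == ".url":
        reasons.append("autostart target is a .url shortcut rather than an executable")
    if ntpath.dirname(path).lower() == PUBLIC_LIBRARIES:
        reasons.append("target lives in C:\\Users\\Public\\Libraries, writable by every local user")
    if value_name.lower() == stem[::-1].lower():
        reasons.append(f"value name {value_name!r} is the file stem {stem!r} reversed")
    return {"is_run_key": True, "value_name": value_name, "path": path, "reasons": reasons}


if __name__ == "__main__":
    for ioc in (SAMPLE_IOC, BENIGN_IOC):
        result = analyze_run_value(ioc)
        print(result["value_name"], "->", result["path"])
        for reason in result["reasons"]:
            print("  !", reason)
```

The reversed-name test is deliberately case-insensitive because the sandbox shows the value name with a capital initial (Nudxspy) while the file stem ends in a capital (ypsxduN); an exact comparison would miss exactly the pattern seen here.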
Suspicious use of WriteProcessMemory (15 IoCs)

Source PID: 784 (290321 de bon de commande,pdf.exe)
Target PID: 1476 (ieinstal.exe)
Events: 15 entries, all identical: "PID 784 wrote to memory of 1476" (290321 de bon de commande,pdf.exe -> ieinstal.exe)
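Fifteen identical cross-process writes from a file in %TEMP% into a binary under Program Files is the shape of a process-injection alert, and a detection should collapse them into one finding with a count rather than fifteen rows. The following is an added example (not part of the sandbox report): the process list and the event records are constructed from this page, and the "trusted target / user-writable source" path classes are this example's own heuristic, not a sandbox rule.

```python
from collections import Counter

# Constructed from this page: PID -> image path from the Processes section,
# and the 15 identical "PID 784 wrote to memory of 1476" entries as records.
PROCESSES = {
    784: r"C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe",
    1476: r"C:\Program Files (x86)\internet explorer\ieinstal.exe",
}
EVENTS = [{"api": "WriteProcessMemory", "pid": 784, "target": 1476}] * 15

# Heuristic path classes (this example's own choices, lower-cased for comparison).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\downloads\\")


def summarize_cross_process_writes(events, processes):
    """Collapse WriteProcessMemory events into one alert per (source, target) pair.

    Each alert carries the event count, both image paths, risk notes and a
    severity derived from how many notes fired.
    """
    pairs = Counter(
        (e["pid"], e["target"])
        for e in events
        if e["api"] == "WriteProcessMemory" and e["pid"] != e["target"]
    )
    alerts = []
    for (src, dst), count in sorted(pairs.items()):
        src_img = processes.get(src, "").lower()
        dst_img = processes.get(dst, "").lower()
        notes = []
        if any(marker in src_img for marker in USER_WRITABLE_MARKERS):
            notes.append("source image runs from a user-writable directory")
        if dst_img.startswith(TRUSTED_PREFIXES):
            notes.append("target is a binary installed under Windows or Program Files")
        alerts.append({
            "source": src, "source_image": processes.get(src),
            "target": dst, "target_image": processes.get(dst),
            "count": count, "notes": notes,
            "severity": "high" if len(notes) == 2 else ("medium" if notes else "low"),
        })
    return alerts


if __name__ == "__main__":
    for alert in summarize_cross_process_writes(EVENTS, PROCESSES):
        print(f"[{alert['severity']}] PID {alert['source']} -> PID {alert['target']} "
              f"x{alert['count']}: {alert['source_image']} -> {alert['target_image']}")
        for note in alert["notes"]:
            print("   -", note)
```

The same-PID filter matters when consuming real sandbox or EDR telemetry, where a process writing to its own memory through the API is noise; only writes that cross a process boundary are counted.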
Processes

1. C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe (PID 784)
   Command line: "C:\Users\Admin\AppData\Local\Temp\290321 de bon de commande,pdf.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\internet explorer\ieinstal.exe (PID 1476, child of 1)
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
Memory dumps are named <pid>-<index>-<start>-<end>-memory.dmp; the mapping.dmp entry for PID 1476 has no size listed.

File                                                              Size
memory/784-114-0x0000000000610000-0x0000000000611000-memory.dmp   4KB
memory/1476-115-0x0000000000000000-mapping.dmp                    -
memory/1476-116-0x0000000000E70000-0x0000000000E71000-memory.dmp  4KB
memory/1476-117-0x0000000000ED0000-0x0000000000ED1000-memory.dmp  4KB
memory/1476-118-0x0000000010550000-0x0000000010586000-memory.dmp  216KB
memory/1476-119-0x0000000000BB0000-0x0000000000BB1000-memory.dmp  4KB
memory/1476-120-0x0000000000400000-0x0000000000434000-memory.dmp  208KB
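When triaging such a listing, the dumps taken from the written-to process (PID 1476) are the ones most likely to hold the injected payload, and the two large regions are where to start. The following is an added example (not part of the sandbox report): the file names and sizes are copied from this page, the <pid>-<index>-<start>-<end> naming scheme is inferred from those names, and the note about 0x00400000 relies only on it being the default link-time image base of 32-bit PE executables.

```python
import re

# Constructed from the Downloads listing on this page: (file name, reported size).
DUMPS = [
    ("memory/784-114-0x0000000000610000-0x0000000000611000-memory.dmp", "4KB"),
    ("memory/1476-115-0x0000000000000000-mapping.dmp", None),
    ("memory/1476-116-0x0000000000E70000-0x0000000000E71000-memory.dmp", "4KB"),
    ("memory/1476-117-0x0000000000ED0000-0x0000000000ED1000-memory.dmp", "4KB"),
    ("memory/1476-118-0x0000000010550000-0x0000000010586000-memory.dmp", "216KB"),
    ("memory/1476-119-0x0000000000BB0000-0x0000000000BB1000-memory.dmp", "4KB"),
    ("memory/1476-120-0x0000000000400000-0x0000000000434000-memory.dmp", "208KB"),
]

# Naming scheme inferred from the listing above (an assumption of this example).
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
DEFAULT_IMAGE_BASE_32 = 0x00400000  # default link-time image base of 32-bit PE .exe files


def parse_dump_name(name):
    """Return pid/index/start/end/size for a region dump, or None for mapping dumps."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def reported_size_bytes(text):
    """'216KB' -> 221184; only KB and MB suffixes are handled."""
    m = re.fullmatch(r"(\d+)(KB|MB)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m.group(1)) * (1024 if m.group(2) == "KB" else 1024 * 1024)


def check_sizes(dumps):
    """Return the names whose reported size does not equal end - start."""
    mismatches = []
    for name, size_text in dumps:
        entry = parse_dump_name(name)
        if entry is None or size_text is None:
            continue
        if reported_size_bytes(size_text) != entry["size"]:
            mismatches.append(name)
    return mismatches


def triage_regions(dumps, target_pid):
    """Regions dumped from target_pid, largest first, annotated if at the 32-bit default image base."""
    regions = [e for e in (parse_dump_name(n) for n, _ in dumps)
               if e is not None and e["pid"] == target_pid]
    regions.sort(key=lambda e: e["size"], reverse=True)  # stable: ties keep listing order
    for e in regions:
        e["note"] = ("region starts at 0x00400000, the default 32-bit PE image base; "
                     "check whether the mapped image still matches ieinstal.exe on disk"
                     if e["start"] == DEFAULT_IMAGE_BASE_32 else "")
    return regions


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS) or "none")
    for e in triage_regions(DUMPS, 1476):
        print(f"idx {e['index']}: 0x{e['start']:08X}-0x{e['end']:08X} "
              f"{e['size'] // 1024}KB {e['note']}")
```

The size check is worth keeping: on this listing every reported size equals the address range (0x36000 bytes is exactly 216KB, 0x34000 is 208KB), so a mismatch on another report would indicate a truncated or partially written dump rather than a quirk of the naming.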