Analysis
- max time kernel: 64s
- max time network: 58s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 16-05-2022 16:35
Static task: static1
Behavioral task: behavioral1
- Sample: 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
- Resource: win10v2004-20220414-en
General
- Target: 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
- Size: 833KB
- MD5: 8852e37e8b91c314b1f0a7cfb404baf4
- SHA1: 4dbcbeb9a4508f375fa445acfeb8cdc9de6d8391
- SHA256: 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731
- SHA512: 55b09dbfcccf48f3f11fb12b55842f236db5035ece1bd4f7e9a63b4924639e57d531f19eeeb05d8a927c197bb27bbd8fdce1118439437320b88d6bf011ecf198
Malware Config
Extracted
- Family: modiloader
- Download URL: https://cdn.discordapp.com/attachments/752128569169281083/759306068374847508/Stvd123
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that abuses legitimate cloud services to download other malicious families.
- ModiLoader First Stage (1 IoCs)
  Processes:
    resource: behavioral1/memory/924-56-0x00000000004E0000-0x000000000053C000-memory.dmp
    yara_rule: modiloader_stage1
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Program crash (1 IoCs)
  Processes:
    pid: 600
    pid_target: 924
    process: WerFault.exe
    target process: 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (4 identical entries):
    description: PID 924 wrote to memory of 600
    pid: 924
    process: 21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
    target process: WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\21b1a3fbb83c460c9282177e1402c2c68402dafd3b086fc40f231ac5cad88731.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 732
    - Program crash