Analysis

max time kernel: 83s
max time network: 156s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 18:46
Static task
static1

Behavioral task
behavioral1
Sample: offer order.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds

Behavioral task
behavioral2
Sample: offer order.exe
Resource: win10v2004-20220414-en (windows10-2004_x64)
0 signatures, 0 seconds
General

Target: offer order.exe
Size: 1.7MB
MD5: 10419c97cde1aa8bad4e33279a15f7f8
SHA1: b2942c499632593cface5c1fd18c12105656bf75
SHA256: aa840ddac1cbded575db7d3ee2d1e3102fd1c35d0a709f42209543f9913e438f
SHA512: c77bc2ead1869aced4a8e2955317c5cf99bbb68e35d54ec4d8794a6794bf3dda3b24764c8ce21bddf9ff09372565f08e3191a2c46fcbbfaaf649fa5f47bab0bc
Score: 10/10
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader First Stage (1 IoC)
Processes:
resource: behavioral1/memory/1836-56-0x00000000003A0000-0x00000000003B0000-memory.dmp
yara_rule: modiloader_stage1

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Program crash (1 IoC)
Processes:
pid  pid_target  process       target process
428  1836        WerFault.exe  offer order.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                      pid   process          target process
PID 1836 wrote to memory of 428  1836  offer order.exe  WerFault.exe
PID 1836 wrote to memory of 428  1836  offer order.exe  WerFault.exe
PID 1836 wrote to memory of 428  1836  offer order.exe  WerFault.exe
PID 1836 wrote to memory of 428  1836  offer order.exe  WerFault.exe
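Two things in this report are worth checking by hand rather than taking the signature names at face value. The modiloader_stage1 YARA hit is on a 64 KiB private region (0x3A0000-0x3B0000) of PID 1836, which is the decrypted first stage, not the on-disk file. The four WriteProcessMemory events all go from PID 1836 into PID 428, and PID 428 is the WerFault.exe instance that reported the crash of PID 1836; writes from a crashing process into its own WerFault.exe are consistent with Windows Error Reporting's crash handling, so on this run the signature does not show injection into a third-party process. The script below is an added example (not part of the sandbox report or of any tool it uses): it parses the dump resource name into pid, index and address range, and labels each (source, target) write pair as crash-handling or as needing review. The event tuples are constructed from the rows above; the name and layout of the dump-file pattern are assumed from the one resource string on this page.

```python
import re
from collections import Counter

# Assumed layout of the dump resource name, taken from the single example on the page:
# <task>/memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<index>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a memory-dump resource name into task, pid, index, start/end VA and size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "index": int(m["index"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


# Constructed from the report's rows: (pid, process, target pid, target process).
CRASHES = [(428, "WerFault.exe", 1836, "offer order.exe")]
WRITES = [(1836, "offer order.exe", 428, "WerFault.exe")] * 4


def classify_writes(writes, crashes):
    """Group WriteProcessMemory events by (source, target) and label each group.

    A write from a crashed process into the WerFault.exe instance that reported
    its crash is labelled 'crash-handling'; any other target is labelled 'review'
    because it may be a real injection and needs a look at the written region.
    """
    # Map each WerFault.exe pid to the pid of the process whose crash it reported.
    reported_by = {
        pid: target for pid, name, target, _ in crashes if name.lower() == "werfault.exe"
    }
    results = []
    for (src, src_name, dst, dst_name), count in Counter(writes).items():
        crash_related = dst_name.lower() == "werfault.exe" and reported_by.get(dst) == src
        results.append({
            "source": (src, src_name),
            "target": (dst, dst_name),
            "count": count,
            "verdict": "crash-handling" if crash_related else "review",
        })
    return results


def summarise(dump_names, writes, crashes):
    """Parse every dump name and classify every write; returns (dumps, verdicts)."""
    dumps = [parse_dump_name(n) for n in dump_names]
    return dumps, classify_writes(writes, crashes)


if __name__ == "__main__":
    dumps, verdicts = summarise(
        ["behavioral1/memory/1836-56-0x00000000003A0000-0x00000000003B0000-memory.dmp"],
        WRITES,
        CRASHES,
    )
    for d in dumps:
        print(f"stage1 dump: pid {d['pid']} VA 0x{d['start']:X}-0x{d['end']:X} "
              f"({d['size'] // 1024} KiB, dump index {d['index']})")
    for v in verdicts:
        print(f"{v['source']} -> {v['target']} x{v['count']}: {v['verdict']}")
```

Run as-is it reports the one 64 KiB stage-1 dump for PID 1836 and a single crash-handling group of four writes. Add a write whose target is anything other than the WerFault.exe that handled the source's crash and that pair comes back as 'review', which is the case where pulling the target's memory dump and scanning it with the same YARA rule is worth the time.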