Analysis
max time kernel: 171s
max time network: 190s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 03:15
Behavioral task behavioral1
Sample: 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe
Resource: win10v2004-20220812-en
General
Target: 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe
Size: 98KB
MD5: 3a82a74b9dd1213f67eb69561a7608c6
SHA1: 697d9755157797d44472000d1cdafcd458f7895e
SHA256: 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f
SHA512: 4ee3cfac47648337ddd135f6c77e33c99c77cd76fa1709ff52d43d5c6b545141d6eefe6cc70a8fd679fefeacf33a033883f5e19c697a0cb78fd2d2af1ea52a6a
SSDEEP: 3072:l3quZotQEM0PN6HPEGvDYeSv2xR7RTwSeKVzMKv:9CtQEMTXYnv2xReSeKlMK
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (2 IoCs)
resource | yara_rule
behavioral2/memory/5012-135-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
behavioral2/memory/4696-137-0x0000000000010000-0x0000000000036000-memory.dmp | modiloader_stage2
Executes dropped EXE (1 IoC)
pid | process
4696 | apocalyps32.exe
yara rule upx (UPX-packed) (4 IoCs)
resource | yara_rule
C:\Windows\apocalyps32.exe | upx
C:\Windows\apocalyps32.exe | upx
behavioral2/memory/5012-135-0x0000000000010000-0x0000000000036000-memory.dmp | upx
behavioral2/memory/4696-137-0x0000000000010000-0x0000000000036000-memory.dmp | upx
Drops file in Windows directory (3 IoCs)
description | ioc | process
File created | C:\Windows\apocalyps32.exe | 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe
File opened for modification | C:\Windows\apocalyps32.exe | 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe
File created | C:\Windows\apocalyps32.exe | apocalyps32.exe
Suspicious use of WriteProcessMemory (5 IoCs)
description | pid | process | target process
PID 5012 wrote to memory of 4696 | 5012 | 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe | apocalyps32.exe
PID 5012 wrote to memory of 4696 | 5012 | 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe | apocalyps32.exe
PID 5012 wrote to memory of 4696 | 5012 | 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe | apocalyps32.exe
PID 4696 wrote to memory of 4600 | 4696 | apocalyps32.exe | msedge.exe
PID 4696 wrote to memory of 4600 | 4696 | apocalyps32.exe | msedge.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\apocalyps32.exe
      command line: -bs
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: -bs
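The process tree and the signature tables above describe one chain: the sample running from %TEMP% copies itself to C:\Windows\apocalyps32.exe (the Downloads section shows the dropped file carries the sample's own hashes), launches the copy with "-bs", and the copy then writes into the memory of msedge.exe. The script below is an added example, not part of the sandbox report or of any ModiLoader tooling: it replays that chain over constructed Sysmon-style events (Event ID 1 ProcessCreate, 11 FileCreate, 10 ProcessAccess) and emits one alert per stage. PIDs and paths are taken from the report; the GrantedAccess masks, the parent PID 3000 and the two benign control events are assumptions made for the example.

```python
"""
Added example (not from the sandbox report): detect the drop -> execute ->
browser memory write chain over constructed Sysmon-style events.

Stages, as recorded in the report above:
  1. a process running from a user-writable staging directory (%TEMP%)
     writes an .exe under C:\Windows (the sample's self-copy);
  2. that dropped .exe is executed (here with the argument "-bs");
  3. the dropped .exe opens a browser process with rights sufficient for
     WriteProcessMemory, which Sysmon surfaces as Event ID 10.
"""
import ntpath

SAMPLE = "9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
DROPPED = "C:\\Windows\\apocalyps32.exe"
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"

# WriteProcessMemory needs both of these rights on the target handle.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

# Constructed events modelled on the report's process tree (PIDs 5012, 4696,
# 4600 are the report's; parent PID 3000 and GrantedAccess values are assumed).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5012, "ParentProcessId": 3000,
     "Image": TEMP + SAMPLE, "CommandLine": f'"{TEMP + SAMPLE}"'},
    {"EventID": 11, "ProcessId": 5012, "Image": TEMP + SAMPLE,
     "TargetFilename": DROPPED},
    {"EventID": 1, "ProcessId": 4696, "ParentProcessId": 5012,
     "Image": DROPPED, "CommandLine": DROPPED + " -bs"},
    {"EventID": 10, "SourceProcessId": 4696, "SourceImage": DROPPED,
     "TargetProcessId": 4600, "TargetImage": EDGE, "GrantedAccess": "0x1FFFFF"},
    # Benign control events (constructed): neither may produce an alert.
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 3000,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 10, "SourceProcessId": 7001, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetProcessId": 4600, "TargetImage": EDGE, "GrantedAccess": "0x1000"},
]


def can_write_memory(granted_access):
    """True when a Sysmon 10 GrantedAccess mask carries VM_OPERATION and VM_WRITE."""
    needed = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
    return (int(granted_access, 16) & needed) == needed


def detect_chain(events):
    """Walk events in order; return one (stage, detail) tuple per matched stage."""
    alerts = []
    dropped = {}  # lowercase path of an .exe dropped under C:\Windows -> dropper pid
    for ev in events:
        eid = ev["EventID"]
        if eid == 11:
            target, src = ev["TargetFilename"].lower(), ev["Image"].lower()
            if (target.startswith("c:\\windows\\") and target.endswith(".exe")
                    and any(d in src for d in STAGING_DIRS)):
                dropped[target] = ev["ProcessId"]
                alerts.append(("drop_to_windows",
                               f"pid {ev['ProcessId']} wrote {ev['TargetFilename']} from {ev['Image']}"))
        elif eid == 1:
            # Stage 2 only fires for an image we already saw being dropped.
            if ev["Image"].lower() in dropped:
                alerts.append(("dropped_exe_executed",
                               f"pid {ev['ProcessId']} ran {ev['CommandLine']} "
                               f"(parent pid {ev['ParentProcessId']})"))
        elif eid == 10:
            src = ev["SourceImage"].lower()
            target_name = ntpath.basename(ev["TargetImage"]).lower()
            if src in dropped and target_name in BROWSERS and can_write_memory(ev["GrantedAccess"]):
                alerts.append(("browser_memory_write",
                               f"pid {ev['SourceProcessId']} opened {ev['TargetImage']} "
                               f"(pid {ev['TargetProcessId']}) with VM_WRITE|VM_OPERATION"))
    return alerts


if __name__ == "__main__":
    for stage, detail in detect_chain(SAMPLE_EVENTS):
        print(f"[{stage}] {detail}")
```

Stages 2 and 3 are keyed on the path recorded at stage 1, so a copy dropped before telemetry started is not caught; in production, seed `dropped` from file-creation history or fall back to flagging any C:\Windows binary that is unsigned and writes into a browser process. The GrantedAccess check is what separates a genuine write primitive from the many benign PROCESS_QUERY_LIMITED_INFORMATION opens on browser processes.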
Network
MITRE ATT&CK Matrix
Downloads
C:\Windows\apocalyps32.exe (listed twice in the report, both entries identical; the hashes match the submitted sample, so the loader copies itself unchanged into C:\Windows)
Filesize: 98KB
MD5: 3a82a74b9dd1213f67eb69561a7608c6
SHA1: 697d9755157797d44472000d1cdafcd458f7895e
SHA256: 9e0eb2f0e0da81ebe75996a3f5294f375ce15c84fc591b3497d2e73645b0de2f
SHA512: 4ee3cfac47648337ddd135f6c77e33c99c77cd76fa1709ff52d43d5c6b545141d6eefe6cc70a8fd679fefeacf33a033883f5e19c697a0cb78fd2d2af1ea52a6a
memory/4600-136-0x0000000000000000-mapping.dmp
memory/4696-132-0x0000000000000000-mapping.dmp
memory/4696-137-0x0000000000010000-0x0000000000036000-memory.dmp
Filesize: 152KB
memory/5012-135-0x0000000000010000-0x0000000000036000-memory.dmp
Filesize: 152KB