Analysis
max time kernel: 94s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2022 14:50
Behavioral task
behavioral1
Sample
bb679977c59acacdc404c2195721de2aa70c234780141e005bf91a59837fa82f.dll
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
bb679977c59acacdc404c2195721de2aa70c234780141e005bf91a59837fa82f.dll
Resource
win10v2004-20220812-en
General
Target: bb679977c59acacdc404c2195721de2aa70c234780141e005bf91a59837fa82f.dll
Size: 60KB
MD5: 1b988960df618c44ffdfa55d90fe9f9d
SHA1: 8ab976f59685db92803299767fbf56db0a02d9d1
SHA256: bb679977c59acacdc404c2195721de2aa70c234780141e005bf91a59837fa82f
SHA512: 546f7c4c6824a03772a1d56f62c358722a1688e48eaf7dd9a2bc6baa2b3624d4893919f7f4b878b6ac198f9e89f00b52770864a459c44b38b564a9cb26faf916
SSDEEP: 768:0C7IqdStQUw5CITcYgUAuLTnnzNppkIW:DEqYtQZ5CIPzNHk3
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3824-133-0x0000000000400000-0x000000000040F000-memory.dmp | modiloader_stage2
behavioral2/memory/3824-134-0x0000000000400000-0x000000000040F000-memory.dmp | modiloader_stage2

Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
1648 | 3824 | WerFault.exe | rundll32.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: rundll32.exe
pid | process
3824 | rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 5040 wrote to memory of 3824 | 5040 | rundll32.exe | rundll32.exe
PID 5040 wrote to memory of 3824 | 5040 | rundll32.exe | rundll32.exe
PID 5040 wrote to memory of 3824 | 5040 | rundll32.exe | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb679977c59acacdc404c2195721de2aa70c234780141e005bf91a59837fa82f.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb679977c59acacdc404c2195721de2aa70c234780141e005bf91a59837fa82f.dll,#1
      - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 632
          - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3824 -ip 3824