Analysis

max time kernel: 44s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 17:41
Behavioral task: behavioral1
Sample: 9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
Resource: win10v2004-20220812-en
General

Target: 9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
Size: 152KB
MD5: e63a875caa7b47511cb52a5371c6aa43
SHA1: 6449af87ee80d02f629dc011cd83adbd4c48fc95
SHA256: 9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd
SHA512: 27ba7a9685c591862fad016a2a52c9b06415feafbea66bac8799168dd2f82a8da5183f48f5839aa67ffc6f9e3f483867f80a64a6af13a3eb0b9d20459954a726
SSDEEP: 3072:eLCnfucgnOOS2oKISOm7cn+egnbexRew6JiP0:e3nO6Os7cn+Pqqis
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/2028-55-0x0000000000010000-0x0000000000037000-memory.dmp   modiloader_stage2
behavioral1/memory/2028-57-0x0000000000010000-0x0000000000037000-memory.dmp   modiloader_stage2
behavioral1/memory/2012-59-0x0000000000010000-0x0000000000037000-memory.dmp   modiloader_stage2

Processes:
resource                                                                      yara_rule
behavioral1/memory/2028-55-0x0000000000010000-0x0000000000037000-memory.dmp   upx
behavioral1/memory/2028-57-0x0000000000010000-0x0000000000037000-memory.dmp   upx
behavioral1/memory/2012-59-0x0000000000010000-0x0000000000037000-memory.dmp   upx
Suspicious behavior: RenamesItself (2 IoCs)
Processes:
pid    process
2028   9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
2012   apocalyps32.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description                          pid    process                                                                 target process
PID 2028 wrote to memory of 2012     2028   9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe   apocalyps32.exe
PID 2028 wrote to memory of 2012     2028   9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe   apocalyps32.exe
PID 2028 wrote to memory of 2012     2028   9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe   apocalyps32.exe
PID 2028 wrote to memory of 2012     2028   9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe   apocalyps32.exe
PID 2012 wrote to memory of 1620     2012   apocalyps32.exe                                                         iexplore.exe
PID 2012 wrote to memory of 1620     2012   apocalyps32.exe                                                         iexplore.exe
PID 2012 wrote to memory of 1620     2012   apocalyps32.exe                                                         iexplore.exe
PID 2012 wrote to memory of 1620     2012   apocalyps32.exe                                                         iexplore.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b2e5ec8736feba443110a25070c4067834adbb8c5a0ec671c17da6847ddf9bd.exe"
    - Suspicious behavior: RenamesItself
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\apocalyps32.exe
        Command line: -bs
        - Suspicious behavior: RenamesItself
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Internet Explorer\iexplore.exe
            Command line: -bs
Network
MITRE ATT&CK Matrix
Downloads

memory/2012-56-0x0000000000000000-mapping.dmp
memory/2012-59-0x0000000000010000-0x0000000000037000-memory.dmp   Filesize: 156KB
memory/2028-54-0x00000000759F1000-0x00000000759F3000-memory.dmp   Filesize: 8KB
memory/2028-55-0x0000000000010000-0x0000000000037000-memory.dmp   Filesize: 156KB
memory/2028-57-0x0000000000010000-0x0000000000037000-memory.dmp   Filesize: 156KB