Analysis
max time kernel: 44s
max time network: 49s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2022 17:41
Behavioral task: behavioral1
Sample: cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
Resource: win10v2004-20220812-en
General
Target: cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
Size: 192KB
MD5: 2166e25a47e8a857d11aea01ed76165c
SHA1: 059d286c7abcc67770f9193216c4824820515ecb
SHA256: cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c
SHA512: 3865355cd565e09ef5a24fa16f7779e6b72e7ecd707e4762ac1538866999ab9f7cbb2c438c30c0884297dc08e4217d46da472aa2c5458512d006a9b4aa5151ae
SSDEEP: 3072:cLCnfuc1nOOS2oKISOm7cn+egnbexRewFqj6YljhajIrD:cOnO6Os7cn+PqXe1ljkjW
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2012-55-0x0000000000010000-0x0000000000041000-memory.dmp | modiloader_stage2
behavioral1/memory/2012-57-0x0000000000010000-0x0000000000041000-memory.dmp | modiloader_stage2
behavioral1/memory/1148-59-0x0000000000010000-0x0000000000041000-memory.dmp | modiloader_stage2
-
Processes:
resource | yara_rule
behavioral1/memory/2012-55-0x0000000000010000-0x0000000000041000-memory.dmp | upx
behavioral1/memory/2012-57-0x0000000000010000-0x0000000000041000-memory.dmp | upx
behavioral1/memory/1148-59-0x0000000000010000-0x0000000000041000-memory.dmp | upx
-
Suspicious behavior: RenamesItself 2 IoCs
Processes:
pid | process
2012 | cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe
1148 | apocalyps32.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 2012 wrote to memory of 1148 | 2012 | cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe | apocalyps32.exe
PID 2012 wrote to memory of 1148 | 2012 | cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe | apocalyps32.exe
PID 2012 wrote to memory of 1148 | 2012 | cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe | apocalyps32.exe
PID 2012 wrote to memory of 1148 | 2012 | cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe | apocalyps32.exe
PID 1148 wrote to memory of 2000 | 1148 | apocalyps32.exe | iexplore.exe
PID 1148 wrote to memory of 2000 | 1148 | apocalyps32.exe | iexplore.exe
PID 1148 wrote to memory of 2000 | 1148 | apocalyps32.exe | iexplore.exe
PID 1148 wrote to memory of 2000 | 1148 | apocalyps32.exe | iexplore.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\cd4915f5e417e98661b0bf65c4529b2bca1009952c4ac3d03d0b26ef1b4c108c.exe"
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
-
  C:\Windows\apocalyps32.exe (depth 2, child of the process above)
  Command line: -bs
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files\Internet Explorer\iexplore.exe (depth 3, child of apocalyps32.exe)
    Command line: -bs
Network
MITRE ATT&CK Matrix
Downloads
- memory/1148-56-0x0000000000000000-mapping.dmp
- memory/1148-59-0x0000000000010000-0x0000000000041000-memory.dmp (Filesize: 196KB)
- memory/2012-54-0x0000000074B51000-0x0000000074B53000-memory.dmp (Filesize: 8KB)
- memory/2012-55-0x0000000000010000-0x0000000000041000-memory.dmp (Filesize: 196KB)
- memory/2012-57-0x0000000000010000-0x0000000000041000-memory.dmp (Filesize: 196KB)