Analysis
-
max time kernel
140s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
16-03-2023 19:41
Behavioral task
behavioral1
Sample
HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe
Resource
win10v2004-20230221-en
General
-
Target
HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe
-
Size
420KB
-
MD5
4c441e0f43f6ea1edf515e4a25ffcd24
-
SHA1
ca5021d2161664853eb3900a1d8c9874672c03f2
-
SHA256
47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f
-
SHA512
488166165f653f6d16c3d4bbd1ddeb547345396f38918481d72cc74da322d363782c6e5024a65b3193c7fe7102200aa76f7f699e3995ba1a0fbd5ca74290237f
-
SSDEEP
6144:Lq4/ZdjqF1Tov7yuTlb5251VnHgv+BrlkaWI0wQA:mIre+bQ5jnNlw5
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1524-54-0x0000000006310000-0x000000000637C000-memory.dmp modiloader_stage2 -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1620 1524 WerFault.exe HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exedescription pid process target process PID 1524 wrote to memory of 1620 1524 HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe WerFault.exe PID 1524 wrote to memory of 1620 1524 HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe WerFault.exe PID 1524 wrote to memory of 1620 1524 HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe WerFault.exe PID 1524 wrote to memory of 1620 1524 HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-47792144c9b440b3d2fbd422f68a23a8a8dfc16466d2a7430fc283a9d382826f.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1602⤵
- Program crash
PID:1620
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1524-54-0x0000000006310000-0x000000000637C000-memory.dmpFilesize
432KB