Analysis

max time kernel: 130s
max time network: 36s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 21-03-2023 14:40
Static task: static1

Behavioral task: behavioral1
Sample: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
Resource: win10v2004-20230220-en
General

Target: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
Size: 924KB
MD5: 8da3b607defa90b5500db1ee274f68c7
SHA1: cf853ceb8feffb9d3a2ce76cfc9b9e324c7fc9ee
SHA256: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d
SHA512: 375bab9d849f9f5ff0e47b8734372e55ac99eb7f5e2bbab485aa388429ee07c380682184dd75f91f58ae141e0697f64e2c14beb15967e4c9196048b0ded75b6b
SSDEEP: 24576:5U5BEEVl6gwiCYi6Wq+VHcvf9eGqRSZqPLX3UHA2I:5U5G6lNxk0ZqPLX3UHA2I
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral1/memory/1344-54-0x0000000000270000-0x000000000029C000-memory.dmp
  yara_rule: modiloader_stage2

Program crash (1 IoC)
Processes:
  pid: 376  pid_target: 1344  process: WerFault.exe  target process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 1344 wrote to memory of 376  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe  target process: WerFault.exe
  description: PID 1344 wrote to memory of 376  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe  target process: WerFault.exe
  description: PID 1344 wrote to memory of 376  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe  target process: WerFault.exe
  description: PID 1344 wrote to memory of 376  pid: 1344  process: 9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe  target process: WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9f8afb109c9b23b3b9645ecf1d44dd25d866472242239c766cac33a31d66a98d.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 884
      - Program crash