Analysis
- max time kernel: 135s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-04-2023 13:12
Static task: static1
Behavioral task: behavioral1
- Sample: Fmywfytcpwdmvi.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Fmywfytcpwdmvi.exe
- Resource: win10v2004-20230220-en
General
- Target: Fmywfytcpwdmvi.exe
- Size: 707KB
- MD5: 3df32efa05c88263b4ab0001b5b86aca
- SHA1: aa936331daad999b8561df9163f46c15be8272d4
- SHA256: 94aa407f90054e51d00b6c555ef7b566944290e990f3790bf18579afe0cf60b2
- SHA512: 6702cf703c845f411f34c742b8585ead12d76e7c01dfd075c77bd068a8585b438189b38331d1502d23cbab55aae1daa56afcffdd2242e5838dfd3291aa8cadd4
- SSDEEP: 12288:3lSLbFGyI6Lr4x6xsRzNgBlAU94uq43B2VrNoSv:VuL4xSsRzNgOuTx2VBv
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  Processes:
    resource: behavioral2/memory/1044-135-0x0000000002290000-0x00000000022BC000-memory.dmp
    yara_rule: modiloader_stage2
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: Fmywfytcpwdmvi.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fmywfytc = "C:\\Users\\Public\\Libraries\\ctyfwymF.url"
    process: Fmywfytcpwdmvi.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: Fmywfytcpwdmvi.exe
    pid 1044, process Fmywfytcpwdmvi.exe
    pid 1044, process Fmywfytcpwdmvi.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: Fmywfytcpwdmvi.exe
    description: PID 1044 wrote to memory of 2164; pid 1044; process Fmywfytcpwdmvi.exe; target process colorcpl.exe
    description: PID 1044 wrote to memory of 2164; pid 1044; process Fmywfytcpwdmvi.exe; target process colorcpl.exe
    description: PID 1044 wrote to memory of 2164; pid 1044; process Fmywfytcpwdmvi.exe; target process colorcpl.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Fmywfytcpwdmvi.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Fmywfytcpwdmvi.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\colorcpl.exe
    command line: C:\Windows\System32\colorcpl.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1044-133-0x0000000002260000-0x0000000002261000-memory.dmp (Filesize: 4KB)
- memory/1044-134-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/1044-135-0x0000000002290000-0x00000000022BC000-memory.dmp (Filesize: 176KB)
- memory/1044-137-0x0000000000400000-0x00000000004B6000-memory.dmp (Filesize: 728KB)
- memory/1044-149-0x0000000030410000-0x000000003043F000-memory.dmp (Filesize: 188KB)
- memory/1044-150-0x0000000030410000-0x000000003043F000-memory.dmp (Filesize: 188KB)