Analysis
-
max time kernel
130s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
25-05-2023 02:00
Static task
static1
Behavioral task
behavioral1
Sample
Siparis onayi proforma Fatura.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Siparis onayi proforma Fatura.exe
Resource
win10v2004-20230220-en
General
-
Target
Siparis onayi proforma Fatura.exe
-
Size
805KB
-
MD5
dab7cc983ca9542bd96062d675128a57
-
SHA1
13d832f3e6a884dfee1b05c4fe9ab7f754c8607c
-
SHA256
e399bdc24cb76e8ebdfef7bba94b18031fe0b4fd3664fcad763e77b1e4b2da86
-
SHA512
de268296462fe12039fc316b4674b4bc20e4ad4140e198ea5f8fc38d42e7434c8ba4e47b76b5cebad4b692e828a7d0423f1b01ebf7cefbb7abfc52f05f0697e3
-
SSDEEP
12288:29Id6OrPwqTQAwBTTvY0Z3l9+P/bnqvPPOmWnADUcHjNEU:29XyTFwtTpZ1E32POM7m
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2032-54-0x0000000001FE0000-0x0000000002012000-memory.dmp modiloader_stage2 -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1864 2032 WerFault.exe Siparis onayi proforma Fatura.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 2 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Siparis onayi proforma Fatura.exedescription pid process target process PID 2032 wrote to memory of 1864 2032 Siparis onayi proforma Fatura.exe WerFault.exe PID 2032 wrote to memory of 1864 2032 Siparis onayi proforma Fatura.exe WerFault.exe PID 2032 wrote to memory of 1864 2032 Siparis onayi proforma Fatura.exe WerFault.exe PID 2032 wrote to memory of 1864 2032 Siparis onayi proforma Fatura.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Siparis onayi proforma Fatura.exe"C:\Users\Admin\AppData\Local\Temp\Siparis onayi proforma Fatura.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 6922⤵
- Program crash
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
62KB
MD5b5fcc55cffd66f38d548e8b63206c5e6
SHA179db08ababfa33a4f644fa8fe337195b5aba44c7
SHA2567730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649
-
memory/2032-54-0x0000000001FE0000-0x0000000002012000-memory.dmpFilesize
200KB
-
memory/2032-56-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2032-57-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB