Analysis

max time kernel: 139s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2023 23:52
Static task: static1

Behavioral task: behavioral1
  Sample: Copie de plata bancara.exe
  Resource: win7-20231020-en

Behavioral task: behavioral2
  Sample: Copie de plata bancara.exe
  Resource: win10v2004-20231023-en
General

Target: Copie de plata bancara.exe
Size: 2.3MB

MD5
e37ea6abc23c1c71d528ef272f79f66f
SHA1
8e153efe15214296e26dd561bc1c7d25063b6b5d
SHA256
c6e6d9dd75af4dd8ec008e9dc75688b0325d31c822eef311783feaffff7c0dbb
SHA512
32a87b85e2e5bae44886c2a4d5c1396e173acccd2fea78771788510fcc1ec07c188dbfe387d9a8efb31f5e8d6b1be7d6414a620546c7bb6d176938aea19235a8
SSDEEP
49152:zmUjlGU/DDjqvOS6iy3iWOY+YLqaLOlTarbs69V/:zH3cy3im3L6cs69x
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
  resource: behavioral2/memory/2364-3-0x0000000004D60000-0x0000000005D60000-memory.dmp
  yara_rule: modiloader_stage2

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Frpqwthn = "C:\\Users\\Public\\Frpqwthn.url"
  process: Copie de plata bancara.exe

Program crash (1 IoC)
  pid: 1628
  pid_target: 2364
  process: WerFault.exe
  target process: Copie de plata bancara.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  description: HTTP User-Agent header
  flow: 21
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

  description: HTTP User-Agent header
  flow: 23
  ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid: 2364
  process: Copie de plata bancara.exe

  pid: 2364
  process: Copie de plata bancara.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2364 wrote to memory of 1256
  pid: 2364
  process: Copie de plata bancara.exe
  target process: colorcpl.exe

  description: PID 2364 wrote to memory of 1256
  pid: 2364
  process: Copie de plata bancara.exe
  target process: colorcpl.exe

  description: PID 2364 wrote to memory of 1256
  pid: 2364
  process: Copie de plata bancara.exe
  target process: colorcpl.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Copie de plata bancara.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Copie de plata bancara.exe"
  PID: 2364
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\colorcpl.exe
      command line: C:\Windows\System32\colorcpl.exe
      PID: 1256

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 1796
      PID: 1628
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2364 -ip 2364
  PID: 1492