Analysis
max time kernel: 141s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2023 08:35

Static task: static1
Behavioral task: behavioral1
  Sample: Call For Price f.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: Call For Price f.exe
  Resource: win10v2004-20231023-en
General
Target: Call For Price f.exe
Size: 1.8MB
MD5: 95af57a740c5db3e1e52cdb5355daa28
SHA1: 02fa230076b630be472086ffefa77a1a7a9a542c
SHA256: 091fbd8d1a58a54f7d71cb449a3da0ccd6a845950017209d88e25d7b685a1bb7
SHA512: 6fc5d5fb4274a262e0bec4306b67656ffe51020ce9902e1d8e9e979bf6d01dc4bb23cfa2a4fb8babea7b82709023b58a42e4461065b3244537471ed51da5ad71
SSDEEP: 49152:bee0SeGwcSGQ3OvlzgzRlyYFT9xZdmPSw:blMGNQ3ywXFJQ
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral2/memory/2976-3-0x0000000004860000-0x0000000005860000-memory.dmp
  yara_rule: modiloader_stage2
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Call For Price f.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gnbqkrmu = "C:\\Users\\Public\\Gnbqkrmu.url"
  process: Call For Price f.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid: 2436
  pid_target: 2976
  process: WerFault.exe
  target process: Call For Price f.exe
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description: HTTP User-Agent header | flow: 27 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  description: HTTP User-Agent header | flow: 22 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: Call For Price f.exe
  pid: 2976 | process: Call For Price f.exe
  pid: 2976 | process: Call For Price f.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: SndVol.exe
  pid: 1640 | process: SndVol.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: SndVol.exe
  pid: 1640 | process: SndVol.exe
  pid: 1640 | process: SndVol.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: Call For Price f.exe
  description: PID 2976 wrote to memory of 1640 | pid: 2976 | process: Call For Price f.exe | target process: SndVol.exe
  description: PID 2976 wrote to memory of 1640 | pid: 2976 | process: Call For Price f.exe | target process: SndVol.exe
  description: PID 2976 wrote to memory of 1640 | pid: 2976 | process: Call For Price f.exe | target process: SndVol.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Call For Price f.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\Call For Price f.exe"
  PID: 2976
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\SndVol.exe (depth 2, child of PID 2976)
    command line: C:\Windows\System32\SndVol.exe
    PID: 1640
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\WerFault.exe (depth 2, child of PID 2976)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 1536
    PID: 2436
    - Program crash

C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2976 -ip 2976
  PID: 2356