Analysis
max time kernel: 143s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2023 08:35
Static task: static1
Behavioral task: behavioral1
  Sample: 003786546788765.PDF.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 003786546788765.PDF.exe
  Resource: win10v2004-20231025-en
General
Target: 003786546788765.PDF.exe
Size: 1.8MB
MD5: dd985ad6ff3a38972aa87834407f9e62
SHA1: 980e4e4f22d48c0e336bbf9b5fca0e7320461720
SHA256: 2159cbace070eda555164924c4bf646924d95a7dcbc3cf7ab44d2c918d0abe0b
SHA512: 83f0695bce3f75431d8509d8770934adcc09a76ae46f01b03882657e333264d188fb4b25bca9aeb3da67437e3c3513044a841ee564eadd997ca9085ca4fb64a6
SSDEEP: 49152:bee0SeGwcSGQuOvlzgzRlyYFT9xZdmPSw:blMGNQuywXFJQ
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral2/memory/4704-3-0x0000000004BF0000-0x0000000005BF0000-memory.dmp
  yara_rule: modiloader_stage2
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 003786546788765.PDF.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ygolxkvk = "C:\\Users\\Public\\Ygolxkvk.url"
  process: 003786546788765.PDF.exe
Program crash (1 IoC)
Processes: WerFault.exe
  pid: 2876
  pid_target: 4704
  process: WerFault.exe
  target process: 003786546788765.PDF.exe
Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description: HTTP User-Agent header; flow: 22; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  description: HTTP User-Agent header; flow: 24; ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 003786546788765.PDF.exe
  pid: 4704; process: 003786546788765.PDF.exe
  pid: 4704; process: 003786546788765.PDF.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes: SndVol.exe
  pid: 2964; process: SndVol.exe
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: SndVol.exe
  pid: 2964; process: SndVol.exe
  pid: 2964; process: SndVol.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 003786546788765.PDF.exe
  description: PID 4704 wrote to memory of 2964; pid: 4704; process: 003786546788765.PDF.exe; target process: SndVol.exe
  description: PID 4704 wrote to memory of 2964; pid: 4704; process: 003786546788765.PDF.exe; target process: SndVol.exe
  description: PID 4704 wrote to memory of 2964; pid: 4704; process: 003786546788765.PDF.exe; target process: SndVol.exe
Processes
C:\Users\Admin\AppData\Local\Temp\003786546788765.PDF.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\003786546788765.PDF.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4704
    C:\Windows\SysWOW64\SndVol.exe
      command line: C:\Windows\System32\SndVol.exe
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2964
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1468
      - Program crash
      PID: 2876
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4704 -ip 4704
  PID: 2320