Analysis
- max time kernel: 140s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 14-12-2023 07:26
Static task
- static1
Behavioral task
- behavioral1
  Sample: PI and payment confirmed pdf.exe
  Resource: win7-20231129-en
Behavioral task
- behavioral2
  Sample: PI and payment confirmed pdf.exe
  Resource: win10v2004-20231130-en
General
- Target: PI and payment confirmed pdf.exe
- Size: 1.5MB
- MD5: e7a6ceb1e92d347de7fc59f2bdaaa983
- SHA1: cbb2980d5fefd1dc982ed46346150b401df81ab0
- SHA256: 76145dd8fc5f8c21d79d3fa02252e3006fc43d57a87cbc974e51b4975bc10d7e
- SHA512: 315feb761bb85df9fcb8f67519d602ba39cdaf9c979b8e54616a61d4f4c4045bda5f156d9fb76def2bdc78608611856d9d67764c83107e5c0210d5acd58ae7cb
- SSDEEP: 24576:raVRQ9cDptbr5YQrM+EOFQCX6QmBiv3aBELJhWEH7VkHG5GJtr:raXt2aM+EMQCvXL7VsG5WR
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
  resource                                                                     | yara_rule
  behavioral1/memory/2872-2-0x0000000003690000-0x0000000004690000-memory.dmp | modiloader_stage2
Program crash 1 IoCs
Processes:
  pid  | pid_target | process      | target process
  3032 | 2872       | WerFault.exe | PI and payment confirmed pdf.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description                        | pid  | process                          | target process
  PID 2872 wrote to memory of 3032   | 2872 | PI and payment confirmed pdf.exe | WerFault.exe
  PID 2872 wrote to memory of 3032   | 2872 | PI and payment confirmed pdf.exe | WerFault.exe
  PID 2872 wrote to memory of 3032   | 2872 | PI and payment confirmed pdf.exe | WerFault.exe
  PID 2872 wrote to memory of 3032   | 2872 | PI and payment confirmed pdf.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 804
    - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/2872-0-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/2872-1-0x0000000003690000-0x0000000004690000-memory.dmp (Filesize: 16.0MB)
- memory/2872-2-0x0000000003690000-0x0000000004690000-memory.dmp (Filesize: 16.0MB)
- memory/2872-4-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/2872-5-0x0000000000400000-0x000000000057D000-memory.dmp (Filesize: 1.5MB)