Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: 8d83768b151d2efde1fc4692e39b4a41.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 8d83768b151d2efde1fc4692e39b4a41.exe
- Resource: win10v2004-20231215-en
General
- Target: 8d83768b151d2efde1fc4692e39b4a41.exe
- Size: 609KB
- MD5: 8d83768b151d2efde1fc4692e39b4a41
- SHA1: 0b628b91474e43b17fa32ddb0a489b0050c8c730
- SHA256: 40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b
- SHA512: 8bc1bf8067409172668639a6587164f0af2beed9254b647b96627dba5f2817f2134fccd2682d13949ba415922074ff8b1ad1c760617579db010562c69d5b498b
- SSDEEP: 12288:uP0E0cVS+vHV6toWuOhbRuo4QF3Z4mxxG0MHoTAFbv:/u/Hst7hUopQmXGK8
Malware Config
Signatures
- ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses cloud file-hosting services to download and stage other malware families.
- ModiLoader Second Stage (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3592-27-0x0000000000400000-0x000000000056D000-memory.dmp   modiloader_stage2
behavioral2/memory/4476-24-0x0000000000400000-0x000000000056D000-memory.dmp   modiloader_stage2
behavioral2/memory/3592-28-0x0000000000400000-0x000000000056D000-memory.dmp   modiloader_stage2
- Executes dropped EXE (1 IoC)
pid    Process
4476   Indxiwg.exe
- Drops file in System32 directory (4 IoCs)
description                    ioc                                 Process
File created                   C:\Windows\SysWOW64\Indxiwg.exe     8d83768b151d2efde1fc4692e39b4a41.exe
File opened for modification   C:\Windows\SysWOW64\Indxiwg.exe     8d83768b151d2efde1fc4692e39b4a41.exe
File opened for modification   C:\Windows\SysWOW64\Indxiwg.exe     Indxiwg.exe
File created                   C:\Windows\SysWOW64\Deleteme.bat    8d83768b151d2efde1fc4692e39b4a41.exe
- Program crash (2 IoCs)
pid    pid_target   Process        procid_target
4436   3592         WerFault.exe   82
4860   4476         WerFault.exe   86
- Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid    Process                                procid_target
PID 3592 wrote to memory of 4476   3592   8d83768b151d2efde1fc4692e39b4a41.exe   86
PID 3592 wrote to memory of 4476   3592   8d83768b151d2efde1fc4692e39b4a41.exe   86
PID 3592 wrote to memory of 4476   3592   8d83768b151d2efde1fc4692e39b4a41.exe   86
PID 3592 wrote to memory of 4572   3592   8d83768b151d2efde1fc4692e39b4a41.exe   89
PID 3592 wrote to memory of 4572   3592   8d83768b151d2efde1fc4692e39b4a41.exe   89
PID 3592 wrote to memory of 4572   3592   8d83768b151d2efde1fc4692e39b4a41.exe   89
Processes
C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8d83768b151d2efde1fc4692e39b4a41.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID: 3592
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 324
      - Program crash
      PID: 4436
    C:\Windows\SysWOW64\Indxiwg.exe
      command line: C:\Windows\system32\Indxiwg.exe
      - Executes dropped EXE
      - Drops file in System32 directory
      PID: 4476
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 324
          - Program crash
          PID: 4860
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat
      PID: 4572
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3592 -ip 3592
  PID: 3172
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4476 -ip 4476
  PID: 3128
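The signature tables and the process tree above are flattened views of one chain: the sample writes Indxiwg.exe and Deleteme.bat into SysWOW64, launches the dropped EXE and writes into its memory, launches cmd.exe /c Deleteme.bat, and both the sample and the dropped EXE then crash under WerFault. The Python below is an added example, not part of this report or of any sandbox's code, that correlates such rows per parent PID into a single verdict. Its event list is constructed by hand from the report's own PIDs and paths; the event field names, the verdict labels and the system-directory list are this example's assumptions, not a sandbox schema.

```python
"""Correlate flattened sandbox behaviour rows into per-process findings.

Added example: not part of the sandbox report and not the sandbox's own
code.  EVENTS is constructed by hand from the report's tables so the
script runs offline; field names ("kind", "pid", "target", ...) are this
example's own, not the sandbox's schema.
"""
from collections import defaultdict

# Assumed set of "system" directories worth flagging a drop into.
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")

# Constructed events modelled on the "Drops file in System32 directory",
# "Executes dropped EXE", "Suspicious use of WriteProcessMemory" and
# "Program crash" tables.  PIDs and paths are the report's; ordering follows
# the process tree.
EVENTS = [
    {"kind": "file_create", "pid": 3592, "path": r"C:\Windows\SysWOW64\Indxiwg.exe"},
    {"kind": "file_modify", "pid": 3592, "path": r"C:\Windows\SysWOW64\Indxiwg.exe"},
    {"kind": "file_create", "pid": 3592, "path": r"C:\Windows\SysWOW64\Deleteme.bat"},
    {"kind": "process_create", "pid": 3592, "child": 4476,
     "image": r"C:\Windows\SysWOW64\Indxiwg.exe"},
    *[{"kind": "write_memory", "pid": 3592, "target": 4476} for _ in range(3)],
    {"kind": "file_modify", "pid": 4476, "path": r"C:\Windows\SysWOW64\Indxiwg.exe"},
    {"kind": "process_create", "pid": 3592, "child": 4572,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Windows\system32\Deleteme.bat"},
    *[{"kind": "write_memory", "pid": 3592, "target": 4572} for _ in range(3)],
    {"kind": "crash", "pid": 4436, "target": 3592},
    {"kind": "crash", "pid": 4860, "target": 4476},
]


def norm(path):
    """Lower-case a path and fold System32 onto SysWOW64: WOW64 file-system
    redirection sends a 32-bit process's System32 writes to SysWOW64, which is
    why the report shows both spellings for the same files."""
    return path.lower().replace("\\system32\\", "\\syswow64\\")


def correlate(events):
    """Group events by the acting PID and derive loader-style findings."""
    raw = defaultdict(lambda: {"dropped_exes": [], "dropped_scripts": [],
                               "children": {}, "writes": defaultdict(int),
                               "crashed": False})
    for e in events:
        rec = raw[e["pid"]]
        if e["kind"] == "file_create":
            p = norm(e["path"])
            if p.startswith(SYSTEM_DIRS):
                key = "dropped_exes" if p.endswith(".exe") else "dropped_scripts"
                rec[key].append(p)
        elif e["kind"] == "process_create":
            rec["children"][e["child"]] = {"image": norm(e["image"]),
                                           "cmdline": norm(e.get("cmdline", ""))}
        elif e["kind"] == "write_memory":
            rec["writes"][e["target"]] += 1
        elif e["kind"] == "crash":
            raw[e["target"]]["crashed"] = True

    findings = {}
    for pid, rec in raw.items():
        # A child whose image is a file this process just wrote into a system dir.
        executed = [c for c, info in rec["children"].items()
                    if info["image"] in rec["dropped_exes"]]
        # ... and that the parent then wrote into (the stage-2 handoff).
        injected = [c for c in executed if rec["writes"].get(c)]
        # A dropped script run through a cmd.exe child: self-cleanup.
        self_delete = any(script in info["cmdline"] and "cmd.exe" in info["image"]
                          for script in rec["dropped_scripts"]
                          for info in rec["children"].values())
        findings[pid] = {"dropped_exes": rec["dropped_exes"],
                         "executed_dropped": executed,
                         "injected_dropped": injected,
                         "self_delete": self_delete,
                         "crashed": rec["crashed"]}
    return findings


def verdict(finding):
    """Cross-process writes alone are weak evidence: a parent writes into every
    child it creates (the report shows the same three writes to the cmd.exe
    child).  Only the drop -> execute -> write chain is called loader-like."""
    if finding["injected_dropped"]:
        return "loader-like" + (" (self-deleting)" if finding["self_delete"] else "")
    if finding["dropped_exes"]:
        return "drops executable"
    return "no loader indicators"


if __name__ == "__main__":
    for pid, f in sorted(correlate(EVENTS).items()):
        print(pid, verdict(f), f)
```

Run as-is, PID 3592 comes out "loader-like (self-deleting)" while 4476 and the WerFault PIDs come out clean even though 4476 also crashed: the crash is recorded as context, not as evidence, because a WerFault child is what any unhandled exception in the sandbox produces. The two normalisations in norm() are the part worth keeping when adapting this to real telemetry, since a rule that keys on the literal string "System32" would miss the SysWOW64 drops this report shows.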
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 184B
  MD5: 76548ddbf2a885b58278b53bb642c3e2
  SHA1: 92fc8f271f6c18835a75b54510bba05dddb49cd6
  SHA256: 092b5bffbb0210d17ba551a0aa234f264e4b72842e5e97bd55e33e6e141f5b7c
  SHA512: 40820c5e2f9016fccd37832e4ee4f47fa55eead773624af548d8ddd7d0bea9cc006aa7ccb6723c4beb456c25585e58bf4b0af1a8319474f5ddbfe1f42729dbe0
- Filesize: 609KB (same hashes as the submitted sample)
  MD5: 8d83768b151d2efde1fc4692e39b4a41
  SHA1: 0b628b91474e43b17fa32ddb0a489b0050c8c730
  SHA256: 40a3268a8ea94299a2135fc021fe25b907694463c9380fbfbc6c7e834aa6294b
  SHA512: 8bc1bf8067409172668639a6587164f0af2beed9254b647b96627dba5f2817f2134fccd2682d13949ba415922074ff8b1ad1c760617579db010562c69d5b498b