Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 16:05
Static task: static1
Behavioral task: behavioral1
  Sample: 8cc16cd979d382d8b921fd6b9cdbd4e1.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 8cc16cd979d382d8b921fd6b9cdbd4e1.exe
  Resource: win10v2004-20231215-en
General
Target: 8cc16cd979d382d8b921fd6b9cdbd4e1.exe
Size: 645KB
MD5: 8cc16cd979d382d8b921fd6b9cdbd4e1
SHA1: 9264a2b0a2d8e63010e374f1dc812760769741d1
SHA256: f3c5d9789dc463722b0d81101676331f8d59acb8acd87cae6a56b48346554092
SHA512: 45239fa941b67c0cf6183da7f2d854f336cd22489487a74ffe32d212960cfafd000fecb83b83ea5e698ae9445979c08455bee2643529a8e23527f8d8ca09e5c1
SSDEEP: 12288:QZYG+424aG4m0ETaJY6BXZWmfQF3Z4mxxDuxm1EZi9XxF9E2AGZx:Q6G+e4bEczBJWmfQQmX6w1wi9D9E2Awx
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
  resource                                                              yara_rule
  behavioral1/memory/2932-22-0x0000000000400000-0x000000000060A000-memory.dmp   modiloader_stage2
  behavioral1/memory/2932-18-0x0000000000400000-0x000000000060A000-memory.dmp   modiloader_stage2
  behavioral1/memory/2932-25-0x0000000000400000-0x000000000060A000-memory.dmp   modiloader_stage2

Drops file in Program Files directory (1 IoC)
  description   ioc                               Process
  File created  C:\Program Files\paramstr.txt     8cc16cd979d382d8b921fd6b9cdbd4e1.exe

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  2372   2932         WerFault.exe   1

Suspicious use of WriteProcessMemory (8 IoCs)
  description                     pid    Process                                procid_target
  PID 2932 wrote to memory of 2356   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   28
  PID 2932 wrote to memory of 2356   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   28
  PID 2932 wrote to memory of 2356   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   28
  PID 2932 wrote to memory of 2356   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   28
  PID 2932 wrote to memory of 2372   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   29
  PID 2932 wrote to memory of 2372   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   29
  PID 2932 wrote to memory of 2372   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   29
  PID 2932 wrote to memory of 2372   2932   8cc16cd979d382d8b921fd6b9cdbd4e1.exe   29
Processes
C:\Users\Admin\AppData\Local\Temp\8cc16cd979d382d8b921fd6b9cdbd4e1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8cc16cd979d382d8b921fd6b9cdbd4e1.exe"
  Depth: 1
  PID: 2932
  Signatures:
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
  Children:
    C:\program files\internet explorer\IEXPLORE.EXE
      Command line: "C:\program files\internet explorer\IEXPLORE.EXE"
      Depth: 2
      PID: 2356
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 312
      Depth: 2
      PID: 2372
      Signatures:
        - Program crash