Analysis

max time kernel: 117s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 03/02/2024, 20:23
Behavioral task: behavioral1
Sample: 8d433006b2019b7154b5f7672f1cb441.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 8d433006b2019b7154b5f7672f1cb441.exe
Resource: win10v2004-20231222-en
General

Target: 8d433006b2019b7154b5f7672f1cb441.exe
Size: 106KB
MD5: 8d433006b2019b7154b5f7672f1cb441
SHA1: db9e1a79b95b5172bd03c2c18189dbfc8ca76ec8
SHA256: a5d719f883bcc4a729915ef42ab58611f3bfd70d3d7140d402ee618f5e93baaf
SHA512: 7f964b7375d43874e3e5df4d8af8afc504e5b1f75db84f502d3e262a905b31aea75266a4d14c3de0a2f60454ff8f698348a22e199bc4a2ff965441bb69f39cb3
SSDEEP: 3072:YLCnfucgtnnOOS2oKISOm7cn+egnbexRew1S3:YHtnnO6Os7cn+Pqr
Malware Config
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral1/memory/2032-5-0x0000000000010000-0x0000000000031000-memory.dmp | modiloader_stage2
behavioral1/files/0x0010000000012247-4.dat | modiloader_stage2
behavioral1/memory/2200-8-0x0000000000010000-0x0000000000031000-memory.dmp | modiloader_stage2

Executes dropped EXE (1 IoC)
pid | Process
2200 | apocalyps32.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\apocalyps32.exe | 8d433006b2019b7154b5f7672f1cb441.exe
File opened for modification | C:\Windows\apocalyps32.exe | 8d433006b2019b7154b5f7672f1cb441.exe
File created | C:\Windows\apocalyps32.exe | apocalyps32.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2032 wrote to memory of 2200 | 2032 | 8d433006b2019b7154b5f7672f1cb441.exe | 28
PID 2032 wrote to memory of 2200 | 2032 | 8d433006b2019b7154b5f7672f1cb441.exe | 28
PID 2032 wrote to memory of 2200 | 2032 | 8d433006b2019b7154b5f7672f1cb441.exe | 28
PID 2032 wrote to memory of 2200 | 2032 | 8d433006b2019b7154b5f7672f1cb441.exe | 28
PID 2200 wrote to memory of 1980 | 2200 | apocalyps32.exe | 29
PID 2200 wrote to memory of 1980 | 2200 | apocalyps32.exe | 29
PID 2200 wrote to memory of 1980 | 2200 | apocalyps32.exe | 29
PID 2200 wrote to memory of 1980 | 2200 | apocalyps32.exe | 29

Note that the same modiloader_stage2 rule fires on the dropped file, on the sample's own memory (PID 2032) and on the dropped child's memory (PID 2200) at the same 0x10000-0x31000 range, and that each process then writes into the process it spawned (2032 into 2200, 2200 into iexplore.exe 1980). The sandbox records those writes as suspicious; it does not by itself confirm what was written.
Processes

1. "C:\Users\Admin\AppData\Local\Temp\8d433006b2019b7154b5f7672f1cb441.exe" (PID 2032)
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\apocalyps32.exe -bs (PID 2200)
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. "C:\Program Files\Internet Explorer\iexplore.exe" -bs (PID 1980)
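The following triage script is an added example, not part of the sandbox report or of any ModiLoader tooling. It takes the rows of this report as constructed input, collapses the repeated WriteProcessMemory events, rebuilds the write chain 2032 -> 2200 -> 1980 from the IoC rows alone, and flags the pattern a responder would want to catch in their own telemetry: an EXE dropped into C:\Windows, executed, and then writing into a browser process. The INJECTION_TARGETS set and the "possible injection" verdict are this example's assumptions; the report itself only marks the writes as suspicious.

```python
import re
from collections import Counter, defaultdict

# Constructed input: the eight rows of the report's "Suspicious use of
# WriteProcessMemory" table, one event per line, as the sandbox lists them.
WPM_EVENTS = """\
PID 2032 wrote to memory of 2200 2032 8d433006b2019b7154b5f7672f1cb441.exe 28
PID 2032 wrote to memory of 2200 2032 8d433006b2019b7154b5f7672f1cb441.exe 28
PID 2032 wrote to memory of 2200 2032 8d433006b2019b7154b5f7672f1cb441.exe 28
PID 2032 wrote to memory of 2200 2032 8d433006b2019b7154b5f7672f1cb441.exe 28
PID 2200 wrote to memory of 1980 2200 apocalyps32.exe 29
PID 2200 wrote to memory of 1980 2200 apocalyps32.exe 29
PID 2200 wrote to memory of 1980 2200 apocalyps32.exe 29
PID 2200 wrote to memory of 1980 2200 apocalyps32.exe 29
"""

# Constructed input: pid -> command line, from the report's Processes section.
PROCESSES = {
    2032: r'"C:\Users\Admin\AppData\Local\Temp\8d433006b2019b7154b5f7672f1cb441.exe"',
    2200: r'C:\Windows\apocalyps32.exe -bs',
    1980: r'"C:\Program Files\Internet Explorer\iexplore.exe" -bs',
}

# Constructed input: "Drops file in Windows directory" rows as (action, path, process).
FILE_EVENTS = [
    ("File created", r"C:\Windows\apocalyps32.exe", "8d433006b2019b7154b5f7672f1cb441.exe"),
    ("File opened for modification", r"C:\Windows\apocalyps32.exe", "8d433006b2019b7154b5f7672f1cb441.exe"),
    ("File created", r"C:\Windows\apocalyps32.exe", "apocalyps32.exe"),
]

# Columns of a WriteProcessMemory row: description, pid, Process, procid_target.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Assumption (not from the report): benign images that a freshly dropped
# executable has no business writing into. Extend for your environment.
INJECTION_TARGETS = {"iexplore.exe", "explorer.exe", "svchost.exe"}


def image_name(cmdline):
    """Lower-case executable file name from a Windows command line."""
    m = re.match(r'\s*"?(.*?\.exe)', cmdline, re.IGNORECASE)
    path = m.group(1) if m else cmdline
    return path.rsplit("\\", 1)[-1].lower()


def parse_wpm(text):
    """Collapse repeated rows into {(src_pid, dst_pid): event_count}."""
    counts = Counter()
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def write_chains(counts):
    """Follow src -> dst write edges from every pid that nobody wrote into."""
    edges = defaultdict(list)
    for src, dst in counts:
        edges[src].append(dst)
    written_into = {dst for _, dst in counts}
    roots = sorted(src for src in edges if src not in written_into)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not edges.get(pid):          # leaf: nothing downstream of this pid
            chains.append(path)
        for child in edges.get(pid, []):
            if child not in path:       # guard against cycles in real telemetry
                walk(child, path)

    for root in roots:
        walk(root, [])
    return chains


def triage(wpm_text, processes, file_events):
    """Return the dropped EXEs, which of them ran, the write chains, and
    cross-process writes from a dropped EXE into a benign-looking target."""
    images = {pid: image_name(cmd) for pid, cmd in processes.items()}
    counts = parse_wpm(wpm_text)

    # 1. EXEs created under C:\Windows, keyed by file name -> first writer.
    dropped = {}
    for action, path, proc in file_events:
        low = path.lower()
        if action == "File created" and low.startswith("c:\\windows\\") and low.endswith(".exe"):
            dropped.setdefault(low.rsplit("\\", 1)[-1], proc.lower())

    # 2. Dropped EXEs that actually executed.
    executed = sorted(pid for pid, img in images.items() if img in dropped)

    # 3. A dropped EXE writing into a target image: flag as possible injection.
    suspects = []
    for (src, dst), n in sorted(counts.items()):
        s_img, d_img = images.get(src, "?"), images.get(dst, "?")
        if s_img in dropped and d_img in INJECTION_TARGETS:
            suspects.append({"src": src, "dst": dst, "src_image": s_img,
                             "dst_image": d_img, "events": n})

    return {
        "dropped_exes": dropped,
        "executed_dropped": executed,
        "write_chains": [[images.get(p, "?") for p in c] for c in write_chains(counts)],
        "injection_suspects": suspects,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(WPM_EVENTS, PROCESSES, FILE_EVENTS), indent=2))
```

Run as-is it reports one dropped EXE (apocalyps32.exe, written by the sample), that it ran as PID 2200, a single write chain sample -> apocalyps32.exe -> iexplore.exe, and four write events from the dropped EXE into iexplore.exe. To reuse it on another report, paste that report's table rows into the three constructed inputs; the logic only depends on the sandbox's column layout.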
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 106KB
MD5: 8d433006b2019b7154b5f7672f1cb441
SHA1: db9e1a79b95b5172bd03c2c18189dbfc8ca76ec8
SHA256: a5d719f883bcc4a729915ef42ab58611f3bfd70d3d7140d402ee618f5e93baaf
SHA512: 7f964b7375d43874e3e5df4d8af8afc504e5b1f75db84f502d3e262a905b31aea75266a4d14c3de0a2f60454ff8f698348a22e199bc4a2ff965441bb69f39cb3