Analysis

max time kernel: 145s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/02/2024, 20:23

Behavioral tasks

behavioral1: sample 8d433006b2019b7154b5f7672f1cb441.exe, resource win7-20231215-en
behavioral2: sample 8d433006b2019b7154b5f7672f1cb441.exe, resource win10v2004-20231222-en

The signatures, IoCs and process tree below come from behavioral2 (the Windows 10 run); every IoC path is prefixed behavioral2/.
General

Target: 8d433006b2019b7154b5f7672f1cb441.exe
Size: 106KB
MD5: 8d433006b2019b7154b5f7672f1cb441
SHA1: db9e1a79b95b5172bd03c2c18189dbfc8ca76ec8
SHA256: a5d719f883bcc4a729915ef42ab58611f3bfd70d3d7140d402ee618f5e93baaf
SHA512: 7f964b7375d43874e3e5df4d8af8afc504e5b1f75db84f502d3e262a905b31aea75266a4d14c3de0a2f60454ff8f698348a22e199bc4a2ff965441bb69f39cb3
SSDEEP: 3072:YLCnfucgtnnOOS2oKISOm7cn+egnbexRew1S3:YHtnnO6Os7cn+Pqr
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (3 IoCs)
resource | yara_rule
behavioral2/files/0x0009000000023217-2.dat | modiloader_stage2
behavioral2/memory/4580-4-0x0000000000010000-0x0000000000031000-memory.dmp | modiloader_stage2
behavioral2/memory/1196-5-0x0000000000010000-0x0000000000031000-memory.dmp | modiloader_stage2
The stage-2 rule fires on the dropped file and on the same 0x10000-0x31000 region in both PID 4580 (the submitted sample) and PID 1196 (the dropped copy), i.e. both processes hold the same loader image in memory.

Executes dropped EXE (1 IoC)
pid | Process
1196 | apocalyps32.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\apocalyps32.exe | 8d433006b2019b7154b5f7672f1cb441.exe
File opened for modification | C:\Windows\apocalyps32.exe | 8d433006b2019b7154b5f7672f1cb441.exe
File created | C:\Windows\apocalyps32.exe | apocalyps32.exe

Suspicious use of WriteProcessMemory (5 IoCs)
The sandbox logs one row per WriteProcessMemory call, so the same source/target pair repeats.
description | pid | Process | procid_target
PID 4580 wrote to memory of 1196 | 4580 | 8d433006b2019b7154b5f7672f1cb441.exe | 84
PID 4580 wrote to memory of 1196 | 4580 | 8d433006b2019b7154b5f7672f1cb441.exe | 84
PID 4580 wrote to memory of 1196 | 4580 | 8d433006b2019b7154b5f7672f1cb441.exe | 84
PID 1196 wrote to memory of 4028 | 1196 | apocalyps32.exe | 85
PID 1196 wrote to memory of 4028 | 1196 | apocalyps32.exe | 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\8d433006b2019b7154b5f7672f1cb441.exe (PID 4580)
   command line: "C:\Users\Admin\AppData\Local\Temp\8d433006b2019b7154b5f7672f1cb441.exe"
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\apocalyps32.exe (PID 1196), child of 4580
      command line: -bs
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4028), child of 1196
         command line: -bs
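The chain the report shows is: sample runs from the user's Temp directory, drops a copy of itself into C:\Windows, runs that copy, the copy writes into an msedge.exe it spawned. Each of those steps is a weak signal on its own; tied together they are the behaviour worth alerting on. The script below is an added example, not part of the sandbox report: it rebuilds that chain from process-creation, file-creation and WriteProcessMemory events. The event tuples are constructed by hand from the Signatures and Processes sections above, and the (pid, parent pid, image) layout is an assumption, not any vendor's telemetry schema.

```python
"""Rebuild the drop -> execute -> inject chain from sandbox-style events.

Added example, not part of the report. Event layout below is an assumption.
"""
from collections import defaultdict

# Constructed from the report's process tree: (pid, parent_pid, image path).
PROCESSES = [
    (4580, None, r"C:\Users\Admin\AppData\Local\Temp\8d433006b2019b7154b5f7672f1cb441.exe"),
    (1196, 4580, r"C:\Windows\apocalyps32.exe"),
    (4028, 1196, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]
# Constructed from "Drops file in Windows directory": (pid, created path).
FILE_CREATES = [
    (4580, r"C:\Windows\apocalyps32.exe"),
    (1196, r"C:\Windows\apocalyps32.exe"),
]
# Constructed from "Suspicious use of WriteProcessMemory": (source pid, target pid).
# The sandbox logs one row per call, hence the repeated pairs.
WRITE_PROCESS_MEMORY = [
    (4580, 1196), (4580, 1196), (4580, 1196),
    (1196, 4028), (1196, 4028),
]

# Browser images worth treating as injection targets (assumed list).
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
WINDOWS_DIR = "c:\\windows\\"
USER_PROFILE_DIR = "c:\\users\\"


def image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(processes, file_creates, wpm_events):
    """Correlate the three event types and return the findings as a dict."""
    image = {pid: path for pid, _, path in processes}
    parent = {pid: ppid for pid, ppid, _ in processes}
    dropped = {path.lower() for _, path in file_creates}

    # 1. A process whose image was written to disk during this run.
    executes_dropped = sorted(
        pid for pid, path in image.items() if path.lower() in dropped
    )

    # 2. A process running from a user profile writing into C:\Windows.
    user_drops_into_windows = sorted({
        pid for pid, path in file_creates
        if path.lower().startswith(WINDOWS_DIR)
        and image.get(pid, "").lower().startswith(USER_PROFILE_DIR)
    })

    # 3. Deduplicated cross-process writes, and those whose target is a browser.
    writes = defaultdict(set)
    for src, dst in wpm_events:
        writes[src].add(dst)
    browser_targets = sorted(
        dst for dsts in writes.values() for dst in dsts
        if image_name(image.get(dst, "")) in BROWSER_IMAGES
    )

    # 4. From each browser target walk up the parent chain while every hop is
    #    also a WriteProcessMemory edge, recovering origin -> ... -> browser.
    chains = []
    for target in browser_targets:
        chain = [target]
        while (parent.get(chain[-1]) is not None
               and chain[-1] in writes.get(parent[chain[-1]], ())):
            chain.append(parent[chain[-1]])
        chains.append(chain[::-1])

    return {
        "executes_dropped_exe": executes_dropped,
        "user_process_drops_into_windows": user_drops_into_windows,
        "browser_injection_targets": browser_targets,
        "injection_chains": chains,
    }


if __name__ == "__main__":
    for key, value in analyse(PROCESSES, FILE_CREATES, WRITE_PROCESS_MEMORY).items():
        print(f"{key}: {value}")
```

On the report's events this yields PID 1196 as the executed dropped copy, PID 4580 as the user-profile process writing into C:\Windows, msedge.exe (PID 4028) as the browser written to, and the single chain 4580 -> 1196 -> 4028. The chain walk requires a WriteProcessMemory edge on every parent/child hop, so an ordinary parent that merely launched a browser is not pulled into a finding.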
Downloads

Submitted sample (same hashes as under General)
Filesize: 106KB
MD5: 8d433006b2019b7154b5f7672f1cb441
SHA1: db9e1a79b95b5172bd03c2c18189dbfc8ca76ec8
SHA256: a5d719f883bcc4a729915ef42ab58611f3bfd70d3d7140d402ee618f5e93baaf
SHA512: 7f964b7375d43874e3e5df4d8af8afc504e5b1f75db84f502d3e262a905b31aea75266a4d14c3de0a2f60454ff8f698348a22e199bc4a2ff965441bb69f39cb3