Analysis
max time kernel: 260s
max time network: 123s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 22-02-2024 14:11
Static task: static1 (1 signature)
Behavioral task: behavioral1 (sample DOCS.exe, resource win7-20240220-en, 6 signatures, 150 seconds)
Behavioral task: behavioral2 (sample DOCS.exe, resource win10v2004-20240221-en, 18 signatures, 150 seconds)
General
Target: DOCS.exe
Size: 1.7MB
MD5: 66ee88d4af34d989ba0ed48534667d00
SHA1: 75fdf3a7393982d10fd236bdc328a81fda978bf3
SHA256: efafe5a6bf3f1a5bfb0ca236aaa8347ef8a960a701210dacfaa2c6b4a959ee33
SHA512: 514688f5e6035a6ccb34b2b633c8b3339386d58500b67e7f6987af4da760854b52da60bd8dead34a77ec6892f3b368cb79843a81c72a6126ac0f4ea0675aeec4
SSDEEP: 49152:2uLqn8Y6FlWZ0vH/k3mlXoQq7TuN58di8ewnXZCz:2uZp/k3mlXoQq+N58TXZCz
Score: 10/10
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource | yara_rule
behavioral1/memory/2868-2-0x00000000036D0000-0x00000000046D0000-memory.dmp | modiloader_stage2

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2544 | 2868 | WerFault.exe | 27

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2868 | DOCS.exe
2868 | DOCS.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
2868 | DOCS.exe
2868 | DOCS.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2868 wrote to memory of 2544 | 2868 | DOCS.exe | 28
PID 2868 wrote to memory of 2544 | 2868 | DOCS.exe | 28
PID 2868 wrote to memory of 2544 | 2868 | DOCS.exe | 28
PID 2868 wrote to memory of 2544 | 2868 | DOCS.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\DOCS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\DOCS.exe"
   PID: 2868
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of PID 2868)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 732
      PID: 2544
      - Program crash