Analysis
max time kernel: 140s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26/03/2024, 02:44
Static task: static1
Behavioral task: behavioral1
  Sample: a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe
  Resource: win10v2004-20240226-en
General
Target: a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe
Size: 1.0MB
MD5: 1511c1ff371af5f37e1d5470c1d5caf1
SHA1: 60296d0d34cf13621e5c749ef913c6fc234ee43b
SHA256: a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc
SHA512: fe716743aab089e745e69a30748bc8bf5d5089cd4779c954bf717d76d505b1393429aff757fca7b379f4902f607555958f5046392a5c934c3fa762008551850b
SSDEEP: 24576:+PF6DSSEvVi8ds05OTOfYIOBRaR6URr0GDp6esPEM:+PazuAOfh4RaR6URrNpI
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
resource | yara_rule
behavioral1/memory/2612-2-0x00000000031F0000-0x00000000041F0000-memory.dmp | modiloader_stage2

Program crash (1 IoC)
pid | pid_target | Process | procid_target
3000 | 2612 | WerFault.exe | 27

Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 2612 wrote to memory of 3000 | 2612 | a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe | 28
PID 2612 wrote to memory of 3000 | 2612 | a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe | 28
PID 2612 wrote to memory of 3000 | 2612 | a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe | 28
PID 2612 wrote to memory of 3000 | 2612 | a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe | 28
Processes
- C:\Users\Admin\AppData\Local\Temp\a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a932316f192e4a8d361857aa3555cd6597b96364e9ce1fa379e419b8dd437edc.exe"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2612
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 724
    Signatures: Program crash
    PID: 3000