Analysis
max time kernel: 140s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 19:27
Static task: static1
Behavioral task: behavioral1
  Sample: PI and payment confirmed pdf.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: PI and payment confirmed pdf.exe
  Resource: win10v2004-20240412-en
General
Target: PI and payment confirmed pdf.exe
Size: 1.7MB
MD5: 3d32d7f783925e54c44b19ad8167ae1f
SHA1: 52f65cc9aad1b8add5e9716e0aa75a6acf95c5da
SHA256: 3d3b84fce2eb18eaf184889627e9c4edb37daaa1fd28da7fffacf1869b3db93a
SHA512: 9d647164b3749918afd7bedc9ac92cbe5a9c6222312f02bf547a426ef0194aeef51e6563a7688c391ee215eefffa742b2abab9011e712ddaf4aacfea9b0026bb
SSDEEP: 24576:nwHjAU/NotOHNgMF6iKzAnMWZ9pFH749LgIv0dd87/lpvwHsexpJd3kg4eai:nwx/AiKsd7AZv0bmvwv7jmi
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral1/memory/888-2-0x00000000031B0000-0x00000000041B0000-memory.dmp
  yara_rule: modiloader_stage2

Program crash (1 IoC)
Processes:
  pid: 1412, pid_target: 888, process: WerFault.exe, target process: PI and payment confirmed pdf.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description: PID 888 wrote to memory of 1412, pid: 888, process: PI and payment confirmed pdf.exe, target process: WerFault.exe
  description: PID 888 wrote to memory of 1412, pid: 888, process: PI and payment confirmed pdf.exe, target process: WerFault.exe
  description: PID 888 wrote to memory of 1412, pid: 888, process: PI and payment confirmed pdf.exe, target process: WerFault.exe
  description: PID 888 wrote to memory of 1412, pid: 888, process: PI and payment confirmed pdf.exe, target process: WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\PI and payment confirmed pdf.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 676
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
memory/888-0-0x0000000000230000-0x0000000000231000-memory.dmp, Filesize: 4KB
memory/888-1-0x00000000031B0000-0x00000000041B0000-memory.dmp, Filesize: 16.0MB
memory/888-2-0x00000000031B0000-0x00000000041B0000-memory.dmp, Filesize: 16.0MB
memory/888-4-0x0000000000230000-0x0000000000231000-memory.dmp, Filesize: 4KB
memory/888-5-0x0000000000400000-0x00000000005BC000-memory.dmp, Filesize: 1.7MB