Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21-06-2024 01:27
Static task: static1
Behavioral task: behavioral1
- Sample: 00a73e4c400158b2ba8d4ed4e8a8e67f.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 00a73e4c400158b2ba8d4ed4e8a8e67f.exe
- Resource: win10v2004-20240611-en
General
- Target: 00a73e4c400158b2ba8d4ed4e8a8e67f.exe
- Size: 698KB
- MD5: 00a73e4c400158b2ba8d4ed4e8a8e67f
- SHA1: fc3d64f1354c566e91d02f4e6c73d70c60025146
- SHA256: a73432797d1ccd59095844b1fd6e7ecac6641013ee9503cc0d60dd58711f0008
- SHA512: fb5734903af6078ef39baad55639b77d75db5f7626b3ed9d7575e30ace52d3767159f5201cea0c28dcbd97dbba687cbf6ccaa131e51818ae4bf39da9d96a5420
- SSDEEP: 12288:kccbpSnXCnZ6dPvsOA1hw1dcCU0vvrlaQ4WzE1OnGb3VmVt:vcdHnZ6dPvsOA1y1lbvv5hzE4GLVat
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (1 IoC)
  Resource: behavioral1/memory/2256-3-0x0000000000400000-0x00000000004C4200-memory.dmp
  YARA rule: modiloader_stage2
- Drops file in Program Files directory (1 IoC)
  Process: 00a73e4c400158b2ba8d4ed4e8a8e67f.exe
  Description: File created
  IoC: C:\Program Files\Common Files\Microsoft Shared\MSINFO\SetupWay.TXT
- Suspicious use of WriteProcessMemory (4 IoCs)
  Process: 00a73e4c400158b2ba8d4ed4e8a8e67f.exe
  Description: PID 2256 wrote to memory of PID 1728 (4 events, all identical)
  Source process: 00a73e4c400158b2ba8d4ed4e8a8e67f.exe (PID 2256)
  Target process: IEXPLORE.EXE (PID 1728)
Processes
- C:\Users\Admin\AppData\Local\Temp\00a73e4c400158b2ba8d4ed4e8a8e67f.exe (PID 2256)
  Command line: "C:\Users\Admin\AppData\Local\Temp\00a73e4c400158b2ba8d4ed4e8a8e67f.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of WriteProcessMemory
  - Child: C:\program files\internet explorer\IEXPLORE.EXE (PID 1728)
    Command line: "C:\program files\internet explorer\IEXPLORE.EXE"