Analysis
max time kernel: 135s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-10-2024 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: Swift payment confirmation.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Swift payment confirmation.exe
  Resource: win10v2004-20241007-en
General
Target: Swift payment confirmation.exe
Size: 1009KB
MD5: 92fdcc36be7b26d49f67f2f02fefbf07
SHA1: f84b37ff359f55cdfc1c60a640cc7081b523e5ce
SHA256: 61cf08eac40229e089f7630d5412aa0a8282c01d6348763d92d68e2fcb92e24e
SHA512: 51e32e91a5fa9545abfb822d36d9f5e6613b0a1f6919ffd84748cfd388333ebbb1760b52704fd2c44dd77fab81826e19b25efd260cdf4695b3890f1c8bcc7afb
SSDEEP: 24576:HccTfHWId4iO+0SvkMVIDT8Jf3pbV13Jks:H3VHVI8t5X
Malware Config
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
ModiLoader Second Stage 61 IoCs
Processes:
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Swift payment confirmation.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SndVol.exe
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 27 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | Process
1220 | Swift payment confirmation.exe
1220 | Swift payment confirmation.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | Process
1448 | SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid | Process
1448 | SndVol.exe
1448 | SndVol.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | Process | procid_target
PID 1220 wrote to memory of 1448 | 1220 | Swift payment confirmation.exe | 94
PID 1220 wrote to memory of 1448 | 1220 | Swift payment confirmation.exe | 94
PID 1220 wrote to memory of 1448 | 1220 | Swift payment confirmation.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\Swift payment confirmation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Swift payment confirmation.exe"
  PID: 1220
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\SndVol.exe
    Command line: C:\Windows\System32\SndVol.exe
    PID: 1448
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage