Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 31-10-2024 09:37
Static task: static1
Behavioral task: behavioral1
- Sample: ORDERREF47806798PSMCO.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ORDERREF47806798PSMCO.exe
- Resource: win10v2004-20241007-en
General
- Target: ORDERREF47806798PSMCO.exe
- Size: 1.0MB
- MD5: 0c30c6e44c595afef7d8e5209e6c21cd
- SHA1: 9ad384a291bcb187a770826c9b4524ded9d4ce33
- SHA256: 76af8cf5846c6addfc9049cde063bbee8c0353bc0870c5080ad37a41a9aab1a3
- SHA512: 2ecd6746865cb88457f3e60445fbb5a790a9df84ca1d00acdd5124eea986e17e61d2dbe6b236d7b40691c7ff3a2f473508bb7b4299575b14b6124e64b905d543
- SSDEEP: 24576:ZVb5KPAdOzVmG3zd+eIDT8Jf3pbV13Jks:ZVhOhd+eI8t5X
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a Delphi-written loader that abuses public cloud services to download and stage other malware families. In this run no Malware Config was extracted and the only child process is the WerFault.exe crash handler, so the payload the loader would have fetched is not identified in this report. All signature hits below come from task behavioral1 (win7-20240903-en).
-
Modiloader family
-
ModiLoader Second Stage 61 IoCs
Processes:
resource | yara_rule
All 61 hits are memory dumps of PID 2568 (ORDERREF47806798PSMCO.exe) from task behavioral1 covering the same 16 MiB region 0x0000000003290000-0x0000000004290000, each matching rule modiloader_stage2. The resource names follow the pattern behavioral1/memory/2568-<N>-0x0000000003290000-0x0000000004290000-memory.dmp with N in:
2, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 44, 45, 47, 48, 50, 51, 53, 54, 55, 57, 58, 60, 61, 64, 65, 67, 68, 70, 71, 73, 74, 76, 78, 79
The count reflects repeated snapshots of one region over the run, not 61 distinct artifacts; the region itself (a single large allocation in the loader's own process) is the useful indicator. -
Program crash 1 IoCs
Processes:
WerFault.exe
pid | pid_target | Process | procid_target
2292 | 2568 | WerFault.exe | 29
The handler runs from C:\Windows\SysWOW64, which is the WerFault.exe used for crashes of 32-bit processes on x64 Windows; this is consistent with the arch:x86 resource tag and with a Delphi-built loader. -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ORDERREF47806798PSMCO.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ORDERREF47806798PSMCO.exe
Opening this key is also a side effect of ordinary locale-related Win32 calls, so on its own it is a weak indicator; it is only meaningful in combination with the other signatures. -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ORDERREF47806798PSMCO.exe
description | pid | Process | procid_target
PID 2568 wrote to memory of 2292 | 2568 | ORDERREF47806798PSMCO.exe | 31
PID 2568 wrote to memory of 2292 | 2568 | ORDERREF47806798PSMCO.exe | 31
PID 2568 wrote to memory of 2292 | 2568 | ORDERREF47806798PSMCO.exe | 31
PID 2568 wrote to memory of 2292 | 2568 | ORDERREF47806798PSMCO.exe | 31
Caveat: target PID 2292 is the WerFault.exe instance launched for the sample's own crash (WerFault.exe -u -p 2568 -s 684 in the process tree). Writes from a crashing process into its WerFault handler are part of the Windows Error Reporting crash handshake, not injection into an unrelated process. These entries therefore do not evidence payload injection into a third process; the run crashed before that stage.
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe (PID 2568, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (PID 2292, depth 2, child of 2568)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 684
    - Program crash
-
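As an added example (not part of the sandbox report or its tooling), the following Python script applies two checks a triage analyst would run over this report's IoC lines: it collapses the per-dump YARA hits into the single memory region they all describe, and it classifies each WriteProcessMemory pair against the process tree so that a write into the WerFault.exe handling the writer's own crash is separated from a genuine cross-process write. The input lines are excerpted from this report (trimmed to three of the 61 memory dumps); the PROCESSES table, the function names and the verdict labels are this example's own assumptions.

```python
import re
from collections import Counter

# Excerpt of the report's behavioral1 memory-dump IoC lines (3 of the 61; the other
# 58 differ only in the dump index). Constructed input for this example.
MEMORY_IOCS = """
behavioral1/memory/2568-2-0x0000000003290000-0x0000000004290000-memory.dmp modiloader_stage2
behavioral1/memory/2568-7-0x0000000003290000-0x0000000004290000-memory.dmp modiloader_stage2
behavioral1/memory/2568-79-0x0000000003290000-0x0000000004290000-memory.dmp modiloader_stage2
"""

# WriteProcessMemory IoC lines as they appear in the report (all four are identical).
WPM_IOCS = """
PID 2568 wrote to memory of 2292 2568 ORDERREF47806798PSMCO.exe 31
PID 2568 wrote to memory of 2292 2568 ORDERREF47806798PSMCO.exe 31
PID 2568 wrote to memory of 2292 2568 ORDERREF47806798PSMCO.exe 31
PID 2568 wrote to memory of 2292 2568 ORDERREF47806798PSMCO.exe 31
"""

# Process table built from the report's process tree: pid -> (image name, command line).
# Hypothetical structure chosen for this example.
PROCESSES = {
    2568: ("ORDERREF47806798PSMCO.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\ORDERREF47806798PSMCO.exe"'),
    2292: ("WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 684"),
}

DUMP_RE = re.compile(
    r"(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)"
)
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)")


def parse_memory_iocs(text):
    """Turn each '<task>/memory/<pid>-<idx>-<start>-<end>-memory.dmp <rule>' line into a dict."""
    return [
        {
            "task": m["task"],
            "pid": int(m["pid"]),
            "idx": int(m["idx"]),
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "rule": m["rule"],
        }
        for m in DUMP_RE.finditer(text)
    ]


def summarize_regions(hits):
    """Collapse per-dump hits into one row per (pid, region, rule). The region is the
    indicator; the dump count only says how many snapshots of it were taken."""
    counts = Counter((h["pid"], h["start"], h["end"], h["rule"]) for h in hits)
    return [
        {"pid": pid, "start": start, "end": end, "rule": rule,
         "size": end - start, "dumps": n}
        for (pid, start, end, rule), n in sorted(counts.items())
    ]


def classify_write(src, dst, processes):
    """A write into a WerFault.exe whose '-p <pid>' names the writer is the WER crash
    handshake for the writer's own crash; anything else is a real cross-process write."""
    image, cmdline = processes.get(dst, ("", ""))
    if image.lower() == "werfault.exe":
        m = re.search(r"-p (\d+)", cmdline)
        if m and int(m.group(1)) == src:
            return "wer_crash_handshake"
    return "cross_process_write"


def triage_writes(text, processes):
    """Deduplicate 'PID A wrote to memory of B' lines and classify each (A, B) pair."""
    pairs = []
    for m in WPM_RE.finditer(text):
        pair = (int(m["src"]), int(m["dst"]))
        if pair not in pairs:
            pairs.append(pair)
    return [(src, dst, classify_write(src, dst, processes)) for src, dst in pairs]


if __name__ == "__main__":
    for row in summarize_regions(parse_memory_iocs(MEMORY_IOCS)):
        print(f"pid {row['pid']}: {row['rule']} in 0x{row['start']:x}-0x{row['end']:x} "
              f"({row['size'] // 2**20} MiB, {row['dumps']} dumps)")
    for src, dst, verdict in triage_writes(WPM_IOCS, PROCESSES):
        print(f"{src} -> {dst}: {verdict}")
```

Run against the full 61-line list the first loop still yields a single row (PID 2568, 0x3290000-0x4290000, 16 MiB), and the second reduces the four identical WriteProcessMemory entries to one pair classified as the WER handshake. Swapping the target for any PID not in the WerFault role, or a WerFault.exe whose -p value is a different process, flips the verdict to cross_process_write, which is the case that would warrant a closer look.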