Analysis
max time kernel: 120s
max time network: 127s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 20-11-2024 01:29
Static task
static1
Behavioral task
behavioral1
Sample
bfa4be68ef1e15a7482b9626b86d0f8febc7447847bde94e9bd4381e50ec4f54.vbs
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bfa4be68ef1e15a7482b9626b86d0f8febc7447847bde94e9bd4381e50ec4f54.vbs
Resource
win10v2004-20241007-en
General
Target: bfa4be68ef1e15a7482b9626b86d0f8febc7447847bde94e9bd4381e50ec4f54.vbs
Size: 1.3MB
MD5: c680c1fedc4beb93fe7bd21b677a0b62
SHA1: 12c81e5f1b2b0fa156abd300fbb7ec244faab055
SHA256: bfa4be68ef1e15a7482b9626b86d0f8febc7447847bde94e9bd4381e50ec4f54
SHA512: 7eecc96e5f74ab03ba2e9566a25bf75e315ab4c7d50a01ffd2b98db251740c4b60cfe46ae1033075bcfc67fd3acb5038bf21cf3b4edfc0058da47eb661dd1adf
SSDEEP: 24576:WsVJZ8xRjK2rYoOPFe9nuBllKzEUj4YbTyfl1rJjtpyso5AjtagDc:tUDrYo4fllKHa/Bcgg
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Modiloader family
-
ModiLoader Second Stage 61 IoCs
Executes dropped EXE 1 IoCs
pid Process
2540 x.exe
Loads dropped DLL 3 IoCs
pid Process
1488 WerFault.exe
1488 WerFault.exe
1488 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
1488 2540 WerFault.exe 30
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language x.exe
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 3056 wrote to memory of 2540 3056 WScript.exe 30
PID 3056 wrote to memory of 2540 3056 WScript.exe 30
PID 3056 wrote to memory of 2540 3056 WScript.exe 30
PID 3056 wrote to memory of 2540 3056 WScript.exe 30
PID 2540 wrote to memory of 1488 2540 x.exe 32
PID 2540 wrote to memory of 1488 2540 x.exe 32
PID 2540 wrote to memory of 1488 2540 x.exe 32
PID 2540 wrote to memory of 1488 2540 x.exe 32
Processes
C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfa4be68ef1e15a7482b9626b86d0f8febc7447847bde94e9bd4381e50ec4f54.vbs"
  PID: 3056
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\x.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\x.exe"
    PID: 2540
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 720
      PID: 1488
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.0MB
MD5: 59ba0cc1d18d4b34451886be40191d84
SHA1: cb5189f74590cb8f61def1c8020e902af5e17752
SHA256: 4f44dfc9d6bb49aca862ee705b56a567e227462594c56a2cacb8135dbf370777
SHA512: d140683734ae115eb4dea4d5fe14471f4cd51b5d25e120ccbd9d74c3607003751789b6cd63bc5a104de0acf4e2c9eb699469d5e56ebbbc6906f999eb2e4e72e5