Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 24-12-2024 15:08
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: Inv26619,pdf.exe; resource: win7-20240903-en)
- Behavioral task: behavioral2 (sample: Inv26619,pdf.exe; resource: win10v2004-20241007-en)
General
- Target: Inv26619,pdf.exe
- Size: 1.0MB
- MD5: fd9e9a423b59e4e4261163b9cf69df3f
- SHA1: 280bc3a0c0f8ea0e9784830a4d85fa87549195f8
- SHA256: f1721957f855e471c1ed489ed14a6ac5d74b532c3dee995ecc8e022a12102546
- SHA512: 42b71c54316a1c3ca908c18593161db1862faefbbfa69631008924319ea2c5d0f29e6252dfe78a357caf1f76516422dfbc876ced96d63b50c6eb31ce6b712dbe
- SSDEEP: 12288:nVCTeZF541To2ztd5/IEAHqDPD3PDQnA/g07SVllMweV+8YZqckawUNlY7RA5aR:nVCCa1Rzt0EAHqf36EFAKlujY/
Malware Config
- Extracted: modiloader
- URL: https://cdn.discordapp.com/attachments/747123935576981508/770142837190033429/Tjwtaaa
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Modiloader family
- ModiLoader First Stage (1 IoC)
  yara_rule: modiloader_stage1; resource: behavioral1/memory/2072-4-0x00000000005D0000-0x000000000060A000-memory.dmp
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  flow: 2; ioc: discord.com
- Program crash (1 IoC)
  pid: 2732; pid_target: 2072; Process: WerFault.exe; procid_target: 30
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: Inv26619,pdf.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2072 wrote to memory of 2732; pid: 2072; Process: Inv26619,pdf.exe; procid_target: 32 (the same entry is reported 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Inv26619,pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inv26619,pdf.exe"
  PID: 2072
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1448
    PID: 2732
    Signatures: Program crash