Analysis
-
max time kernel
148s -
max time network
134s -
platform
windows10_x64 -
resource
win10 -
submitted
21-08-2020 08:34
Static task
static1
Behavioral task
behavioral1
Sample
Angebot bestellen.exe
Resource
win7
Behavioral task
behavioral2
Sample
Angebot bestellen.exe
Resource
win10
General
-
Target
Angebot bestellen.exe
-
Size
1.7MB
-
MD5
32165a044899184c6231b9a194d729e3
-
SHA1
2b1b1e1ef64c1e150ba43d8fb4d59ae9fd74e68e
-
SHA256
0823db6cc251f5500ccb441b6751132721b188a9b622d6fa859ee37149bff324
-
SHA512
cfd478382375a07d298d12775e7e66b3efbee9d5736f735e830e14520ece1b2215b3e2e392ad27a291bd2720981183cde40ef87af07f946dcba894286b7b75c7
Malware Config
Extracted
formbook
http://www.joomlas123.info/n7ak/
audereventur.com
huro14.com
wwwjinsha155.com
antiquevendor.com
samuraisoulfood.net
traffic4updates.download
hypersarv.com
rapport-happy-wedding.com
rokutechnosupport.online
allworljob.com
hanaleedossmann.com
kauai-marathon.com
bepbosch.com
kangen-international.com
zoneshopemenowz.com
belviderewrestling.com
ipllink.com
sellingforcreators.com
wwwswty6655.com
qtumboa.com
bazarmoney.net
librosdecienciaficcion.com
shopmomsthebomb.com
vanjacob.com
tgyaa.com
theporncollective.net
hydrabadproperties.com
brindesecologicos.com
sayagayrimenkul.net
4btoken.com
shycedu.com
overall789.top
maison-pierre-bayle.com
elitemediamasters.com
sharmasfabrics.com
hoshamp.com
myultimateleadgenerator.com
office4u.info
thaimart1.com
ultimatewindowusa.com
twoblazesartworks.com
airteloffer.com
shoupaizhao.com
741dakotadr.info
books4arab.net
artedelcioccolato.biz
tjqcu.info
teccoop.net
maturebridesdressguide.com
excelcapfunding.com
bitcoinak.com
profileorderflow.com
unbelievabowboutique.com
midlandshomesolutionsltd.com
healthywithhook.com
stirlingpiper.com
manfast.online
arikorin.com
texastrustedinsurance.com
moodandmystery.com
yh77808.com
s-immotanger.com
runzexd.com
meteoannecy.net
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook Payload 4 IoCs
resource yara_rule behavioral2/memory/2896-2-0x0000000010410000-0x000000001043D000-memory.dmp formbook behavioral2/memory/2896-2-0x0000000010410000-0x000000001043D000-memory.dmp formbook behavioral2/memory/3856-3-0x0000000000000000-mapping.dmp formbook behavioral2/memory/3776-4-0x0000000000000000-mapping.dmp formbook -
ModiLoader First Stage 2 IoCs
resource yara_rule behavioral2/memory/2896-0-0x0000000002370000-0x0000000002399000-memory.dmp modiloader_stage1 behavioral2/memory/2896-0-0x0000000002370000-0x0000000002399000-memory.dmp modiloader_stage1 -
ModiLoader Second Stage 2 IoCs
resource yara_rule behavioral2/memory/2896-1-0x0000000004CF0000-0x0000000004D50000-memory.dmp modiloader_stage2 behavioral2/memory/2896-1-0x0000000004CF0000-0x0000000004D50000-memory.dmp modiloader_stage2 -
Adds policy Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run cmstp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XFRLG6 = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" cmstp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Key created \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmstp.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 3856 set thread context of 2984 3856 ieinstal.exe 56 PID 3776 set thread context of 2984 3776 cmstp.exe 56 -
description ioc Process Key created \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmstp.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Angebot bestellen.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b0601050507030353000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Angebot bestellen.exe -
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 3856 ieinstal.exe 3856 ieinstal.exe 3856 ieinstal.exe 3856 ieinstal.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe -
Suspicious behavior: MapViewOfSection 7 IoCs
pid Process 3856 ieinstal.exe 3856 ieinstal.exe 3856 ieinstal.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe 3776 cmstp.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 3856 ieinstal.exe Token: SeDebugPrivilege 3776 cmstp.exe Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE Token: SeShutdownPrivilege 2984 Explorer.EXE Token: SeCreatePagefilePrivilege 2984 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2896 wrote to memory of 3856 2896 Angebot bestellen.exe 67 PID 2896 wrote to memory of 3856 2896 Angebot bestellen.exe 67 PID 2896 wrote to memory of 3856 2896 Angebot bestellen.exe 67 PID 2896 wrote to memory of 3856 2896 Angebot bestellen.exe 67 PID 2896 wrote to memory of 3856 2896 Angebot bestellen.exe 67 PID 2896 wrote to memory of 3856 2896 Angebot bestellen.exe 67 PID 2984 wrote to memory of 3776 2984 Explorer.EXE 68 PID 2984 wrote to memory of 3776 2984 Explorer.EXE 68 PID 2984 wrote to memory of 3776 2984 Explorer.EXE 68 PID 3776 wrote to memory of 1800 3776 cmstp.exe 69 PID 3776 wrote to memory of 1800 3776 cmstp.exe 69 PID 3776 wrote to memory of 1800 3776 cmstp.exe 69 PID 3776 wrote to memory of 3772 3776 cmstp.exe 71 PID 3776 wrote to memory of 3772 3776 cmstp.exe 71 PID 3776 wrote to memory of 3772 3776 cmstp.exe 71
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\Angebot bestellen.exe"C:\Users\Admin\AppData\Local\Temp\Angebot bestellen.exe"2⤵
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3856
-
-
-
C:\Windows\SysWOW64\cmstp.exe"C:\Windows\SysWOW64\cmstp.exe"2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵PID:1800
-
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵PID:3772
-
-