Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 29-04-2021 15:04
Static task: static1
Behavioral task: behavioral1
Sample: 7824,pdf.exe
Resource: win7v20210410
General
- Target: 7824,pdf.exe
- Size: 827KB
- MD5: b4ad29571c52c8c83925161e36f076f5
- SHA1: 379f84acd12f61dbfdbc560fe86206c7366893a9
- SHA256: 5acfc6aa1ccbdc619df590b1b8092e0c1687558b7f01a7015a20d2a146e60a7f
- SHA512: 5b4fa3fa489fb014af8320cfb391c4e84b08ab3ebafeacafc031a3d316a863034d7eddafb6d2215dcc3c0f0edead0a7c32ab9285345b1ff03acebd2afae9711f
Malware Config
Extracted: xloader 2.3
- http://www.werealestatephotography.com/hw6d/
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/616-65-0x0000000000000000-mapping.dmp | xloader
  behavioral1/memory/616-67-0x0000000010410000-0x0000000010439000-memory.dmp | xloader
  behavioral1/memory/268-73-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: NETSTAT.EXE
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NETSTAT.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\9RL8KTLH6NNL = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | NETSTAT.EXE
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: NETSTAT.EXE
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | NETSTAT.EXE
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: ieinstal.exe, NETSTAT.EXE
  description | pid | process | target process
  PID 616 set thread context of 1204 | 616 | ieinstal.exe | Explorer.EXE
  PID 268 set thread context of 1204 | 268 | NETSTAT.EXE | Explorer.EXE
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes: NETSTAT.EXE
  pid | process
  268 | NETSTAT.EXE
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: ieinstal.exe, NETSTAT.EXE
  pid | process
  616 | ieinstal.exe (2 entries)
  268 | NETSTAT.EXE (remaining 23 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: ieinstal.exe, NETSTAT.EXE
  pid | process
  616 | ieinstal.exe (3 entries)
  268 | NETSTAT.EXE (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ieinstal.exe, NETSTAT.EXE
  description | pid | process
  Token: SeDebugPrivilege | 616 | ieinstal.exe
  Token: SeDebugPrivilege | 268 | NETSTAT.EXE
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: Explorer.EXE
  pid | process
  1204 | Explorer.EXE (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
  pid | process
  1204 | Explorer.EXE (4 entries)
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 7824,pdf.exe, Explorer.EXE
  description | pid | process | target process
  PID 788 wrote to memory of 616 | 788 | 7824,pdf.exe | ieinstal.exe (10 entries)
  PID 1204 wrote to memory of 268 | 1204 | Explorer.EXE | NETSTAT.EXE (4 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\7824,pdf.exe (depth 2)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7824,pdf.exe"
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\internet explorer\ieinstal.exe (depth 3)
  Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
  Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
  - Adds policy Run key to start application
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/268-71-0x0000000000000000-mapping.dmp
- memory/268-75-0x0000000001D70000-0x0000000001DFF000-memory.dmp (Filesize: 572KB)
- memory/268-74-0x0000000002040000-0x0000000002343000-memory.dmp (Filesize: 3.0MB)
- memory/268-73-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize: 164KB)
- memory/268-72-0x0000000000200000-0x0000000000209000-memory.dmp (Filesize: 36KB)
- memory/616-65-0x0000000000000000-mapping.dmp
- memory/616-68-0x00000000020B0000-0x00000000023B3000-memory.dmp (Filesize: 3.0MB)
- memory/616-69-0x0000000000180000-0x0000000000190000-memory.dmp (Filesize: 64KB)
- memory/616-67-0x0000000010410000-0x0000000010439000-memory.dmp (Filesize: 164KB)
- memory/616-66-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
- memory/788-59-0x0000000075551000-0x0000000075553000-memory.dmp (Filesize: 8KB)
- memory/788-62-0x00000000005E0000-0x00000000005FA000-memory.dmp (Filesize: 104KB)
- memory/788-60-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize: 4KB)
- memory/1204-70-0x0000000006420000-0x0000000006595000-memory.dmp (Filesize: 1.5MB)
- memory/1204-76-0x0000000006ED0000-0x0000000006FDE000-memory.dmp (Filesize: 1.1MB)