Analysis
- max time kernel: 149s
- max time network: 177s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 27-07-2021 16:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: 18e38eae3d407418b879271c9b5736bd.exe
- Resource: win7v20210408
General
- Target: 18e38eae3d407418b879271c9b5736bd.exe
- Size: 664KB
- MD5: 18e38eae3d407418b879271c9b5736bd
- SHA1: 922687da4673862f203b62884ac6a2cfb49790d3
- SHA256: 38ba862149962bc5a10825a2b818391624cda439fcb3f6212b75d84eeeb4f70c
- SHA512: 2ece524bd152c58d42cc12331f218abb5f60f3e4a9d41e7927d2e76d72a07061aa07fb18d90d329a072734bf39334171ec16e2ba0005f468f8b27a14269a71c9
Malware Config
- Extracted: xloader
- Version: 2.3
- C2 URL: http://www.naturalresourcesmgt.com/bsk9/
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1636-61-0x0000000000000000-mapping.dmp | xloader
  behavioral1/memory/1636-63-0x0000000010410000-0x0000000010438000-memory.dmp | xloader
  behavioral1/memory/1872-69-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader
- Adds policy Run key to start application (2 TTPs, 1 IoC)
  Processes: netsh.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | netsh.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: netsh.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | netsh.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\YNE8IXJ0ANY = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | netsh.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: ieinstal.exe, netsh.exe
  description | pid | process | target process
  PID 1636 set thread context of 1208 | 1636 | ieinstal.exe | Explorer.EXE
  PID 1872 set thread context of 1208 | 1872 | netsh.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes: ieinstal.exe, netsh.exe
  pid | process | occurrences
  1636 | ieinstal.exe | 2
  1872 | netsh.exe | 23
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: ieinstal.exe, netsh.exe
  pid | process | occurrences
  1636 | ieinstal.exe | 3
  1872 | netsh.exe | 2
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ieinstal.exe, netsh.exe
  description | pid | process
  Token: SeDebugPrivilege | 1636 | ieinstal.exe
  Token: SeDebugPrivilege | 1872 | netsh.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: Explorer.EXE
  pid | process | occurrences
  1208 | Explorer.EXE | 4
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
  pid | process | occurrences
  1208 | Explorer.EXE | 4
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: 18e38eae3d407418b879271c9b5736bd.exe, Explorer.EXE
  description | pid | process | target process | occurrences
  PID 1652 wrote to memory of 1636 | 1652 | 18e38eae3d407418b879271c9b5736bd.exe | ieinstal.exe | 10
  PID 1208 wrote to memory of 1872 | 1208 | Explorer.EXE | netsh.exe | 4
Processes
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\18e38eae3d407418b879271c9b5736bd.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\18e38eae3d407418b879271c9b5736bd.exe"
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\internet explorer\ieinstal.exe (depth 3)
      command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe (depth 2)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1208-66-0x0000000007340000-0x00000000074CD000-memory.dmp (Filesize: 1.6MB)
- memory/1208-72-0x0000000003D40000-0x0000000003E74000-memory.dmp (Filesize: 1.2MB)
- memory/1636-62-0x00000000000A0000-0x00000000000A1000-memory.dmp (Filesize: 4KB)
- memory/1636-64-0x0000000000CB0000-0x0000000000FB3000-memory.dmp (Filesize: 3.0MB)
- memory/1636-63-0x0000000010410000-0x0000000010438000-memory.dmp (Filesize: 160KB)
- memory/1636-65-0x0000000000240000-0x0000000000250000-memory.dmp (Filesize: 64KB)
- memory/1636-61-0x0000000000000000-mapping.dmp
- memory/1652-59-0x0000000000230000-0x0000000000231000-memory.dmp (Filesize: 4KB)
- memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp (Filesize: 8KB)
- memory/1872-67-0x0000000000000000-mapping.dmp
- memory/1872-69-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize: 160KB)
- memory/1872-68-0x0000000001240000-0x000000000125B000-memory.dmp (Filesize: 108KB)
- memory/1872-70-0x0000000000C30000-0x0000000000F33000-memory.dmp (Filesize: 3.0MB)
- memory/1872-71-0x0000000000520000-0x00000000005AF000-memory.dmp (Filesize: 572KB)