Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 28-09-2021 12:45
- Static task: static1
- Behavioral task: behavioral1 (Sample: BL.exe, Resource: win7v20210408)
- Behavioral task: behavioral2 (Sample: BL.exe, Resource: win10-en-20210920)
General
- Target: BL.exe
- Size: 807KB
- MD5: 655d846a65b27c02ed505b03a4c3bb5c
- SHA1: 9b0861b0e816878ba0293cbe7c2838ed6f1ab98b
- SHA256: c6abf1c546a9bd38b2e156da3b3d13388a3f81cf1955f85f76792c6193e144a6
- SHA512: 0ce9e954e41771c8ee9d982798d659ac73e9880aa887541348e70ae9a4a880163145b1c3e1650f99a8e1ebb8b0177cb7ffab0daa41027a4dffeca5e0a4534bda
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: angp
- C2: http://www.cartoonuniversetr.com/angp/
- Decoy domains:
up24az.com
zeroveom.com
1digitalventures.com
forddongsaigon.com
ryota-mizusawa.com
quick-1k.com
startprofitsonline.com
thumbaycomforts.com
wigholes.website
makhariskloset.com
laranabcn.com
unseen.observer
multipliii.com
smartpod.tech
lightparis.com
reddetenis.com
forprosperliving.group
growingequityfund.com
youbuzc.com
kompromat.global
tvanchieta.com
zusbre.com
beijingban2.icu
beautybrowpen.com
broadwayvapeshops.com
securaproperty.com
398-genda.icu
karate-club-arbent.com
walkietalkiesforkids.com
watsonplumbingheating.com
automationagility.com
agaverealestateteam.com
thereprezentant.com
shrivastavwebsolutions.com
hydets.xyz
little-monsters.info
amorabeautygh.com
kuberabettingtip.com
cervezamaracaibo.com
diyblogphotos.com
upscalejob.com
osti-slim-001.host
tmcb2b.com
stuartdio.com
redemptionstorychurch.com
okinfocenter.com
activatemymind.com
dnadropnutrition.com
pietermaritzburgpower.com
fjxwddz.com
youngindwon.com
neworleanshemorrhoidcenter.com
blunss.info
thereglo.com
greeenshootsproductions.com
missasiasanfrancisco.com
oparinia.com
metroimportadores.com
thepremiumfreight.com
themodernthali.com
compallowshop.com
korsandroid.com
saqtrading.com
zhuanzhuana.club
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 hits)
-
Xloader Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/2788-119-0x0000000000000000-mapping.dmp | xloader
  behavioral2/memory/2788-121-0x0000000010410000-0x0000000010439000-memory.dmp | xloader
  behavioral2/memory/3776-127-0x0000000000980000-0x00000000009A9000-memory.dmp | xloader
-
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: rundll32.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ZHG48T18OB = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | rundll32.exe
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: rundll32.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | rundll32.exe
-
Suspicious use of SetThreadContext (2 IoCs)
Processes: ieinstal.exe, rundll32.exe
  description | pid | process | target pid | target process
  set thread context | 2788 | ieinstal.exe | 3040 | Explorer.EXE
  set thread context | 3776 | rundll32.exe | 3040 | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes: ieinstal.exe, rundll32.exe
  pid | process | hits
  2788 | ieinstal.exe | 4
  3776 | rundll32.exe | 52
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
  pid | process
  3040 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: ieinstal.exe, rundll32.exe
  pid | process | hits
  2788 | ieinstal.exe | 3
  3776 | rundll32.exe | 2
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: ieinstal.exe, rundll32.exe
  description | pid | process
  Token: SeDebugPrivilege | 2788 | ieinstal.exe
  Token: SeDebugPrivilege | 3776 | rundll32.exe
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: BL.exe, Explorer.EXE
  description | pid | process | target pid | target process | hits
  wrote to memory of | 2276 | BL.exe | 2788 | ieinstal.exe | 6
  wrote to memory of | 3040 | Explorer.EXE | 3776 | rundll32.exe | 3
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\BL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\BL.exe"
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2276-115-0x0000000002220000-0x0000000002221000-memory.dmp (Filesize: 4KB)
- memory/2788-119-0x0000000000000000-mapping.dmp
- memory/2788-121-0x0000000010410000-0x0000000010439000-memory.dmp (Filesize: 164KB)
- memory/2788-120-0x00000000009E0000-0x00000000009E1000-memory.dmp (Filesize: 4KB)
- memory/2788-122-0x00000000044F0000-0x0000000004810000-memory.dmp (Filesize: 3.1MB)
- memory/2788-123-0x0000000000EB0000-0x0000000000EC0000-memory.dmp (Filesize: 64KB)
- memory/3040-124-0x0000000006920000-0x0000000006A31000-memory.dmp (Filesize: 1.1MB)
- memory/3040-130-0x0000000002C40000-0x0000000002D2B000-memory.dmp (Filesize: 940KB)
- memory/3776-125-0x0000000000000000-mapping.dmp
- memory/3776-126-0x0000000000A60000-0x0000000000A73000-memory.dmp (Filesize: 76KB)
- memory/3776-127-0x0000000000980000-0x00000000009A9000-memory.dmp (Filesize: 164KB)
- memory/3776-128-0x0000000004B60000-0x0000000004E80000-memory.dmp (Filesize: 3.1MB)
- memory/3776-129-0x0000000004920000-0x00000000049AF000-memory.dmp (Filesize: 572KB)