Analysis
Max time kernel: 146s
Max time network: 150s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 11/01/2022, 16:21
Static task: static1
Behavioral task: behavioral1
  Sample: f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll
  Resource: win10-en-20211208
General
Target: f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll
Size: 269KB
MD5: 2a4b62f495027dfb6f7549ca7ed7f47b
SHA1: 47f6c5aea3b9724f143125f97bf9e8b72faf1a38
SHA256: f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f
SHA512: cc56c0448a138eca87a7fdce1cef67932ff868ea31ead0e342d3f265f92f4b9f91023d3fc01f7123149be469ccbaa2f2fdef950f9336557956ef10b4f36e4f9f
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: n8rn
Domains (as extracted from the config):
jlvip1066.com
gconsultingfirm.com
foundergomwef.xyz
bredaslo.com
ethereumpets.com
buddymerrillmusic.com
archdeylemmergay.com
particulares-es.icu
gb2022-club.com
babypasal.com
mlikew.com
mskindi.com
securewalletvalidate.com
billstrasse24.com
ritebet388.com
nuhive.net
nekomediphile.com
jaynelsonphotog.com
writerpilotpublishing.store
taquerialoteria.com
feetlover.online
buychryslers.com
duyol.com
theeppunday.com
slayfearlessly.com
padelthiene.com
falcongroupmanagement.com
security-paiemet.com
disfagiaresidencias.com
ragworkhouse.com
smplkindness.com
dartsearchengine.com
rapibest.com
lab-design.online
soflovrlnd.com
pandawan.club
purifybrush.com
grantopwincup.website
zenholisticstores.com
nomarcapital.com
thoughtultracruel.quest
excellentdefence.com
phillystore.net
egregore.club
waysgaming.com
boliden-ab.com
faxedfumnook.com
ecobook.club
ff4c75x4e.xyz
connect01.com
monascake.xyz
balaga-vacances.com
prill.quest
princessbuilt.com
islandresiliency.com
dimcreadev.tech
bspcanadaconnects.com
hotgurlmarket.com
spendbrasiltimebest.com
newelectricways.com
counterpokemon.com
beyerenterprisestreeservice.com
phorganicfoods.com
hermespros.com
mgav26.xyz
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 hits)

ModiLoader Second Stage (1 IoC)
resource: behavioral1/memory/1612-56-0x00000000001A0000-0x00000000001E8000-memory.dmp  yara_rule: modiloader_stage2

Xloader Payload (2 IoCs)
resource: behavioral1/memory/832-73-0x0000000072480000-0x00000000724AA000-memory.dmp  yara_rule: xloader
resource: behavioral1/memory/1072-80-0x0000000000090000-0x00000000000B9000-memory.dmp  yara_rule: xloader

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wbjhzk = "C:\\Users\\Public\\Libraries\\\\kzhjbW.url"
Process: rundll32.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 832 set thread context of 1228 | 832 | mobsync.exe | 13
PID 1072 set thread context of 1228 | 1072 | cmstp.exe | 13

Modifies registry key (1 TTP, 3 IoCs)
pid | Process
980 | reg.exe
1900 | reg.exe
1040 | reg.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | Process | hits
832 | mobsync.exe | 2
1072 | cmstp.exe | 29

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1228 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | Process | hits
832 | mobsync.exe | 3
1072 | cmstp.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 832 | mobsync.exe
Token: SeDebugPrivilege | 1072 | cmstp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process | hits
1228 | Explorer.EXE | 2

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process | hits
1228 | Explorer.EXE | 2

Suspicious use of WriteProcessMemory (49 IoCs)
description | pid | Process | procid_target | hits
PID 1660 wrote to memory of 1612 | 1660 | rundll32.exe | 27 | 7
PID 1612 wrote to memory of 832 | 1612 | rundll32.exe | 28 | 7
PID 1612 wrote to memory of 268 | 1612 | rundll32.exe | 29 | 4
PID 268 wrote to memory of 1036 | 268 | cmd.exe | 31 | 4
PID 1036 wrote to memory of 980 | 1036 | cmd.exe | 33 | 4
PID 1036 wrote to memory of 1900 | 1036 | cmd.exe | 34 | 4
PID 1036 wrote to memory of 1972 | 1036 | cmd.exe | 35 | 4
PID 1228 wrote to memory of 1072 | 1228 | Explorer.EXE | 41 | 7
PID 1612 wrote to memory of 1548 | 1612 | rundll32.exe | 42 | 4
PID 1548 wrote to memory of 1040 | 1548 | cmd.exe | 44 | 4
Processes
(indentation shows process depth; each entry lists image path, PID, command line, and the signatures hit)

C:\Windows\Explorer.EXE (PID 1228)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\rundll32.exe (PID 1660)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 1612)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\mobsync.exe (PID 832)
        Command line: C:\Windows\System32\mobsync.exe
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\cmd.exe (PID 268)
        Command line: cmd /c ""C:\Users\Public\Trast.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1036)
          Command line: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\reg.exe (PID 980)
            Command line: reg delete hkcu\Environment /v windir /f
            - Modifies registry key

          C:\Windows\SysWOW64\reg.exe (PID 1900)
            Command line: reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
            - Modifies registry key

          C:\Windows\SysWOW64\schtasks.exe (PID 1972)
            Command line: schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I

      C:\Windows\SysWOW64\cmd.exe (PID 1548)
        Command line: cmd /c ""C:\Users\Public\nest.bat" "
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\reg.exe (PID 1040)
          Command line: reg delete hkcu\Environment /v windir /f
          - Modifies registry key

  C:\Windows\SysWOW64\autochk.exe (PID 1516)
    Command line: "C:\Windows\SysWOW64\autochk.exe"

  C:\Windows\SysWOW64\autofmt.exe (PID 976)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\autofmt.exe (PID 1872)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\autofmt.exe (PID 396)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\autofmt.exe (PID 820)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"

  C:\Windows\SysWOW64\cmstp.exe (PID 1072)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken