Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-01-2022 16:21

General

  • Target

    f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll

  • Size

    269KB

  • MD5

    2a4b62f495027dfb6f7549ca7ed7f47b

  • SHA1

    47f6c5aea3b9724f143125f97bf9e8b72faf1a38

  • SHA256

    f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f

  • SHA512

    cc56c0448a138eca87a7fdce1cef67932ff868ea31ead0e342d3f265f92f4b9f91023d3fc01f7123149be469ccbaa2f2fdef950f9336557956ef10b4f36e4f9f

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

n8rn

Decoy

jlvip1066.com

gconsultingfirm.com

foundergomwef.xyz

bredaslo.com

ethereumpets.com

buddymerrillmusic.com

archdeylemmergay.com

particulares-es.icu

gb2022-club.com

babypasal.com

mlikew.com

mskindi.com

securewalletvalidate.com

billstrasse24.com

ritebet388.com

nuhive.net

nekomediphile.com

jaynelsonphotog.com

writerpilotpublishing.store

taquerialoteria.com

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • ModiLoader Second Stage 1 IoCs
  • Xloader Payload 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies registry key 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:396
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8fc925d89baa140c9cb436f158ec91209789e9f8e82a0b7252f05587ce8e06f.bin.dll,#1
        3⤵
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3408
        • C:\Windows\SysWOW64\DpiScaling.exe
          C:\Windows\System32\DpiScaling.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Trast.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4040
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              6⤵
              • Modifies registry key
              PID:4312
            • C:\Windows\SysWOW64\reg.exe
              reg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "
              6⤵
              • Modifies registry key
              PID:4260
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
              6⤵
                PID:4232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Public\nest.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Windows\SysWOW64\reg.exe
              reg delete hkcu\Environment /v windir /f
              5⤵
              • Modifies registry key
              PID:784
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4376

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\Trast.bat

      MD5

      4068c9f69fcd8a171c67f81d4a952a54

      SHA1

      4d2536a8c28cdcc17465e20d6693fb9e8e713b36

      SHA256

      24222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810

      SHA512

      a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d

    • C:\Users\Public\UKO.bat

      MD5

      eaf8d967454c3bbddbf2e05a421411f8

      SHA1

      6170880409b24de75c2dc3d56a506fbff7f6622c

      SHA256

      f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56

      SHA512

      fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9

    • C:\Users\Public\nest.bat

      MD5

      8ada51400b7915de2124baaf75e3414c

      SHA1

      1a7b9db12184ab7fd7fce1c383f9670a00adb081

      SHA256

      45aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7

      SHA512

      9afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68

    • memory/396-135-0x0000000006380000-0x0000000006528000-memory.dmp

      Filesize

      1.7MB

    • memory/396-144-0x0000000006000000-0x0000000006158000-memory.dmp

      Filesize

      1.3MB

    • memory/784-142-0x0000000000000000-mapping.dmp

    • memory/3148-123-0x0000000000000000-mapping.dmp

    • memory/3408-121-0x0000000072481000-0x00000000724A9000-memory.dmp

      Filesize

      160KB

    • memory/3408-120-0x0000000072480000-0x0000000072481000-memory.dmp

      Filesize

      4KB

    • memory/3408-118-0x0000000000000000-mapping.dmp

    • memory/3408-119-0x00000000040C0000-0x0000000004108000-memory.dmp

      Filesize

      288KB

    • memory/4040-125-0x0000000000000000-mapping.dmp

    • memory/4092-122-0x0000000000000000-mapping.dmp

    • memory/4092-127-0x0000000000600000-0x0000000000601000-memory.dmp

      Filesize

      4KB

    • memory/4092-132-0x00000000044B0000-0x00000000047D0000-memory.dmp

      Filesize

      3.1MB

    • memory/4092-131-0x0000000072480000-0x00000000724AA000-memory.dmp

      Filesize

      168KB

    • memory/4092-133-0x0000000072480000-0x00000000724AA000-memory.dmp

      Filesize

      168KB

    • memory/4092-134-0x0000000000B60000-0x0000000000B71000-memory.dmp

      Filesize

      68KB

    • memory/4232-130-0x0000000000000000-mapping.dmp

    • memory/4260-129-0x0000000000000000-mapping.dmp

    • memory/4312-128-0x0000000000000000-mapping.dmp

    • memory/4352-140-0x0000000000000000-mapping.dmp

    • memory/4376-138-0x00000000027A0000-0x00000000027C9000-memory.dmp

      Filesize

      164KB

    • memory/4376-137-0x0000000000080000-0x000000000037C000-memory.dmp

      Filesize

      3.0MB

    • memory/4376-139-0x0000000004680000-0x00000000049A0000-memory.dmp

      Filesize

      3.1MB

    • memory/4376-136-0x0000000000000000-mapping.dmp

    • memory/4376-143-0x00000000044E0000-0x0000000004570000-memory.dmp

      Filesize

      576KB