Overview

overview

10

Static

static

09388377278289.exe

windows7_x64

10

09388377278289.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    02-06-2022 08:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09388377278289.exe

  • Size

    727KB

  • MD5

    c444b2db28749565dba57b7e1557bb8d

  • SHA1

    8b03ed36d74de146e05842d9bc29efea72556f46

  • SHA256

    2311bbbd51e97a4c870c6b24f143b9e991755581e818965201b08c1c4901a588

  • SHA512

    501137b0cd94da86d1d1f0c41b28229bf45bb688453f9e16f3a12bbacfa53360e7088cebc315722e5dc08bcbdbe14d1dc93146cac6d8f09bca1ef3c58e46b058

Score
10/10
modiloaderxloaderuj3cloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • ModiLoader Second Stage 38 IoCs
  • Xloader Payload 6 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1376
    • C:\Users\Admin\AppData\Local\Temp\09388377278289.exe
      "C:\Users\Admin\AppData\Local\Temp\09388377278289.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\logagent.exe
        C:\Windows\System32\logagent.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:868
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\logagent.exe"
        3⤵
          PID:1400
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1368

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      2
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      4
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/868-93-0x0000000010410000-0x000000001043B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/868-124-0x0000000010410000-0x000000001043B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/868-121-0x00000000002A0000-0x00000000002B1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/868-108-0x0000000000260000-0x0000000000271000-memory.dmp
        Filesize

        68KB

        Download
      • memory/868-106-0x0000000002090000-0x0000000002393000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/868-104-0x0000000010410000-0x000000001043B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/868-95-0x0000000000000000-mapping.dmp
        Download
      • memory/1376-132-0x00000000062F0000-0x000000000645F000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1376-130-0x00000000062F0000-0x000000000645F000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1376-122-0x0000000005F30000-0x0000000006022000-memory.dmp
        Filesize

        968KB

        Download
      • memory/1376-119-0x0000000005DC0000-0x0000000005F25000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1400-125-0x0000000000000000-mapping.dmp
        Download
      • memory/1516-80-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-75-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-54-0x00000000755A1000-0x00000000755A3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1516-78-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-77-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-84-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-83-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-85-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-82-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-81-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-86-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-87-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-90-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-89-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-88-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-73-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-92-0x0000000010410000-0x000000001043B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1516-74-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-96-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-97-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-98-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-99-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-100-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-79-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-76-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-69-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-111-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-112-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-113-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-115-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-116-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-117-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-118-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-70-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-72-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-71-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-65-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-66-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-67-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1516-68-0x00000000042E0000-0x0000000004332000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1972-127-0x0000000000300000-0x0000000000326000-memory.dmp
        Filesize

        152KB

        Download
      • memory/1972-128-0x0000000000070000-0x000000000009B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1972-129-0x0000000002210000-0x00000000022A0000-memory.dmp
        Filesize

        576KB

        Download
      • memory/1972-126-0x0000000001F00000-0x0000000002203000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1972-131-0x0000000000070000-0x000000000009B000-memory.dmp
        Filesize

        172KB

        Download
      • memory/1972-123-0x0000000000000000-mapping.dmp
        Download