Analysis

Max time kernel: 173s
Max time network: 173s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 16/06/2022, 09:40

Static task: static1

Behavioral task: behavioral1
  Sample: New Vendor Reg.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: New Vendor Reg.exe
  Resource: win10v2004-20220414-en

Behavioral task: behavioral3
  Sample: QvtGA0YrRh9C60LAueGxzeA==?=.xlsx
  Resource: win7-20220414-en

Behavioral task: behavioral4
  Sample: QvtGA0YrRh9C60LAueGxzeA==?=.xlsx
  Resource: win10v2004-20220414-en

General

Target: New Vendor Reg.exe
Size: 624KB
MD5: fa73660db11ef7248f0e196f091448c2
SHA1: aa3dab0877e44cdd6f801f6fec9e188834f5d2c4
SHA256: 953b0847fa47498da29afaa85d3fc79f0569ef29b1553a2e7e6432105369aa63
SHA512: b03a039000f8180962cd27fbf077abf1ca8b09be844fd9ecc9b62c31e523af1962daa5bac0caae3864fcf7e2ca9e95abc0cba6628d4d5f060ea232d1d7e23d6e
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: ne5f
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage 39 IoCs
Xloader Payload 4 IoCs
resource | yara_rule
- behavioral2/memory/3752-181-0x0000000010410000-0x000000001043B000-memory.dmp | xloader
- behavioral2/memory/904-182-0x0000000000000000-mapping.dmp | xloader
- behavioral2/memory/904-203-0x0000000010410000-0x000000001043B000-memory.dmp | xloader
- behavioral2/memory/3376-210-0x00000000004A0000-0x00000000004CB000-memory.dmp | xloader

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fjzoqantqx = "C:\\Users\\Public\\Libraries\\xqtnaqozjF.url" | New Vendor Reg.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
- PID 904 set thread context of 2148 | 904 | DpiScaling.exe | 38

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
- 4468 | powershell.exe
- 4468 | powershell.exe
- 904 | DpiScaling.exe
- 904 | DpiScaling.exe
- 904 | DpiScaling.exe
- 904 | DpiScaling.exe
- 3376 | help.exe
- 3376 | help.exe
- 3376 | help.exe
- 3376 | help.exe

Suspicious behavior: MapViewOfSection 4 IoCs
pid | Process
- 904 | DpiScaling.exe
- 904 | DpiScaling.exe
- 904 | DpiScaling.exe
- 3376 | help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
- Token: SeDebugPrivilege | 4468 | powershell.exe
- Token: SeDebugPrivilege | 904 | DpiScaling.exe
- Token: SeDebugPrivilege | 3376 | help.exe

Suspicious use of WriteProcessMemory 27 IoCs
description | pid | Process | procid_target
- PID 3752 wrote to memory of 1916 | 3752 | New Vendor Reg.exe | 86
- PID 3752 wrote to memory of 1916 | 3752 | New Vendor Reg.exe | 86
- PID 3752 wrote to memory of 1916 | 3752 | New Vendor Reg.exe | 86
- PID 1916 wrote to memory of 4144 | 1916 | cmd.exe | 88
- PID 1916 wrote to memory of 4144 | 1916 | cmd.exe | 88
- PID 1916 wrote to memory of 4144 | 1916 | cmd.exe | 88
- PID 4144 wrote to memory of 4712 | 4144 | cmd.exe | 90
- PID 4144 wrote to memory of 4712 | 4144 | cmd.exe | 90
- PID 4144 wrote to memory of 4712 | 4144 | cmd.exe | 90
- PID 4712 wrote to memory of 3136 | 4712 | net.exe | 91
- PID 4712 wrote to memory of 3136 | 4712 | net.exe | 91
- PID 4712 wrote to memory of 3136 | 4712 | net.exe | 91
- PID 4144 wrote to memory of 4468 | 4144 | cmd.exe | 92
- PID 4144 wrote to memory of 4468 | 4144 | cmd.exe | 92
- PID 4144 wrote to memory of 4468 | 4144 | cmd.exe | 92
- PID 3752 wrote to memory of 904 | 3752 | New Vendor Reg.exe | 94
- PID 3752 wrote to memory of 904 | 3752 | New Vendor Reg.exe | 94
- PID 3752 wrote to memory of 904 | 3752 | New Vendor Reg.exe | 94
- PID 3752 wrote to memory of 904 | 3752 | New Vendor Reg.exe | 94
- PID 3752 wrote to memory of 904 | 3752 | New Vendor Reg.exe | 94
- PID 3752 wrote to memory of 904 | 3752 | New Vendor Reg.exe | 94
- PID 2148 wrote to memory of 3376 | 2148 | Explorer.EXE | 95
- PID 2148 wrote to memory of 3376 | 2148 | Explorer.EXE | 95
- PID 2148 wrote to memory of 3376 | 2148 | Explorer.EXE | 95
- PID 3376 wrote to memory of 2288 | 3376 | help.exe | 96
- PID 3376 wrote to memory of 2288 | 3376 | help.exe | 96
- PID 3376 wrote to memory of 2288 | 3376 | help.exe | 96
Processes

[1] C:\Users\Admin\AppData\Local\Temp\New Vendor Reg.exe (PID 3752)
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Vendor Reg.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 1916)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Fjzoqantqxt.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4144)
        Command line: C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\FjzoqantqxO.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe (PID 4712)
          Command line: net session
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe (PID 3136)
            Command line: C:\Windows\system32\net1 session
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4468)
          Command line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\DpiScaling.exe (PID 904)
      Command line: C:\Windows\System32\DpiScaling.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\Explorer.EXE (PID 2148)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\help.exe (PID 3376)
      Command line: "C:\Windows\SysWOW64\help.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2288)
        Command line: /c del "C:\Windows\SysWOW64\DpiScaling.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 155B
MD5: 213c60adf1c9ef88dc3c9b2d579959d2
SHA1: e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
SHA256: 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
SHA512: fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

Filesize: 1KB
MD5: df48c09f243ebcc8a165f77a1c2bf889
SHA1: 455f7db0adcc2a58d006f1630fb0bd55cd868c07
SHA256: 4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca
SHA512: 735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

Filesize: 59B
MD5: cdb9fe60be50d2d73a643ca64ed81361
SHA1: 862db4dc945f4971577799f22e7cf5b5f4898ecf
SHA256: 24839a2754b03c272e939522acc69f9bc244dff22dbfa8098251984d6c8ac895
SHA512: 90b6d13f747a36af90961253722190ce2e07d5b6b4703e8553a11aae09f56d0082ca64ce513c41de734db43eb5883644f8262e0d3675f46d34ed3345fc090eef