Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16/06/2022, 09:41

General

  • Target

    03214426728.exe

  • Size

    732KB

  • MD5

    6597a0fbd9b2ee3bcf4a801fe4b69ae0

  • SHA1

    6f5bd5f70bc21389c4d9ba4870bb8d4f97983a06

  • SHA256

    57023cbc586b92ef899c3299c174c2689ba5b5e6e970976adde29d9977be9ddb

  • SHA512

    377ed8daa7d35792babd744f3065db6cc92f6f4c352fab595b9f01598b43796183d635234cc49dcac88188a1816fdede39bb8c06efd515e1158170f5947ec3b4

Malware Config

Extracted

  • Family
    xloader
  • Version
    2.6
  • Campaign
    uj3c
  • Decoy
    copimetro.com
    choonchain.com
    luxxwireless.com
    fashionweekofcincinnati.com
    campingshare.net
    suncochina.com
    kidsfundoor.com
    testingnyc.co
    lovesoe.com
    vehiclesbeenrecord.com
    socialpearmarketing.com
    maxproductdji.com
    getallarticle.online
    forummind.com
    arenamarenostrum.com
    trisuaka.xyz
    designgamagazine.com
    chateaulehotel.com
    huangse5.com
    esginvestment.tech

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • ModiLoader Second Stage 39 IoCs
  • Xloader Payload 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\03214426728.exe
      "C:\Users\Admin\AppData\Local\Temp\03214426728.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\SysWOW64\DpiScaling.exe
        C:\Windows\System32\DpiScaling.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:400
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
      PID:4436
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\DpiScaling.exe"
        3⤵
        PID:1336

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/400-196-0x0000000010410000-0x000000001043B000-memory.dmp  (Filesize: 172KB)
  • memory/400-193-0x0000000003060000-0x0000000003071000-memory.dmp  (Filesize: 68KB)
  • memory/400-192-0x0000000010410000-0x000000001043B000-memory.dmp  (Filesize: 172KB)
  • memory/400-190-0x0000000002BD0000-0x0000000002BE1000-memory.dmp  (Filesize: 68KB)
  • memory/400-189-0x0000000002CF0000-0x000000000303A000-memory.dmp  (Filesize: 3.3MB)
  • memory/892-203-0x0000000008050000-0x000000000813A000-memory.dmp  (Filesize: 936KB)
  • memory/892-194-0x00000000029F0000-0x0000000002AE3000-memory.dmp  (Filesize: 972KB)
  • memory/892-191-0x0000000002550000-0x000000000264E000-memory.dmp  (Filesize: 1016KB)
  • memory/1960-155-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-180-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-153-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-154-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-140-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-156-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-152-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-158-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-159-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-157-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-160-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-161-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-162-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-164-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-165-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-163-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-167-0x0000000010410000-0x000000001043B000-memory.dmp  (Filesize: 172KB)
  • memory/1960-151-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-169-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-170-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-171-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-172-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-173-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-148-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-181-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-182-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-183-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-185-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-186-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-187-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-184-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-150-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-149-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-144-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-147-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-146-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-145-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-141-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-142-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/1960-143-0x0000000000660000-0x00000000006B2000-memory.dmp  (Filesize: 328KB)
  • memory/2576-198-0x0000000001530000-0x000000000187A000-memory.dmp  (Filesize: 3.3MB)
  • memory/2576-200-0x0000000000E30000-0x0000000000E5B000-memory.dmp  (Filesize: 172KB)
  • memory/2576-199-0x0000000000A30000-0x0000000000A37000-memory.dmp  (Filesize: 28KB)
  • memory/2576-202-0x0000000001360000-0x00000000013F0000-memory.dmp  (Filesize: 576KB)
  • memory/2576-201-0x0000000000E30000-0x0000000000E5B000-memory.dmp  (Filesize: 172KB)