Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21/06/2022, 08:05

General

  • Target

    Order.exe

  • Size

    241KB

  • MD5

    bf5426f3ef54fb82433db41d5e8533a5

  • SHA1

    46b504f9d3b02ff66ae640167e5ae3d8737dd44f

  • SHA256

    d9af61c7590a4850ff8a8f021ad2b9f7536757d658b281e883e758065637bdd5

  • SHA512

    64f83ef542358da820ff6d91a1bbe09dae4dbb2580c9e566253ae7236eea12ca6ae1128e75b9b291b70574026dece42e7cc646b8c2035abb63b379ddd784d3f5

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ne5f

Decoy

presentationmeetup.biz

mlune.com

smplsnoot.com

gatorlendingnearme.com

matsu-den.net

dac-nj.com

currentsea.rentals

peter-elst.com

hyo7jzsunsh6ad8rjwsa.com

5gsmartsales.xyz

medinfoedu.com

tenderstembroccoli.com

solicitglobal.com

lojashauren.com

constructionboots.online

hecsearc.com

tandemcoruna.com

ordinateam.com

heikyoum.xyz

segawa-kensetu.com

Signatures

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

  • Xloader

    Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • ModiLoader Second Stage 39 IoCs
  • Xloader Payload 5 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly harvest stored browser data such as saved credentials; here the copy of the Chrome and Edge "Login Data" SQLite files to %TEMP%\DB1 in the process tree below is the observable instance.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Users\Admin\AppData\Local\Temp\Order.exe
      "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4044
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Rwooihhzlft.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\RwooihhzlfO.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\SysWOW64\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1244
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:1320
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2520
        • C:\Users\Admin\AppData\Local\Temp\Order.exe
          C:\Users\Admin\AppData\Local\Temp\Order.exe
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1924
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        2⤵
        • Adds policy Run key to start application
        • Suspicious use of SetThreadContext
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
          3⤵
            PID:4084
          • C:\Windows\SysWOW64\cmd.exe
            /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            3⤵
              PID:3440
            • C:\Windows\SysWOW64\cmd.exe
              /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
              3⤵
                PID:1484
              • C:\Program Files\Mozilla Firefox\Firefox.exe
                "C:\Program Files\Mozilla Firefox\Firefox.exe"
                3⤵
                  PID:952
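
The chain above (a batch file under C:\Users\Public running `net session` as an elevation check, a hidden PowerShell adding a Defender exclusion for all of C:\Users, and cmd.exe copying the Chrome and Edge "Login Data" stores to %TEMP%\DB1) maps directly onto process-creation telemetry. The following is an added Python example, not part of this sandbox report, that runs three such checks over constructed Sysmon Event ID 1-style events modelled on the tree above; the rule names, the set of "broad" exclusion roots and the user-writable path list are the example's own assumptions.

```python
"""Detection logic for the behaviours in the Order.exe process tree above.

Added example, not part of the sandbox report. The events below are constructed
from the report's process tree; rule names, BROAD_EXCLUSIONS and USER_WRITABLE
are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Exclusion roots broad enough to blind Defender to user content (assumption).
BROAD_EXCLUSIONS = {"c:", "c:\\users", "c:\\windows", "c:\\programdata", "c:\\program files"}
# Locations an unprivileged user can write batch files to (assumption).
USER_WRITABLE = ("c:\\users\\public", "\\appdata\\local\\temp")

MP_EXCLUSION = re.compile(r"add-mppreference\s+-exclusionpath\s+['\"]?([^'\"\s]+)", re.I)
BROWSER_LOGIN_DB = re.compile(r'\\(google\\chrome|microsoft\\edge)\\user data\\[^"]*\\login data', re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def exclusion_path(cmdline: str):
    """Return the path passed to Add-MpPreference -ExclusionPath, or None."""
    m = MP_EXCLUSION.search(cmdline)
    return m.group(1) if m else None


def _is_broad(path: str) -> bool:
    p = path.lower().rstrip("\\")
    return p in BROAD_EXCLUSIONS or re.fullmatch(r"[a-z]:", p) is not None


def _ancestors(pid: int, by_pid: dict):
    """Yield parent, grandparent, ... for as long as they exist in the event set."""
    seen, ev = {pid}, by_pid.get(pid)
    while ev and ev["ppid"] in by_pid and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = by_pid[ev["ppid"]]
        yield ev


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, cmd = e["image"].lower(), e["cmdline"]
        low = cmd.lower()
        # 1. Defender exclusion that is broad, or added from a hidden window.
        path = exclusion_path(cmd)
        if path and (_is_broad(path) or "-windowstyle hidden" in low):
            findings.append(Finding(e["pid"], "defender-exclusion", path))
        # 2. `net session` (elevation check) descended from a .bat in a user-writable dir.
        if image.endswith("\\net.exe") and "session" in low:
            for anc in _ancestors(e["pid"], by_pid):
                a = anc["cmdline"].lower()
                if anc["image"].lower().endswith("\\cmd.exe") and ".bat" in a \
                        and any(w in a for w in USER_WRITABLE):
                    findings.append(Finding(e["pid"], "admin-check-from-bat", anc["cmdline"]))
                    break
        # 3. Browser credential store copied out of its profile directory.
        m = BROWSER_LOGIN_DB.search(cmd)
        if m and re.search(r"\bcopy\b", low):
            findings.append(Finding(e["pid"], "browser-login-db-copy", m.group(0)))
    return findings


# Constructed events (pids and command lines taken from the process tree above;
# the last one is a benign control: a narrow exclusion from a visible console).
SAMPLE_EVENTS = [
    {"pid": 4044, "ppid": 2640, "image": r"C:\Users\Admin\AppData\Local\Temp\Order.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Order.exe"'},
    {"pid": 3060, "ppid": 4044, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\Rwooihhzlft.bat" "'},
    {"pid": 2004, "ppid": 3060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /K C:\Users\Public\Libraries\RwooihhzlfO.bat"},
    {"pid": 1244, "ppid": 2004, "image": r"C:\Windows\SysWOW64\net.exe", "cmdline": "net session"},
    {"pid": 2520, "ppid": 2004, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive "
                "-Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\""},
    {"pid": 960, "ppid": 4044, "image": r"C:\Windows\SysWOW64\mstsc.exe", "cmdline": r'"C:\Windows\SysWOW64\mstsc.exe"'},
    {"pid": 3440, "ppid": 960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"pid": 1484, "ppid": 960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V'},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command \"Add-MpPreference -ExclusionPath 'C:\\BuildAgent\\work'\""},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.pid:>5}  {f.rule:<24} {f.detail}")
```

Run as-is it reports four findings (PIDs 2520, 1244, 3440 and 1484) and stays silent on the benign control. The `defender-exclusion` detail is the path to hand to remediation: on an affected host, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists current exclusions and `Remove-MpPreference -ExclusionPath 'C:\Users'` removes the one this sample adds. The `net session` check is worth keeping even though it is noisy on its own: it only fires here when the calling cmd.exe is running a batch file from a user-writable directory, which is the combination seen in this tree.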

            Network

                  MITRE ATT&CK Enterprise v6

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\DB1

                    Filesize

                    40KB

                    MD5

                    b608d407fc15adea97c26936bc6f03f6

                    SHA1

                    953e7420801c76393902c0d6bb56148947e41571

                    SHA256

                    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

                    SHA512

                    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

                  • C:\Users\Admin\AppData\Local\Temp\DB1

                    Filesize

                    48KB

                    MD5

                    349e6eb110e34a08924d92f6b334801d

                    SHA1

                    bdfb289daff51890cc71697b6322aa4b35ec9169

                    SHA256

                    c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

                    SHA512

                    2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

                  • C:\Users\Public\Libraries\Cdex.bat

                    Filesize

                    155B

                    MD5

                    213c60adf1c9ef88dc3c9b2d579959d2

                    SHA1

                    e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021

                    SHA256

                    37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

                    SHA512

                    fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

                  • C:\Users\Public\Libraries\RwooihhzlfO.bat

                    Filesize

                    1KB

                    MD5

                    df48c09f243ebcc8a165f77a1c2bf889

                    SHA1

                    455f7db0adcc2a58d006f1630fb0bd55cd868c07

                    SHA256

                    4ef9821678da07138c19405387f3fb95e409fbd461c7b8d847c05075facd63ca

                    SHA512

                    735838c7cca953697ded48adfcd037b7f198072a8962f5940ce12e1bb1c7dd8c1f257a829276f5f5456f776f5bd13342222dd6e0dfc8f18a23f464f2c8d8f1cc

                  • C:\Users\Public\Libraries\Rwooihhzlft.bat

                    Filesize

                    59B

                    MD5

                    c2a5d88b8a980ad8d3c68e0f1fbfc8eb

                    SHA1

                    6de3fabebf01d06116079418cb2843949e311c01

                    SHA256

                    0eeaa64d74922edce08e4cbe7ed752c8370ccb43f834bd4d9fa2c2be8eaf2bac

                    SHA512

                    8bb0e2e0728ea91b415e5dff5b8bb14288e1a5167a7ac10b50cbe2485f6cec833be1c6a6c6f988fabdca53528d1febfa847af7263f34dca10f5d0a37818acadd

                  • memory/960-220-0x0000000000A20000-0x0000000000A4B000-memory.dmp

                    Filesize

                    172KB

                  • memory/960-224-0x0000000000A20000-0x0000000000A4B000-memory.dmp

                    Filesize

                    172KB

                  • memory/960-222-0x00000000027F0000-0x0000000002880000-memory.dmp

                    Filesize

                    576KB

                  • memory/960-221-0x00000000029C0000-0x0000000002D0A000-memory.dmp

                    Filesize

                    3.3MB

                  • memory/960-219-0x00000000002A0000-0x00000000003DA000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/1924-215-0x00000000008B0000-0x00000000008C1000-memory.dmp

                    Filesize

                    68KB

                  • memory/1924-214-0x00000000029A0000-0x0000000002CEA000-memory.dmp

                    Filesize

                    3.3MB

                  • memory/1924-213-0x0000000010410000-0x000000001043B000-memory.dmp

                    Filesize

                    172KB

                  • memory/2520-181-0x000000006FBD0000-0x000000006FC1C000-memory.dmp

                    Filesize

                    304KB

                  • memory/2520-186-0x0000000007210000-0x00000000072A6000-memory.dmp

                    Filesize

                    600KB

                  • memory/2520-185-0x0000000007020000-0x000000000702A000-memory.dmp

                    Filesize

                    40KB

                  • memory/2520-184-0x0000000006EE0000-0x0000000006EFA000-memory.dmp

                    Filesize

                    104KB

                  • memory/2520-183-0x0000000007660000-0x0000000007CDA000-memory.dmp

                    Filesize

                    6.5MB

                  • memory/2520-182-0x0000000006230000-0x000000000624E000-memory.dmp

                    Filesize

                    120KB

                  • memory/2520-180-0x0000000006250000-0x0000000006282000-memory.dmp

                    Filesize

                    200KB

                  • memory/2520-179-0x0000000005CB0000-0x0000000005CCE000-memory.dmp

                    Filesize

                    120KB

                  • memory/2520-188-0x00000000072D0000-0x00000000072EA000-memory.dmp

                    Filesize

                    104KB

                  • memory/2520-178-0x0000000005020000-0x0000000005086000-memory.dmp

                    Filesize

                    408KB

                  • memory/2520-187-0x00000000071D0000-0x00000000071DE000-memory.dmp

                    Filesize

                    56KB

                  • memory/2520-189-0x00000000072C0000-0x00000000072C8000-memory.dmp

                    Filesize

                    32KB

                  • memory/2520-177-0x0000000004FB0000-0x0000000005016000-memory.dmp

                    Filesize

                    408KB

                  • memory/2520-176-0x0000000004E10000-0x0000000004E32000-memory.dmp

                    Filesize

                    136KB

                  • memory/2520-174-0x00000000027D0000-0x0000000002806000-memory.dmp

                    Filesize

                    216KB

                  • memory/2520-175-0x00000000050D0000-0x00000000056F8000-memory.dmp

                    Filesize

                    6.2MB

                  • memory/2640-223-0x0000000008B90000-0x0000000008C4D000-memory.dmp

                    Filesize

                    756KB

                  • memory/2640-216-0x0000000009260000-0x00000000093DA000-memory.dmp

                    Filesize

                    1.5MB

                  • memory/2640-225-0x0000000008B90000-0x0000000008C4D000-memory.dmp

                    Filesize

                    756KB

                  • memory/4044-159-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-210-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-165-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-164-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-162-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-161-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-140-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-160-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-158-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-191-0x0000000010410000-0x000000001043B000-memory.dmp

                    Filesize

                    172KB

                  • memory/4044-157-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-193-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-194-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-195-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-197-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-196-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-204-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-205-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-206-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-207-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-209-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-163-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-211-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-208-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-156-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-154-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-155-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-153-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-152-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-141-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-149-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-151-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-150-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-148-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-144-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-147-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-146-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-145-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-143-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB

                  • memory/4044-142-0x0000000003940000-0x0000000003992000-memory.dmp

                    Filesize

                    328KB