Analysis

max time kernel: 151s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21/06/2022, 08:49
Static task: static1

Behavioral task: behavioral1
  Sample: 149d29a68788c9cd599cba389698ed47.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 149d29a68788c9cd599cba389698ed47.exe
  Resource: win10v2004-20220414-en
General

Target: 149d29a68788c9cd599cba389698ed47.exe
Size: 241KB
MD5: 149d29a68788c9cd599cba389698ed47
SHA1: cad8135bbbee484b91b87df367631b9043c2f403
SHA256: b92800b4c8d2200d261f52287439016dc29ba57a73d428015ab05ee98a19c159
SHA512: 6026a7692a4a745518f2c8404a1c4b4c08e8c66f2d6fe0c9385c73d8a125bb26bba8496b4f9a492d3c8bc73140ba2173d3583435318245fe5ea0004e51a916c7
Malware Config

Extracted: xloader
Version: 2.6
Campaign: gqvv
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
ModiLoader Second Stage 39 IoCs
-
Xloader Payload 5 IoCs
resource | yara_rule
behavioral2/memory/4708-167-0x0000000010410000-0x000000001043B000-memory.dmp | xloader
behavioral2/memory/2252-168-0x0000000000000000-mapping.dmp | xloader
behavioral2/memory/2252-189-0x0000000010410000-0x000000001043B000-memory.dmp | xloader
behavioral2/memory/4888-195-0x0000000000F60000-0x0000000000F8B000-memory.dmp | xloader
behavioral2/memory/4888-201-0x0000000000F60000-0x0000000000F8B000-memory.dmp | xloader
-
Executes dropped EXE 1 IoCs
pid | Process
2576 | c8tplrsv14i08.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | c8tplrsv14i08.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5JJLQX18RV = "C:\\Program Files (x86)\\Sfzl\\c8tplrsv14i08.exe" | mstsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bovfeygedf = "C:\\Users\\Public\\Libraries\\fdegyefvoB.url" | 149d29a68788c9cd599cba389698ed47.exe
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | mstsc.exe
-
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2252 set thread context of 2684 | 2252 | DpiScaling.exe | 52
PID 4888 set thread context of 2684 | 4888 | mstsc.exe | 52
PID 4888 set thread context of 5116 | 4888 | mstsc.exe | 97
-
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Sfzl\c8tplrsv14i08.exe | mstsc.exe
File opened for modification | C:\Program Files (x86)\Sfzl | Explorer.EXE
File created | C:\Program Files (x86)\Sfzl\c8tplrsv14i08.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Sfzl\c8tplrsv14i08.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Key created | \Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | mstsc.exe
-
Modifies registry class 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\SplashScreen | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m | Explorer.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!m = f401000040010000 | Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
pid Process 2252 DpiScaling.exe 2252 DpiScaling.exe 2252 DpiScaling.exe 2252 DpiScaling.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe 4888 mstsc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2684 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 9 IoCs
pid | Process
2252 | DpiScaling.exe
2252 | DpiScaling.exe
2252 | DpiScaling.exe
4888 | mstsc.exe
4888 | mstsc.exe
4888 | mstsc.exe
4888 | mstsc.exe
4888 | mstsc.exe
4888 | mstsc.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2252 | DpiScaling.exe
Token: SeDebugPrivilege | 4888 | mstsc.exe
Token: SeShutdownPrivilege | 2684 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2684 | Explorer.EXE
Token: SeShutdownPrivilege | 2684 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2684 | Explorer.EXE
Token: SeShutdownPrivilege | 2684 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2684 | Explorer.EXE
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2684 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 4708 wrote to memory of 2252 | 4708 | 149d29a68788c9cd599cba389698ed47.exe | 85
PID 4708 wrote to memory of 2252 | 4708 | 149d29a68788c9cd599cba389698ed47.exe | 85
PID 4708 wrote to memory of 2252 | 4708 | 149d29a68788c9cd599cba389698ed47.exe | 85
PID 4708 wrote to memory of 2252 | 4708 | 149d29a68788c9cd599cba389698ed47.exe | 85
PID 4708 wrote to memory of 2252 | 4708 | 149d29a68788c9cd599cba389698ed47.exe | 85
PID 4708 wrote to memory of 2252 | 4708 | 149d29a68788c9cd599cba389698ed47.exe | 85
PID 2684 wrote to memory of 4888 | 2684 | Explorer.EXE | 86
PID 2684 wrote to memory of 4888 | 2684 | Explorer.EXE | 86
PID 2684 wrote to memory of 4888 | 2684 | Explorer.EXE | 86
PID 4888 wrote to memory of 3760 | 4888 | mstsc.exe | 87
PID 4888 wrote to memory of 3760 | 4888 | mstsc.exe | 87
PID 4888 wrote to memory of 3760 | 4888 | mstsc.exe | 87
PID 4888 wrote to memory of 528 | 4888 | mstsc.exe | 90
PID 4888 wrote to memory of 528 | 4888 | mstsc.exe | 90
PID 4888 wrote to memory of 528 | 4888 | mstsc.exe | 90
PID 4888 wrote to memory of 4816 | 4888 | mstsc.exe | 92
PID 4888 wrote to memory of 4816 | 4888 | mstsc.exe | 92
PID 4888 wrote to memory of 4816 | 4888 | mstsc.exe | 92
PID 4888 wrote to memory of 1396 | 4888 | mstsc.exe | 94
PID 4888 wrote to memory of 1396 | 4888 | mstsc.exe | 94
PID 4888 wrote to memory of 1396 | 4888 | mstsc.exe | 94
PID 2684 wrote to memory of 2576 | 2684 | Explorer.EXE | 95
PID 2684 wrote to memory of 2576 | 2684 | Explorer.EXE | 95
PID 2684 wrote to memory of 2576 | 2684 | Explorer.EXE | 95
PID 2576 wrote to memory of 2692 | 2576 | c8tplrsv14i08.exe | 96
PID 2576 wrote to memory of 2692 | 2576 | c8tplrsv14i08.exe | 96
Processes

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 2684
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\149d29a68788c9cd599cba389698ed47.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\149d29a68788c9cd599cba389698ed47.exe"
        PID: 4708
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\DpiScaling.exe
            Command line: C:\Windows\System32\DpiScaling.exe
            PID: 2252
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\mstsc.exe
        Command line: "C:\Windows\SysWOW64\mstsc.exe"
        PID: 4888
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Windows\SysWOW64\DpiScaling.exe"
            PID: 3760

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            PID: 528

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
            PID: 4816

        [3] C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
            PID: 1396

    [2] C:\Program Files (x86)\Sfzl\c8tplrsv14i08.exe
        Command line: "C:\Program Files (x86)\Sfzl\c8tplrsv14i08.exe"
        PID: 2576
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\explorer.exe
            Command line: "C:\Windows\explorer.exe" ms-settings:display
            PID: 2692

[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    PID: 5116

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    PID: 2024
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 75KB
MD5: d44d3a0f5e53f6ecc5c6232930cfcc5e
SHA1: d42b4fc663fb0328a2307ec7c8f56f220872d953
SHA256: fa1dd224289d1c39c49cb5dd2896fa19a3091ce650d6b665626d5d30b65dee9e
SHA512: a4104e8abb58d17d6565a410a5e4653280827d2291bfedb59201e368dce475b43b79fdd3087dce46c8e0a95cad78afb15e0c1fb351babd7168e39e26ef861af6

Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Filesize: 48KB
MD5: 349e6eb110e34a08924d92f6b334801d
SHA1: bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256: c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512: 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574