Analysis
max time kernel: 148s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2022 09:10
Static task: static1
Behavioral task: behavioral1 (sample New_PI.exe, resource win7-20220718-en)
Behavioral task: behavioral2 (sample New_PI.exe, resource win10v2004-20220721-en)
The signatures, process tree and memory dumps on this page come from the behavioral2 (Windows 10 2004 x64) run.
General
Target: New_PI.exe
Size: 715KB
MD5: 484023caa63a03b4f0483b62ecf09e2a
SHA1: 064718bb184f76e999e4978812c9913973db5ea2
SHA256: aaad3f9720410e623a7081b425f1eb39fa230cfe90b0e5c6991ba17fc9d15cd0
SHA512: fe82ec2f1fb1e7e1a80861c18c60899a591815f6739de40d3fea79b9ca1548239ee524f46d2f600861b2337704aeefcc7fd1cd3d416173743a7e0aae746e581e
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: e2e7
Domains (65 entries). Formbook configurations carry the live C2 alongside decoy domains, and this flattened extract does not mark which entry is live, so treat every domain below as an indicator to block and hunt on:
spicepano.site
17045.uk
pjkai.com
needamarketer.com
transformingjustice.report
westsideoccupationaltherapy.com
myhealthtrackr.com
happyfeetboca.com
goldenretrievertube.com
aresdevgroup.com
dosedspray.life
moxtun.online
togelmimpi.com
cdhkh.com
immagineallthe.com
stori-game.com
eco-tanques.com
thesagesky.com
aliaaestheticsllc.com
nayadesert-marrakech.com
power-beijing.com
microsysoman.com
diysecuritysystem.net
ytjhthrjrtjyrjj01.xyz
lastblackrockstar.com
rollingalong.store
citimedspharmacy.com
zosievents.com
thelifecoachapp.com
dmm100k.com
ksliangyi.com
karenamitfloral.com
etiennebugeja.digital
mar-o2.cloud
mykasy.com
mcdowellfitnesscenter.com
rhemagames.com
thepostoakclassic.com
perillamakarna.com
kdollazboutique.com
saimaanapu.info
khathia.com
weddingbootsmomo.com
galvanisefitness.com
bjttimage.com
ubuntuforfree.com
ebizpay.biz
pjsburgershack.com
brilliantretreats.com
phozs.com
blueonesystems.com
mirablast.com
vvincorestaffing.com
waxythings.com
cenapmil.com
alpl.site
northridgecommunications.com
capstonefilm.net
beau-loft.xyz
consertasmartrj.com
petopialearning.com
yourbookkeeper4.com
pharaohadventures.com
bofacali.com
yfyan.com
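Turning the extracted config above into something operational is the first thing a responder does with a report like this. The block below is an added example, not part of the sandbox report or of any Triage tooling: it parses the flattened config layout (family, version, campaign, then one domain per line), de-duplicates and validates the domains, emits BIND RPZ and hosts-file sinkhole fragments, and gives a label-aware matcher for DNS or proxy logs so that `www.spicepano.site` is caught but `notspicepano.site` is not. `CONFIG_EXCERPT` is a constructed copy of the report's block trimmed to a few of the 65 entries, with one duplicate and one junk line added to exercise the validation path; paste the full block in its place to get the complete list.

```python
"""Turn the extracted Formbook configuration into blocklist artefacts and a
hostname matcher for DNS/proxy logs.

Added example, not part of the sandbox report. CONFIG_EXCERPT is a constructed
copy of the report's Malware Config block (same line order: family, version,
campaign, then one domain per line) trimmed to a few of the 65 entries, plus
one duplicate and one junk line to exercise validation.
"""
import re
from dataclasses import dataclass, field

CONFIG_EXCERPT = """\
formbook
4.1
e2e7
spicepano.site
17045.uk
pjkai.com
needamarketer.com
transformingjustice.report
spicepano.site
not a domain!!
mar-o2.cloud
"""

# RFC 1035-style label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


@dataclass
class FormbookConfig:
    family: str
    version: str
    campaign: str
    domains: list = field(default_factory=list)   # de-duplicated, in config order
    rejected: list = field(default_factory=list)  # lines that are not syntactically valid domains


def parse_config(text: str) -> FormbookConfig:
    """Parse the flattened config: three header lines, then the domain list."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("expected family, version and campaign lines")
    cfg = FormbookConfig(lines[0].lower(), lines[1], lines[2])
    seen = set()
    for raw in lines[3:]:
        dom = raw.lower().rstrip(".")
        if not DOMAIN_RE.match(dom):
            cfg.rejected.append(raw)
        elif dom not in seen:
            seen.add(dom)
            cfg.domains.append(dom)
    return cfg


def is_c2_host(hostname: str, cfg: FormbookConfig) -> bool:
    """True if hostname is a config domain or a subdomain of one (Formbook C2
    URLs usually sit under www.). Label-aware suffix check, so a domain that
    merely ends in the same characters does not match."""
    targets = set(cfg.domains)
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in targets for i in range(len(labels)))


def to_rpz(cfg: FormbookConfig, zone: str = "rpz.local") -> str:
    """BIND Response Policy Zone fragment; CNAME . yields NXDOMAIN for the
    domain and everything beneath it."""
    out = [f"$ORIGIN {zone}."]
    for d in cfg.domains:
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return "\n".join(out) + "\n"


def to_hosts(cfg: FormbookConfig) -> str:
    """hosts-file sinkhole lines; hosts files have no wildcards, so www. is listed explicitly."""
    return "".join(f"0.0.0.0 {d}\n0.0.0.0 www.{d}\n" for d in cfg.domains)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_EXCERPT)
    print(f"{cfg.family} {cfg.version} campaign {cfg.campaign}: "
          f"{len(cfg.domains)} domains, {len(cfg.rejected)} rejected")
    print(to_rpz(cfg))
```

The RPZ output is the more useful of the two formats here because it also covers any subdomain the sample might prepend; the hosts-file variant only covers the bare domain and `www.`.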
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook payload (4 IoCs)
YARA rule "formbook" matched in these memory dumps:
- behavioral2/memory/4128-147-0x0000000050410000-0x000000005043F000-memory.dmp (PID 4128, New_PI.exe)
- behavioral2/memory/2124-187-0x0000000050410000-0x000000005043F000-memory.dmp (PID 2124, cmd.exe)
- behavioral2/memory/2020-193-0x0000000000350000-0x000000000037F000-memory.dmp (PID 2020, control.exe)
- behavioral2/memory/2020-198-0x0000000000350000-0x000000000037F000-memory.dmp (PID 2020, control.exe)
The same 188KB region at 0x50410000-0x5043F000 matches in both the loader (4128) and the cmd.exe it spawned (2124): the unpacked Formbook module is mapped at the same address in the loader and in its first injection host.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- New_PI.exe queried key value \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 1 IoC)
- New_PI.exe set value (str) \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ybgfhxllz = "C:\\Users\\Public\\Libraries\\zllxhfgbY.url"
The value name Ybgfhxllz is the dropped file name zllxhfgbY spelled backwards, and the autostart target is a .url shortcut in the user-writable C:\Users\Public\Libraries rather than an executable. Both make good hunt pivots: a Run value whose name is the reverse of its target's stem, and Run values pointing at .url files under C:\Users\Public.
Suspicious use of SetThreadContext (2 IoCs)
- PID 2124 (cmd.exe) set thread context of PID 2620 (Explorer.EXE)
- PID 2020 (control.exe) set thread context of PID 2620 (Explorer.EXE)
The same two PIDs appear under MapViewOfSection and AdjustPrivilegeToken below; together these are the injection steps into Explorer.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's canned description calls this likely ransomware behaviour, but nothing else in this report (no mass file writes, no encryption or deletion of user data) supports that, and the payload identified here is Formbook, an information stealer. Read this hit as environment enumeration, not as evidence of ransomware.
Suspicious behavior: EnumeratesProcesses (56 IoCs)
- PID 4128 New_PI.exe (2 events)
- PID 2124 cmd.exe (4 events)
- PID 2020 control.exe (50 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2620 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 2124 cmd.exe (3 events)
- PID 2020 control.exe (2 events)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, PID 2124 cmd.exe
- Token: SeShutdownPrivilege, PID 2620 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2620 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2620 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2620 Explorer.EXE
- Token: SeDebugPrivilege, PID 2020 control.exe
The SeDebugPrivilege entries for cmd.exe and control.exe are the notable ones: neither process has any business enabling it, and both go on to write into and set thread context in Explorer.EXE.
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 4128 New_PI.exe wrote to memory of PID 2124 cmd.exe (6 events)
- PID 2620 Explorer.EXE wrote to memory of PID 2020 control.exe (3 events)
- PID 2020 control.exe wrote to memory of PID 772 cmd.exe (3 events)
Processes

Indented by parent; PIDs are taken from the signature entries above. Read top to bottom this is the loader-to-Formbook chain: New_PI.exe writes the payload into a 32-bit cmd.exe it spawned, that cmd.exe injects into Explorer.EXE, Explorer (now carrying the injected code) spawns control.exe and injects into it, and control.exe finishes by launching a cmd.exe to delete the earlier host. autofmt.exe was also spawned under Explorer but triggered no signatures.

C:\Windows\Explorer.EXE [1] "C:\Windows\Explorer.EXE" (PID 2620)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\New_PI.exe [2] "C:\Users\Admin\AppData\Local\Temp\New_PI.exe" (PID 4128)
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe [3] "C:\Windows\System32\cmd.exe" /k (PID 2124)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autofmt.exe [2] "C:\Windows\SysWOW64\autofmt.exe"
  - (no signatures)
  C:\Windows\SysWOW64\control.exe [2] "C:\Windows\SysWOW64\control.exe" (PID 2020)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe [3] /c del "C:\Windows\SysWOW64\cmd.exe" (PID 772)
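The process tree and signatures above map cleanly onto a few host-telemetry rules. The block below is an added example, not part of the sandbox report and not vendor detection content: it runs four rules over constructed Sysmon-style events (ProcessCreate 1, ProcessAccess 10, RegistryEvent SetValue 13) built to mirror this report's chain with the same PIDs, paths and Run value. The field names follow Sysmon's schema, but the records were written by hand for this example, not exported from a sensor; the rule names, the access-mask test and the choice of one-level parent tracking are this example's own.

```python
"""Detection logic for the DBatLoader -> Formbook chain in this report, run over
constructed Sysmon-style events. Added example, not from the sandbox report."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

VM_OPERATION, VM_WRITE = 0x0008, 0x0020      # PROCESS_* rights needed to write into another process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}

# Paths from the report
EXPLORER = r"C:\Windows\Explorer.EXE"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\New_PI.exe"
CMD32 = r"C:\Windows\SysWOW64\cmd.exe"
CONTROL = r"C:\Windows\SysWOW64\control.exe"
RUN_KEY = r"HKU\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


# Constructed event builders (Sysmon field names; records are hand-written)
def _create(pid, image, ppid, pimage, cmdline):
    return {"EventID": 1, "ProcessId": pid, "Image": image, "ParentProcessId": ppid,
            "ParentImage": pimage, "CommandLine": cmdline}

def _access(spid, simage, tpid, timage, access="0x1FFFFF"):
    return {"EventID": 10, "SourceProcessId": spid, "SourceImage": simage,
            "TargetProcessId": tpid, "TargetImage": timage, "GrantedAccess": access}

def _setvalue(pid, image, key, value):
    return {"EventID": 13, "EventType": "SetValue", "ProcessId": pid, "Image": image,
            "TargetObject": key, "Details": value}

SAMPLE_EVENTS = [
    _create(4128, LOADER, 2620, EXPLORER, f'"{LOADER}"'),
    _setvalue(4128, LOADER, RUN_KEY + r"\Ybgfhxllz", r"C:\Users\Public\Libraries\zllxhfgbY.url"),
    _create(2124, CMD32, 4128, LOADER, r'"C:\Windows\System32\cmd.exe" /k'),
    _access(4128, LOADER, 2124, CMD32),            # loader writes payload into cmd.exe
    _access(2124, CMD32, 2620, EXPLORER),          # injected cmd.exe opens Explorer for writing
    _create(2020, CONTROL, 2620, EXPLORER, f'"{CONTROL}"'),
    _access(2620, EXPLORER, 2020, CONTROL),        # Explorer writes into the control.exe it spawned
    _create(772, CMD32, 2020, CONTROL, f'{CMD32} /c del "{CMD32}"'),
    # benign control: a normal Run value pointing at an executable
    _setvalue(5001, r"C:\Program Files\App\setup.exe", RUN_KEY + r"\App",
              r"C:\Program Files\App\app.exe"),
]


@dataclass
class Finding:
    rule: str
    pid: int
    evidence: dict = field(default_factory=dict)

def _base(image): return PureWindowsPath(image).name.lower()
def _granted(ev): return int(ev.get("GrantedAccess", "0x0"), 16)


def rule_run_key_url(ev):
    """Run value that autostarts a .url shortcut from C:\\Users\\Public."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    if "\\currentversion\\run\\" not in target.lower():
        return None
    value_name = target.rsplit("\\", 1)[-1]
    path = PureWindowsPath(ev.get("Details", "").strip('"'))
    parts = [p.lower() for p in path.parts]
    if path.suffix.lower() != ".url" or parts[1:3] != ["users", "public"]:
        return None
    return Finding("run_key_url_in_public", ev["ProcessId"],
                   {"value": value_name, "target": str(path),
                    "reversed_name": path.stem[::-1] == value_name})

def rule_write_into_explorer(ev):
    """Non-Explorer process opens explorer.exe with write rights (first-stage injection)."""
    if ev.get("EventID") != 10 or _base(ev["TargetImage"]) != "explorer.exe":
        return None
    if _base(ev["SourceImage"]) == "explorer.exe" or not _granted(ev) & (VM_OPERATION | VM_WRITE):
        return None
    return Finding("cross_process_write_into_explorer", ev["SourceProcessId"],
                   {"source": ev["SourceImage"], "access": ev["GrantedAccess"]})

def rule_explorer_writes_child(ev, proc):
    """Explorer writes into a process it spawned itself (second hop, control.exe here)."""
    if ev.get("EventID") != 10 or _base(ev["SourceImage"]) != "explorer.exe":
        return None
    child = proc.get(ev["TargetProcessId"])
    if child is None or _base(child["parent"]) != "explorer.exe":
        return None
    if not _granted(ev) & (VM_OPERATION | VM_WRITE):
        return None
    return Finding("explorer_writes_into_child", ev["SourceProcessId"],
                   {"target": ev["TargetImage"], "access": ev["GrantedAccess"]})

def rule_cmd_del_from_explorer_child(ev, proc):
    """cmd /c del launched by a non-shell process that Explorer created (cleanup stage)."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) != "cmd.exe":
        return None
    if "/c del" not in ev.get("CommandLine", "").lower():
        return None
    parent = proc.get(ev["ParentProcessId"])
    if parent is None or _base(parent["image"]) in SHELLS or _base(parent["parent"]) != "explorer.exe":
        return None
    return Finding("system_binary_spawns_cmd_del", ev["ProcessId"],
                   {"parent": parent["image"], "cmdline": ev["CommandLine"]})


def detect(events):
    proc = {}   # pid -> {"image", "parent"} from ProcessCreate, so rules can look one level up
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            proc[ev["ProcessId"]] = {"image": ev["Image"], "parent": ev["ParentImage"]}
        for f in (rule_run_key_url(ev), rule_write_into_explorer(ev),
                  rule_explorer_writes_child(ev, proc), rule_cmd_del_from_explorer_child(ev, proc)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, f.pid, f.evidence)
```

Each rule fires on one stage of the chain, so on a real sensor the four together corroborate each other while any one alone (a .url in a Run key, a write into explorer.exe) is already worth a look.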
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps; the four regions that matched the formbook YARA rule are marked)
- memory/772-194-0x0000000000000000-mapping.dmp
- memory/2020-191-0x0000000000000000-mapping.dmp
- memory/2020-196-0x0000000002250000-0x00000000022E3000-memory.dmp, 588KB
- memory/2020-198-0x0000000000350000-0x000000000037F000-memory.dmp, 188KB (formbook)
- memory/2020-195-0x00000000023B0000-0x00000000026FA000-memory.dmp, 3.3MB
- memory/2020-193-0x0000000000350000-0x000000000037F000-memory.dmp, 188KB (formbook)
- memory/2020-192-0x00000000002C0000-0x00000000002E7000-memory.dmp, 156KB
- memory/2124-145-0x0000000000000000-mapping.dmp
- memory/2124-189-0x0000000001020000-0x0000000001034000-memory.dmp, 80KB
- memory/2124-187-0x0000000050410000-0x000000005043F000-memory.dmp, 188KB (formbook)
- memory/2124-188-0x0000000001610000-0x000000000195A000-memory.dmp, 3.3MB
- memory/2620-190-0x00000000078D0000-0x0000000007A70000-memory.dmp, 1.6MB
- memory/2620-197-0x0000000002A60000-0x0000000002BAE000-memory.dmp, 1.3MB
- memory/2620-199-0x0000000002A60000-0x0000000002BAE000-memory.dmp, 1.3MB
- memory/4128-147-0x0000000050410000-0x000000005043F000-memory.dmp, 188KB (formbook)