Analysis
max time kernel: 152s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220722-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-08-2022 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: NEW PO.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: NEW PO.exe
  Resource: win10v2004-20220722-en
General
Target: NEW PO.exe
Size: 1.1MB
MD5: 5b9d5dd439a7ed7bfc4fb62a17d04b4d
SHA1: ee8ac089fbf4f09861dc06b2298469eca12a9ac7
SHA256: 7d5c7b03dcc7496b6dfb7f5726b3901d48da7ed3dd8e6d171db278e7ba9902b0
SHA512: a17b947492ecd61d20cb49015d445a9a88b588f6333f2841a64da1040a0cf949035e0e452c9a945fffa46baa61ad3a2eae17c13093f1c5fd7c58cd3e7caba74b
Malware Config
Extracted: formbook 4.1 d27e
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook payload 4 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/4948-149-0x0000000050410000-0x000000005043F000-memory.dmp (formbook)
- behavioral2/memory/3116-193-0x0000000050410000-0x000000005043F000-memory.dmp (formbook)
- behavioral2/memory/3892-196-0x0000000000590000-0x00000000005BF000-memory.dmp (formbook)
- behavioral2/memory/3892-200-0x0000000000590000-0x00000000005BF000-memory.dmp (formbook)
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- NEW PO.exe: Key value queried \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- NEW PO.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bctoiprjb = "C:\\Users\\Public\\Libraries\\bjrpiotcB.url"
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
- PID 3116 (cmd.exe) set thread context of PID 2928 (Explorer.EXE)
- PID 3892 (mstsc.exe) set thread context of PID 2928 (Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 50 IoCs
Processes (pid, process):
- 4948 NEW PO.exe (2 entries)
- 3116 cmd.exe (4 entries)
- 3892 mstsc.exe (all remaining entries; 50 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 2928 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 3116 cmd.exe (3 entries)
- 3892 mstsc.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (token, pid, process):
- SeDebugPrivilege: 3116 cmd.exe
- SeShutdownPrivilege: 2928 Explorer.EXE
- SeCreatePagefilePrivilege: 2928 Explorer.EXE
- SeShutdownPrivilege: 2928 Explorer.EXE
- SeCreatePagefilePrivilege: 2928 Explorer.EXE
- SeDebugPrivilege: 3892 mstsc.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 4948 (NEW PO.exe) wrote to memory of PID 3116 (cmd.exe): 6 entries
- PID 2928 (Explorer.EXE) wrote to memory of PID 3892 (mstsc.exe): 3 entries
- PID 3892 (mstsc.exe) wrote to memory of PID 3612 (cmd.exe): 3 entries
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\NEW PO.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\NEW PO.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: "C:\Windows\System32\cmd.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\mstsc.exe (level 2)
Command line: "C:\Windows\SysWOW64\mstsc.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Windows\SysWOW64\cmd.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dump, filesize)
- memory/2928-191-0x00000000088E0000-0x0000000008A56000-memory.dmp (1.5MB)
- memory/2928-201-0x0000000008C50000-0x0000000008DA9000-memory.dmp (1.3MB)
- memory/2928-199-0x0000000008C50000-0x0000000008DA9000-memory.dmp (1.3MB)
- memory/3116-193-0x0000000050410000-0x000000005043F000-memory.dmp (188KB)
- memory/3116-190-0x0000000001330000-0x0000000001345000-memory.dmp (84KB)
- memory/3116-147-0x0000000000000000-mapping.dmp
- memory/3116-189-0x0000000001DB0000-0x00000000020FA000-memory.dmp (3.3MB)
- memory/3612-194-0x0000000000000000-mapping.dmp
- memory/3892-192-0x0000000000000000-mapping.dmp
- memory/3892-195-0x0000000000780000-0x00000000008BA000-memory.dmp (1.2MB)
- memory/3892-196-0x0000000000590000-0x00000000005BF000-memory.dmp (188KB)
- memory/3892-197-0x00000000029E0000-0x0000000002D2A000-memory.dmp (3.3MB)
- memory/3892-198-0x0000000002720000-0x00000000027B4000-memory.dmp (592KB)
- memory/3892-200-0x0000000000590000-0x00000000005BF000-memory.dmp (188KB)
- memory/4948-149-0x0000000050410000-0x000000005043F000-memory.dmp (188KB)