Analysis
max time kernel: 188s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 14:31
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
  Resource: win10v2004-20221111-en
General
Target: SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
Size: 719KB
MD5: 05f703e7a42a6c540c9d5c815eb17f88
SHA1: 2fc5a59e412216cba76eb7fa122478bec8c2d125
SHA256: 0fd7b17afcfaa921522141380792c3105ec20547c795a21c2eb0810c82e7e5e2
SHA512: 8f7eca2be01bb273b7e18644b02d9358725baf3bd1d51919899226ac8e1a7b8050d018f0af72341eb4aa092150537f151f303513c92305d1dc44e5741bd1c6b0
SSDEEP: 12288:HbAOmbLGin3WhvyX2GahiJ9//4BsEOeNOVOYPmMi0fq1r:HbPsLV3WhKX2GF///MsEfAVOKmMi0fM
Malware Config
Extracted
formbook
t3qw
thestillout.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/3356-132-0x0000000004130000-0x000000000415B000-memory.dmp  modiloader_stage2
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description: Key value queried
  ioc:         \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process:     wscript.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiobdcde = "C:\\Users\\Public\\Libraries\\edcdboiW.url"
  process:     SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                         pid   process      target process
  PID 2744 set thread context of 764  2744  wscript.exe  Explorer.EXE
  PID 520 set thread context of 764   520   help.exe     Explorer.EXE
Modifies Internet Explorer settings 1 IoCs
Processes:
  description: Key created
  ioc:         \Registry\User\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process:     help.exe
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
  pid   process                                            entries
  3356  SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe  x2
  2744  wscript.exe                                        x8
  520   help.exe                                           x24
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  764   Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid   process      entries
  2744  wscript.exe  x3
  520   help.exe     x4
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           2744  wscript.exe
  Token: SeShutdownPrivilege        764   Explorer.EXE
  Token: SeCreatePagefilePrivilege  764   Explorer.EXE
  Token: SeShutdownPrivilege        764   Explorer.EXE
  Token: SeCreatePagefilePrivilege  764   Explorer.EXE
  Token: SeDebugPrivilege           520   help.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                       pid   process                                            target process  entries
  PID 3356 wrote to memory of 2744  3356  SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe  wscript.exe     x6
  PID 764 wrote to memory of 520    764   Explorer.EXE                                       help.exe        x3
  PID 520 wrote to memory of 1776   520   help.exe                                           Firefox.exe     x3
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15655.570.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wscript.exe
    command line: C:\Windows\System32\wscript.exe
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\help.exe
    command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/520-144-0x0000000000000000-mapping.dmp
memory/520-150-0x0000000000740000-0x000000000076D000-memory.dmp   Filesize: 180KB
memory/520-148-0x0000000000D80000-0x0000000000E0F000-memory.dmp   Filesize: 572KB
memory/520-147-0x0000000001110000-0x000000000145A000-memory.dmp   Filesize: 3.3MB
memory/520-146-0x0000000000740000-0x000000000076D000-memory.dmp   Filesize: 180KB
memory/520-145-0x0000000000A80000-0x0000000000A87000-memory.dmp   Filesize: 28KB
memory/764-143-0x0000000002D70000-0x0000000002EDC000-memory.dmp   Filesize: 1.4MB
memory/764-149-0x00000000081A0000-0x000000000827B000-memory.dmp   Filesize: 876KB
memory/764-151-0x00000000081A0000-0x000000000827B000-memory.dmp   Filesize: 876KB
memory/2744-141-0x0000000003E20000-0x000000000416A000-memory.dmp  Filesize: 3.3MB
memory/2744-142-0x0000000003D80000-0x0000000003D90000-memory.dmp  Filesize: 64KB
memory/2744-140-0x0000000010411000-0x000000001043F000-memory.dmp  Filesize: 184KB
memory/2744-139-0x0000000010410000-0x000000001043F000-memory.dmp  Filesize: 188KB
memory/2744-138-0x0000000010410000-0x000000001043F000-memory.dmp  Filesize: 188KB
memory/2744-134-0x0000000000000000-mapping.dmp
memory/3356-132-0x0000000004130000-0x000000000415B000-memory.dmp  Filesize: 172KB
memory/3356-136-0x0000000010410000-0x000000001043F000-memory.dmp  Filesize: 188KB
memory/3356-135-0x0000000010410000-0x000000001043F000-memory.dmp  Filesize: 188KB