Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 120fa64f85b894d98a09843a4e0fe81a.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 120fa64f85b894d98a09843a4e0fe81a.exe
  Resource: win10v2004-20220901-en
General
- Target: 120fa64f85b894d98a09843a4e0fe81a.exe
- Size: 782KB
- MD5: 120fa64f85b894d98a09843a4e0fe81a
- SHA1: cccd0142f24a8939dd22d7176bafeeb60ffa67ae
- SHA256: 503d324cb44c441dafaabdec1455afe9a320cfceaa346198050f3ffad7c6aa8a
- SHA512: ae9d4b1e7f539b90684207731ccf46b4500928957a10ccef75384149d15168d9980be6c6575a28199abb04294661cd97d1be6715a6f6941d2b222e2a94833793
- SSDEEP: 12288:9mHYsrAQMj7JP2cAmYOKe2ncjOQZlRDFHNFap4nruadYaeLw2Y:s4ZljB2tOUAOQZlZ1Hap4nya6RxY
Malware Config
Extracted
formbook
4.1
3nop
slot999.site
hagsahoy.com
howdyart.com
orders-marketplace.com
ranaa.email
masterlink.guru
archershut.com
weikumcommunications.com
dphardmoney.com
shjyutie.com
vivaberlin.net
mycto.today
curvygirlugc.com
otnmp.cfd
alwrists.com
propercandlecompany.com
allindustry-bg.com
theyoungbizacademy.com
expand658170.com
leslainesdumouchon.com
suptisa.com
picnic-in-andong.com
wanligui.com
cesarjunaro.com
kuxita.xyz
simpkecpr.com
microsoftsecuritys.com
responsefactor.com
polyggroup.com
talonxmfg.biz
jam-nins.com
picuar.com
familysafehidingplaces.com
centericehockey.com
appleidd.info
igctsansculottism.sbs
guiaestilosaude.online
happysscribe.com
tizzbizz.com
qcorretor.com
baremaster.online
liputanlima.com
ontherighttrack.systems
zzza002.xyz
k-aashirwaad.com
stillwatersagawork.com
skindoze.com
asdjmhfg.xyz
refaccionariafgnogales.com
hunn.pro
tlland.group
homebizen.com
newszi.xyz
nicetimecafe.net
qdbs.cloud
ebtl.wtf
dchasss.com
kijangjantan.tech
elegant-story.com
glimtmedia.com
1dot.online
neatneighborncclean.com
marionarzel.com
app-arthrex.com
xctech.world
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook payload (2 IoCs)
Processes:
  resource: behavioral2/memory/1092-136-0x0000000010410000-0x000000001043F000-memory.dmp, yara_rule: formbook
  resource: behavioral2/memory/628-138-0x0000000010410000-0x000000001043F000-memory.dmp, yara_rule: formbook
-
ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral2/memory/1092-132-0x0000000000810000-0x000000000083B000-memory.dmp, yara_rule: modiloader_stage2
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 120fa64f85b894d98a09843a4e0fe81a.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ylbueznh = "C:\\Users\\Public\\Libraries\\hnzeublY.url"
  process: 120fa64f85b894d98a09843a4e0fe81a.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes: wscript.exe
  description: PID 628 set thread context of 2416; pid: 628; process: wscript.exe; target process: Explorer.EXE
-
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: 120fa64f85b894d98a09843a4e0fe81a.exe, wscript.exe
  pid 1092, process 120fa64f85b894d98a09843a4e0fe81a.exe
  pid 1092, process 120fa64f85b894d98a09843a4e0fe81a.exe
  pid 628, process wscript.exe
  pid 628, process wscript.exe
  pid 628, process wscript.exe
  pid 628, process wscript.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
  pid 2416, process Explorer.EXE
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes: wscript.exe
  pid 628, process wscript.exe
-
Suspicious use of AdjustPrivilegeToken (13 IoCs)
Processes: wscript.exe, Explorer.EXE
  description: Token: SeDebugPrivilege; pid 628; process wscript.exe
  description: Token: SeShutdownPrivilege; pid 2416; process Explorer.EXE
  description: Token: SeCreatePagefilePrivilege; pid 2416; process Explorer.EXE
  description: Token: SeShutdownPrivilege; pid 2416; process Explorer.EXE
  description: Token: SeCreatePagefilePrivilege; pid 2416; process Explorer.EXE
  description: Token: SeShutdownPrivilege; pid 2416; process Explorer.EXE
  description: Token: SeCreatePagefilePrivilege; pid 2416; process Explorer.EXE
  description: Token: SeShutdownPrivilege; pid 2416; process Explorer.EXE
  description: Token: SeCreatePagefilePrivilege; pid 2416; process Explorer.EXE
  description: Token: SeShutdownPrivilege; pid 2416; process Explorer.EXE
  description: Token: SeCreatePagefilePrivilege; pid 2416; process Explorer.EXE
  description: Token: SeShutdownPrivilege; pid 2416; process Explorer.EXE
  description: Token: SeCreatePagefilePrivilege; pid 2416; process Explorer.EXE
-
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 120fa64f85b894d98a09843a4e0fe81a.exe, Explorer.EXE
  description: PID 1092 wrote to memory of 628; pid 1092; process 120fa64f85b894d98a09843a4e0fe81a.exe; target process wscript.exe
  description: PID 1092 wrote to memory of 628; pid 1092; process 120fa64f85b894d98a09843a4e0fe81a.exe; target process wscript.exe
  description: PID 1092 wrote to memory of 628; pid 1092; process 120fa64f85b894d98a09843a4e0fe81a.exe; target process wscript.exe
  description: PID 1092 wrote to memory of 628; pid 1092; process 120fa64f85b894d98a09843a4e0fe81a.exe; target process wscript.exe
  description: PID 1092 wrote to memory of 628; pid 1092; process 120fa64f85b894d98a09843a4e0fe81a.exe; target process wscript.exe
  description: PID 1092 wrote to memory of 628; pid 1092; process 120fa64f85b894d98a09843a4e0fe81a.exe; target process wscript.exe
  description: PID 2416 wrote to memory of 4572; pid 2416; process Explorer.EXE; target process netsh.exe
  description: PID 2416 wrote to memory of 4572; pid 2416; process Explorer.EXE; target process netsh.exe
  description: PID 2416 wrote to memory of 4572; pid 2416; process Explorer.EXE; target process netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\120fa64f85b894d98a09843a4e0fe81a.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\120fa64f85b894d98a09843a4e0fe81a.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wscript.exe (depth 2)
    Command line: C:\Windows\System32\wscript.exe
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/628-138-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize: 188KB)
- memory/628-134-0x0000000000000000-mapping.dmp
- memory/628-140-0x0000000004320000-0x0000000004335000-memory.dmp (Filesize: 84KB)
- memory/628-139-0x0000000004410000-0x000000000475A000-memory.dmp (Filesize: 3.3MB)
- memory/1092-136-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize: 188KB)
- memory/1092-132-0x0000000000810000-0x000000000083B000-memory.dmp (Filesize: 172KB)
- memory/1092-135-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize: 188KB)
- memory/2416-141-0x0000000007C00000-0x0000000007D3E000-memory.dmp (Filesize: 1.2MB)
- memory/2416-142-0x0000000002B50000-0x0000000002B60000-memory.dmp (Filesize: 64KB)
- memory/2416-143-0x0000000002FE0000-0x0000000002FF0000-memory.dmp (Filesize: 64KB)
- memory/2416-144-0x0000000003070000-0x0000000003080000-memory.dmp (Filesize: 64KB)
- memory/2416-145-0x0000000003070000-0x0000000003080000-memory.dmp (Filesize: 64KB)
- memory/2416-146-0x0000000002FE0000-0x0000000002FF0000-memory.dmp (Filesize: 64KB)
- memory/2416-147-0x0000000003070000-0x0000000003080000-memory.dmp (Filesize: 64KB)
- memory/2416-148-0x0000000003070000-0x0000000003080000-memory.dmp (Filesize: 64KB)