Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 08:38
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe
- Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe
- Size: 782KB
- MD5: a5e7d643822b4bec515727dcb5a81654
- SHA1: 378be3dff71b0a5486758091c71149202e19e78b
- SHA256: dc35d3d87c8f062b000472a46ec166c5bf8f399f95c02717eab4ce542043afd7
- SHA512: f3f7db1e7d2d05c0ffb96f829b1cc93692dc8130175e67398a9626e475f0a6472641cc57417a7ad39df765bb5b350b408b99bb98fe9621f6c082cd3c091241af
- SSDEEP: 12288:9mHYsrAQMj7JP2cAmYOKe2ncjOQZ0RDFHNFap4nruadYaeLw2Y:s4ZljB2tOUAOQZ0Z1Hap4nya6RxY
Malware Config
- Extracted: formbook
- nvp4
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
Processes:
- resource: behavioral2/memory/2064-132-0x00000000022A0000-0x00000000022CB000-memory.dmp, yara_rule: modiloader_stage2

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- description: Key value queried, ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation, process: wscript.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nxqyldvh = "C:\\Users\\Public\\Libraries\\hvdlyqxN.url", process: SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
- description: PID 3500 set thread context of 2688, pid: 3500, process: wscript.exe, target process: Explorer.EXE

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
- pid: 2064, process: SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe (2 entries)
- pid: 3500, process: wscript.exe (8 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- pid: 2688, process: Explorer.EXE

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
- pid: 3500, process: wscript.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
- description: Token: SeDebugPrivilege, pid: 3500, process: wscript.exe
- description: Token: SeShutdownPrivilege, pid: 2688, process: Explorer.EXE (4 entries)
- description: Token: SeCreatePagefilePrivilege, pid: 2688, process: Explorer.EXE (4 entries)

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
- pid: 2688, process: Explorer.EXE (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
- pid: 2688, process: Explorer.EXE (3 entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- description: PID 2064 wrote to memory of 3500, pid: 2064, process: SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe, target process: wscript.exe (6 entries)
- description: PID 2688 wrote to memory of 2772, pid: 2688, process: Explorer.EXE, target process: systray.exe (3 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\wscript.exe
      command line: C:\Windows\System32\wscript.exe
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2064-132-0x00000000022A0000-0x00000000022CB000-memory.dmp (filesize 172KB)
- memory/2064-135-0x0000000010410000-0x000000001043F000-memory.dmp (filesize 188KB)
- memory/2064-136-0x0000000010410000-0x000000001043F000-memory.dmp (filesize 188KB)
- memory/2688-143-0x0000000008280000-0x00000000083C4000-memory.dmp (filesize 1.3MB)
- memory/3500-134-0x0000000000000000-mapping.dmp
- memory/3500-138-0x0000000010410000-0x000000001043F000-memory.dmp (filesize 188KB)
- memory/3500-139-0x0000000010411000-0x000000001043F000-memory.dmp (filesize 184KB)
- memory/3500-140-0x0000000004350000-0x000000000469A000-memory.dmp (filesize 3.3MB)
- memory/3500-141-0x0000000010432000-0x0000000010434000-memory.dmp (filesize 8KB)
- memory/3500-142-0x0000000004280000-0x0000000004290000-memory.dmp (filesize 64KB)
- memory/3500-144-0x0000000010410000-0x000000001043F000-memory.dmp (filesize 188KB)