Analysis
max time kernel: 172s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 14:25
Static task: static1
Behavioral task: behavioral1 (sample: fffggdd.exe, resource: win7-20221111-en)
Behavioral task: behavioral2 (sample: fffggdd.exe, resource: win10v2004-20221111-en)
General
Target: fffggdd.exe
Size: 782KB
MD5: f20f55180ec2d3663e57a59c12b90888
SHA1: f3b202975017b328605c703676d852d4248883b5
SHA256: 267c00aebd4e485e7ecb00f9708c1ae7b8d2a7bef84ba980d0783abe3fed4b6f
SHA512: c1844a38aee0e3491f46f25b3acc28cd0999c11032ebed26b9c54c882a5154bd4387ded1c0ece8b404b739ca1591ebdc6d6531281bcb77b4c7045928b0d70c43
SSDEEP: 12288:9mHYsrAQMj7JP2cAmYOKe2ncjOQZgRDFHNFap4nruadYaeLw2Y:s4ZljB2tOUAOQZgZ1Hap4nya6RxY
Malware Config
Extracted
formbook
t3qw
thestillout.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage (1 IoC)
Processes:
resource: behavioral2/memory/2680-132-0x00000000023D0000-0x00000000023FB000-memory.dmp, yara_rule: modiloader_stage2
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
fffggdd.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Zphlklkm = "C:\\Users\\Public\\Libraries\\mklklhpZ.url"
-
Suspicious use of SetThreadContext (2 IoCs)
Processes:
colorcpl.exe (PID 4856) set thread context of PID 1068 (Explorer.EXE), 2 events
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
fffggdd.exe (PID 2680), 2 events
colorcpl.exe (PID 4856), 10 events
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
colorcpl.exe (PID 4856), 2 events
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
colorcpl.exe (PID 4856): Token: SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
fffggdd.exe (PID 2680) wrote to memory of PID 4856 (colorcpl.exe), 6 events
Processes
-
C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
-
  C:\Users\Admin\AppData\Local\Temp\fffggdd.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\fffggdd.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\colorcpl.exe
    command line: C:\Windows\System32\colorcpl.exe
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1068-143-0x0000000008030000-0x00000000081DA000-memory.dmp (filesize: 1.7MB)
memory/2680-132-0x00000000023D0000-0x00000000023FB000-memory.dmp (filesize: 172KB)
memory/2680-135-0x0000000010410000-0x000000001043F000-memory.dmp (filesize: 188KB)
memory/2680-136-0x0000000010410000-0x000000001043F000-memory.dmp (filesize: 188KB)
memory/4856-134-0x0000000000000000-mapping.dmp
memory/4856-138-0x0000000010410000-0x000000001043F000-memory.dmp (filesize: 188KB)
memory/4856-139-0x0000000010411000-0x000000001043F000-memory.dmp (filesize: 184KB)
memory/4856-140-0x0000000003460000-0x00000000037AA000-memory.dmp (filesize: 3.3MB)
memory/4856-142-0x0000000005680000-0x0000000005690000-memory.dmp (filesize: 64KB)
memory/4856-144-0x0000000010410000-0x000000001043F000-memory.dmp (filesize: 188KB)
memory/4856-145-0x0000000005830000-0x0000000005840000-memory.dmp (filesize: 64KB)