Analysis
max time kernel: 64s
max time network: 135s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 30-11-2022 17:46
Static task: static1
Behavioral task: behavioral1
  Sample: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
  Resource: win10v2004-20220812-en
General
Target: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
Size: 976KB
MD5: 72d3cb6dec38a72bb9996cf50f9ca152
SHA1: fc0094507beca86633a2ff012a91d9e54a058c0d
SHA256: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773
SHA512: b3f1e45494120de1b50b7497f5ffa9f3ec105fdc3928d6951f8194a5c427d980d03c062d75f068714eb7540715e85aebf33211dafc9b6bdfaa8ac2207ee9214a
SSDEEP: 12288:Rt1rtR29DwSwNy6ZgFwg0jPacng2WnAH+QIMYHCoDaMycZ+rfF8hWf:RnxhSwNy6eFGC+jv+QIPHtDocoJf
Malware Config
Extracted
formbook
4.1
yko3
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook payload (1 IoC)
  resource: behavioral1/memory/1380-70-0x0000000004A50000-0x0000000004A7E000-memory.dmp
  yara_rule: formbook

ModiLoader Second Stage (1 IoC)
  resource: behavioral1/memory/1380-64-0x0000000004500000-0x0000000004549000-memory.dmp
  yara_rule: modiloader_stage2

Adds Run key to start application (2 TTPs, 1 IoC)
  process: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nikij = "C:\\Users\\Public\\Libraries\\jikiN.url"

Program crash (1 IoC)
  process: WerFault.exe (pid 1576)
  target process: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe (pid 1380)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  process: 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe (pid 1380)

Suspicious use of WriteProcessMemory (4 IoCs)
  pid / process -> target pid / target process
  1380 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe -> 1576 WerFault.exe
  1380 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe -> 1576 WerFault.exe
  1380 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe -> 1576 WerFault.exe
  1380 4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe -> 1576 WerFault.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe (PID 1380)
   command line: "C:\Users\Admin\AppData\Local\Temp\4b2e593addbb89b981e8b3d9ead6cb2bbafd646a620942803c268aeb51a6f773.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe (PID 1576, child of PID 1380)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 1396
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/1380-55-0x0000000000580000-0x000000000059A000-memory.dmp (104KB)
memory/1380-61-0x00000000757A1000-0x00000000757A3000-memory.dmp (8KB)
memory/1380-64-0x0000000004500000-0x0000000004549000-memory.dmp (292KB)
memory/1380-70-0x0000000004A50000-0x0000000004A7E000-memory.dmp (184KB)
memory/1380-72-0x0000000004D50000-0x0000000005053000-memory.dmp (3.0MB)
memory/1576-71-0x0000000000000000-mapping.dmp