Analysis
max time kernel: 172s
max time network: 175s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-12-2022 20:07
Static task: static1
Behavioral task: behavioral1
  Sample: CJYUAEBL.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: CJYUAEBL.exe
  Resource: win10v2004-20220812-en
General
Target: CJYUAEBL.exe
Size: 1010KB
MD5: 7cb5f631784c4e56f1bbbd2db5e08cf4
SHA1: 467bcd4c278b2fae07b3dfb68b29814f0c1ec606
SHA256: ffa9f3d0e3d4d29b10cba30fe3394d538b8c415e9c29cf36a56990e9204ec7bf
SHA512: 07ec1ed2124d24c02438fec3cd9ca65897f320fcb324192f5717ff0759c3a6a24e04e88dff84fd4ba37e0370c24d092231c93147fe90e93ce981cda6335d33f2
SSDEEP: 24576:owfXt2qCbasU3cyK9pNhMhtrjxLF7ZQ/ronBb5:oEcO+9bh+1lLFaMnBb
Malware Config
Extracted
Family: bitrat
Version: 1.38
C2: winery.nsupdate.info:5877
communication_password: e5ff7c52fb3501484ea7ca8641803415
tor_process: tor
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
ModiLoader Second Stage (1 IoC)
Processes:
  resource: behavioral2/memory/3196-132-0x0000000002450000-0x000000000247B000-memory.dmp  yara_rule: modiloader_stage2
Processes:
  resource: behavioral2/memory/3196-135-0x0000000010410000-0x00000000107F4000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/3196-136-0x0000000010410000-0x00000000107F4000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/4804-138-0x0000000010410000-0x00000000107F4000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/4804-139-0x0000000010410000-0x00000000107F4000-memory.dmp  yara_rule: upx
  resource: behavioral2/memory/4804-141-0x0000000010410000-0x00000000107F4000-memory.dmp  yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: CJYUAEBL.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cjyuaebl = "C:\\Users\\Public\\Libraries\\lbeauyjC.url"
  process: CJYUAEBL.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (5 IoCs)
Processes: colorcpl.exe
  pid 4804  process colorcpl.exe  (this row is reported 5 times)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: CJYUAEBL.exe
  pid 3196  process CJYUAEBL.exe  (this row is reported 2 times)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: colorcpl.exe
  description: Token: SeShutdownPrivilege  pid 4804  process colorcpl.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: colorcpl.exe
  pid 4804  process colorcpl.exe  (this row is reported 2 times)
Suspicious use of WriteProcessMemory (25 IoCs)
Processes: CJYUAEBL.exe
  description: PID 3196 wrote to memory of 4804  pid 3196  process CJYUAEBL.exe  target process colorcpl.exe  (this row is reported 25 times)
Processes
C:\Users\Admin\AppData\Local\Temp\CJYUAEBL.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CJYUAEBL.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\colorcpl.exe (depth 2)
    Command line: C:\Windows\System32\colorcpl.exe
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/3196-132-0x0000000002450000-0x000000000247B000-memory.dmp  Filesize: 172KB
memory/3196-135-0x0000000010410000-0x00000000107F4000-memory.dmp  Filesize: 3.9MB
memory/3196-136-0x0000000010410000-0x00000000107F4000-memory.dmp  Filesize: 3.9MB
memory/4804-134-0x0000000000000000-mapping.dmp
memory/4804-138-0x0000000010410000-0x00000000107F4000-memory.dmp  Filesize: 3.9MB
memory/4804-139-0x0000000010410000-0x00000000107F4000-memory.dmp  Filesize: 3.9MB
memory/4804-140-0x0000000074D60000-0x0000000074D99000-memory.dmp  Filesize: 228KB
memory/4804-141-0x0000000010410000-0x00000000107F4000-memory.dmp  Filesize: 3.9MB