Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 08-01-2023 06:56
Static task: static1
Behavioral task: behavioral1 (sample Nainlvkuhdtqpx.exe, resource win7-20220901-en)
Behavioral task: behavioral2 (sample Nainlvkuhdtqpx.exe, resource win10v2004-20220812-en)
General
- Target: Nainlvkuhdtqpx.exe
- Size: 700KB
- MD5: 547abdfd3ecdbbc533c608b4a3168b99
- SHA1: 6b5b996871c2da3494cfcdc0d352acf35ad486c7
- SHA256: 2ffd794617caa37c56661fa29be97f34a50f7a49f76e4caa3570b6f2cadd7b34
- SHA512: aee32e21489ed4b3c1cb6594996a34aa52242897a7fb2de6d3ee4a23cafb4c0bc7506f1561247d2afe5219cd0c6fec9e4cbe9935d2887fd4ea9f9acae1f2af27
- SSDEEP: 12288:bgBB6jXPwPtg1b0RYoaN8ntpKzHVKnqAFchi8oyn7nBad:byESSV4YCQzHMqSATB
Malware Config
Extracted
formbook
nvp4
brainbookgroup.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
yara_rule: modiloader_stage2 matched behavioral2/memory/2760-132-0x0000000002870000-0x000000000289D000-memory.dmp
-
Adds Run key to start application 2 TTPs 1 IoCs
Process: Nainlvkuhdtqpx.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nainlvku = "C:\\Users\\Public\\Libraries\\ukvlniaN.url"
-
Suspicious use of SetThreadContext 2 IoCs
- PID 1960 iexpress.exe set thread context of PID 2348 Explorer.EXE
- PID 2312 NETSTAT.EXE set thread context of PID 2348 Explorer.EXE
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Process: PID 2312 NETSTAT.EXE
-
Modifies Internet Explorer settings 1 IoCs
Process: NETSTAT.EXE
Key created: \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
- PID 2760 Nainlvkuhdtqpx.exe (4 entries)
- PID 1960 iexpress.exe (8 entries)
- PID 2312 NETSTAT.EXE (remaining 50 entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2348 Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
- PID 1960 iexpress.exe (3 entries)
- PID 2312 NETSTAT.EXE (4 entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
- Token: SeDebugPrivilege, PID 1960 iexpress.exe
- Token: SeShutdownPrivilege, PID 2348 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2348 Explorer.EXE
- Token: SeShutdownPrivilege, PID 2348 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 2348 Explorer.EXE
- Token: SeDebugPrivilege, PID 2312 NETSTAT.EXE
-
Suspicious use of WriteProcessMemory 12 IoCs
- PID 2760 Nainlvkuhdtqpx.exe wrote to memory of PID 1960 iexpress.exe (6 entries)
- PID 2348 Explorer.EXE wrote to memory of PID 2312 NETSTAT.EXE (3 entries)
- PID 2312 NETSTAT.EXE wrote to memory of PID 1488 Firefox.exe (3 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Nainlvkuhdtqpx.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Nainlvkuhdtqpx.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\iexpress.exe
         Command line: C:\Windows\System32\iexpress.exe
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\NETSTAT.EXE
      Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1960-143-0x0000000010432000-0x0000000010434000-memory.dmp (Filesize 8KB)
- memory/1960-134-0x0000000000000000-mapping.dmp
- memory/1960-147-0x0000000010411000-0x000000001043F000-memory.dmp (Filesize 184KB)
- memory/1960-146-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize 188KB)
- memory/1960-140-0x0000000010411000-0x000000001043F000-memory.dmp (Filesize 184KB)
- memory/1960-138-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize 188KB)
- memory/1960-141-0x0000000003660000-0x00000000039AA000-memory.dmp (Filesize 3.3MB)
- memory/1960-142-0x0000000002210000-0x0000000002220000-memory.dmp (Filesize 64KB)
- memory/2312-145-0x0000000000000000-mapping.dmp
- memory/2312-148-0x0000000000280000-0x000000000028B000-memory.dmp (Filesize 44KB)
- memory/2312-149-0x0000000001080000-0x00000000010AD000-memory.dmp (Filesize 180KB)
- memory/2312-150-0x0000000001740000-0x0000000001A8A000-memory.dmp (Filesize 3.3MB)
- memory/2312-151-0x0000000001620000-0x00000000016AF000-memory.dmp (Filesize 572KB)
- memory/2312-153-0x0000000001080000-0x00000000010AD000-memory.dmp (Filesize 180KB)
- memory/2348-144-0x0000000008400000-0x0000000008531000-memory.dmp (Filesize 1.2MB)
- memory/2348-152-0x0000000002FD0000-0x0000000003087000-memory.dmp (Filesize 732KB)
- memory/2348-154-0x0000000002FD0000-0x0000000003087000-memory.dmp (Filesize 732KB)
- memory/2760-132-0x0000000002870000-0x000000000289D000-memory.dmp (Filesize 180KB)
- memory/2760-136-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize 188KB)
- memory/2760-135-0x0000000010410000-0x000000001043F000-memory.dmp (Filesize 188KB)