Analysis
-
max time kernel
156s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-01-2023 09:32
Static task
static1
Behavioral task
behavioral1
Sample
yeni siparis listesi.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
yeni siparis listesi.exe
Resource
win10v2004-20220812-en
General
-
Target
yeni siparis listesi.exe
-
Size
816KB
-
MD5
6b0f23e56a98160ef61e1864227b0617
-
SHA1
08b5e21bce19e406d182478a67bad6462b86a887
-
SHA256
7f354681e9ec602aef4dcdedfc3eb05a8f1a777b3691ae4d9d58e78240d49fe8
-
SHA512
961da7bd43e5fdf0f411fc4634614191be3e4e928d21e4a0c16d45b3f9dc7fed79079fc7bd3aff57883a77c48874b3e28ea8e590d57c6ac83f0a6c74fc63de40
-
SSDEEP
12288:hvTirPykFC+EQpA7EOiidyVMmfP8DspvZFVphCF807ldv8gUwowEl52joHDL4wk:aPVFn/A7vsV/f6MvvV+maKN5RA
Malware Config
Extracted
xloader
2.6
uj3c
copimetro.com
choonchain.com
luxxwireless.com
fashionweekofcincinnati.com
campingshare.net
suncochina.com
kidsfundoor.com
testingnyc.co
lovesoe.com
vehiclesbeenrecord.com
socialpearmarketing.com
maxproductdji.com
getallarticle.online
forummind.com
arenamarenostrum.com
trisuaka.xyz
designgamagazine.com
chateaulehotel.com
huangse5.com
esginvestment.tech
intercontinentalship.com
moneytaoism.com
agardenfortwo.com
trendiddas.com
fjuoomw.xyz
dantvilla.com
shopwithtrooperdavecom.com
lanwenzong.com
xpertsrealty.com
gamelabsmash.com
nomaxdic.com
chillyracing.com
mypleasure-blog.com
projectkyla.com
florurbana.com
oneplacemexico.com
gografic.com
giantht.com
dotombori-base.com
westlifinance.online
maacsecurity.com
lydas.info
instapandas.com
labustiadepaper.net
unglue52.com
onurnet.net
wellkept.info
6111.site
platinumroofingsusa.com
bodyplex.fitness
empireapothecary.com
meigsbuilds.online
garygrover.com
nicholasnikas.com
yd9992.com
protections-clients.info
sueyhzx.com
naturathome.info
superinformatico.net
printsgarden.com
xn--qn1b03fy2b841b.com
preferable.info
ozzyconstructionma.com
10stopp.online
nutricognition.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3036-132-0x0000000003040000-0x000000000306C000-memory.dmp modiloader_stage2 -
Xloader payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3036-136-0x0000000010410000-0x000000001043B000-memory.dmp xloader behavioral2/memory/4924-142-0x0000000010410000-0x000000001043B000-memory.dmp xloader behavioral2/memory/3396-146-0x0000000000A50000-0x0000000000A7B000-memory.dmp xloader behavioral2/memory/3396-147-0x0000000000A50000-0x0000000000A7B000-memory.dmp xloader -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
yeni siparis listesi.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xidtkrwo = "C:\\Users\\Public\\Libraries\\owrktdiX.url" yeni siparis listesi.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
iexpress.exeNETSTAT.EXEdescription pid process target process PID 4924 set thread context of 2348 4924 iexpress.exe Explorer.EXE PID 3396 set thread context of 2348 3396 NETSTAT.EXE Explorer.EXE -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 3396 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
yeni siparis listesi.exeiexpress.exeNETSTAT.EXEpid process 3036 yeni siparis listesi.exe 3036 yeni siparis listesi.exe 4924 iexpress.exe 4924 iexpress.exe 4924 iexpress.exe 4924 iexpress.exe 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE 3396 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 2348 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
iexpress.exeNETSTAT.EXEpid process 4924 iexpress.exe 4924 iexpress.exe 4924 iexpress.exe 3396 NETSTAT.EXE 3396 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
iexpress.exeExplorer.EXENETSTAT.EXEdescription pid process Token: SeDebugPrivilege 4924 iexpress.exe Token: SeShutdownPrivilege 2348 Explorer.EXE Token: SeCreatePagefilePrivilege 2348 Explorer.EXE Token: SeShutdownPrivilege 2348 Explorer.EXE Token: SeCreatePagefilePrivilege 2348 Explorer.EXE Token: SeDebugPrivilege 3396 NETSTAT.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
yeni siparis listesi.exeExplorer.EXENETSTAT.EXEdescription pid process target process PID 3036 wrote to memory of 4924 3036 yeni siparis listesi.exe iexpress.exe PID 3036 wrote to memory of 4924 3036 yeni siparis listesi.exe iexpress.exe PID 3036 wrote to memory of 4924 3036 yeni siparis listesi.exe iexpress.exe PID 3036 wrote to memory of 4924 3036 yeni siparis listesi.exe iexpress.exe PID 3036 wrote to memory of 4924 3036 yeni siparis listesi.exe iexpress.exe PID 3036 wrote to memory of 4924 3036 yeni siparis listesi.exe iexpress.exe PID 2348 wrote to memory of 3396 2348 Explorer.EXE NETSTAT.EXE PID 2348 wrote to memory of 3396 2348 Explorer.EXE NETSTAT.EXE PID 2348 wrote to memory of 3396 2348 Explorer.EXE NETSTAT.EXE PID 3396 wrote to memory of 4780 3396 NETSTAT.EXE cmd.exe PID 3396 wrote to memory of 4780 3396 NETSTAT.EXE cmd.exe PID 3396 wrote to memory of 4780 3396 NETSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\yeni siparis listesi.exe"C:\Users\Admin\AppData\Local\Temp\yeni siparis listesi.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\iexpress.exeC:\Windows\System32\iexpress.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\iexpress.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2348-140-0x0000000002FD0000-0x00000000030C5000-memory.dmpFilesize
980KB
-
memory/2348-150-0x0000000008250000-0x0000000008310000-memory.dmpFilesize
768KB
-
memory/2348-149-0x0000000008250000-0x0000000008310000-memory.dmpFilesize
768KB
-
memory/3036-135-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/3036-136-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/3036-132-0x0000000003040000-0x000000000306C000-memory.dmpFilesize
176KB
-
memory/3396-146-0x0000000000A50000-0x0000000000A7B000-memory.dmpFilesize
172KB
-
memory/3396-141-0x0000000000000000-mapping.dmp
-
memory/3396-144-0x0000000000A00000-0x0000000000A0B000-memory.dmpFilesize
44KB
-
memory/3396-145-0x0000000001440000-0x000000000178A000-memory.dmpFilesize
3.3MB
-
memory/3396-147-0x0000000000A50000-0x0000000000A7B000-memory.dmpFilesize
172KB
-
memory/3396-148-0x00000000011D0000-0x0000000001260000-memory.dmpFilesize
576KB
-
memory/4780-143-0x0000000000000000-mapping.dmp
-
memory/4924-142-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/4924-139-0x00000000040D0000-0x00000000040E1000-memory.dmpFilesize
68KB
-
memory/4924-137-0x00000000041F0000-0x000000000453A000-memory.dmpFilesize
3.3MB
-
memory/4924-134-0x0000000000000000-mapping.dmp