Analysis Overview
SHA256
4b382c5497bb61b9cc4189101e9595a031f37db9fa712b61cdc4a60f59bff8b4
Threat Level: Known bad
The file 6.exe was found to be: Known bad.
Malicious Activity Summary
Xloader
ModiLoader, DBatLoader
ModiLoader Second Stage
Xloader payload
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-17 11:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-17 11:33
Reported
2023-01-17 11:35
Platform
win7-20220812-en
Max time kernel
132s
Max time network
147s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | onedrive.live.com | udp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
Files
memory/788-54-0x0000000076681000-0x0000000076683000-memory.dmp
memory/788-55-0x00000000004E0000-0x000000000050C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-17 11:33
Reported
2023-01-17 11:35
Platform
win10v2004-20221111-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
ModiLoader, DBatLoader
Xloader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Whnuwjse = "C:\\Users\\Public\\Libraries\\esjwunhW.url" | C:\Users\Admin\AppData\Local\Temp\6.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3776 set thread context of 1032 | N/A | C:\Windows\SysWOW64\iexpress.exe | C:\Windows\Explorer.EXE |
| PID 4532 set thread context of 1032 | N/A | C:\Windows\SysWOW64\WWAHost.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WWAHost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WWAHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WWAHost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\iexpress.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | onedrive.live.com | udp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | oyu9oq.ph.files.1drv.com | udp |
| N/A | 13.107.42.12:443 | oyu9oq.ph.files.1drv.com | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | www.cielotherepy.com | udp |
| N/A | 8.8.8.8:53 | www.gongwenbo.com | udp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.allmnlenem.quest | udp |
| N/A | 8.8.8.8:53 | www.byausorsm26-plala.xyz | udp |
| N/A | 8.8.8.8:53 | a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| N/A | 8.8.8.8:53 | www.nathanmartinez.digital | udp |
| N/A | 8.8.8.8:53 | www.southerncorrosion.net | udp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | www.fabio.tools | udp |
| N/A | 8.8.8.8:53 | www.alert78.info | udp |
| N/A | 8.8.8.8:53 | www.kuechenpruefer.com | udp |
| N/A | 217.160.0.95:80 | www.kuechenpruefer.com | tcp |
| N/A | 8.8.8.8:53 | www.68135.online | udp |
| N/A | 8.8.8.8:53 | www.vulacils.com | udp |
| N/A | 8.8.8.8:53 | www.deepootech.com | udp |
| N/A | 8.8.8.8:53 | www.customapronsnow.com | udp |
| N/A | 18.65.39.29:80 | www.customapronsnow.com | tcp |
| N/A | 8.8.8.8:53 | www.handejqr.com | udp |
| N/A | 23.251.40.122:80 | www.handejqr.com | tcp |
| N/A | 8.8.8.8:53 | www.rematedeldia.com | udp |
| N/A | 23.227.38.74:80 | www.rematedeldia.com | tcp |
| N/A | 8.8.8.8:53 | www.fabio.tools | udp |
| N/A | 8.8.8.8:53 | www.68135.online | udp |
| N/A | 8.8.8.8:53 | www.mobilpartes.com | udp |
| N/A | 3.130.253.23:80 | www.mobilpartes.com | tcp |
Files
memory/4920-132-0x0000000003050000-0x000000000307C000-memory.dmp
memory/3776-134-0x0000000000000000-mapping.dmp
memory/4920-135-0x0000000010410000-0x0000000010439000-memory.dmp
memory/4920-136-0x0000000010410000-0x0000000010439000-memory.dmp
memory/3776-138-0x0000000010410000-0x0000000010439000-memory.dmp
memory/3776-139-0x0000000003FC0000-0x000000000430A000-memory.dmp
memory/3776-140-0x0000000003F70000-0x0000000003F81000-memory.dmp
memory/1032-141-0x00000000028C0000-0x0000000002A53000-memory.dmp
memory/4532-142-0x0000000000000000-mapping.dmp
memory/1752-143-0x0000000000000000-mapping.dmp
memory/4532-144-0x0000000000980000-0x0000000000A5C000-memory.dmp
memory/4532-145-0x0000000001BC0000-0x0000000001F0A000-memory.dmp
memory/4532-146-0x0000000001020000-0x0000000001049000-memory.dmp
memory/4532-147-0x00000000018F0000-0x0000000001980000-memory.dmp
memory/1032-148-0x0000000008460000-0x00000000085BF000-memory.dmp
memory/4532-149-0x0000000001020000-0x0000000001049000-memory.dmp
memory/1032-150-0x0000000008460000-0x00000000085BF000-memory.dmp