Analysis
max time kernel: 152s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2023, 09:36
Static task: static1
Behavioral task: behavioral1
Sample: U prilogu nova lista narudzbi.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: U prilogu nova lista narudzbi.exe
Resource: win10v2004-20221111-en
General
Target: U prilogu nova lista narudzbi.exe
Size: 740KB
MD5: c03c09f867ffd16bb0af27e90d77d917
SHA1: 0db2adb82a5500ae122fe35986a76264715b5985
SHA256: 040a34e5884c29dd12452d342e344fe0d40f8dc1ea161d93c2a6c35b0a7da08b
SHA512: 9a0157b8ec6d4e45f38913dbbca8a951d24590e8831d731a39ddc7511c5833e5a77932c446641f4cff14e30801dd224904e3632c0fbdd842c24d2660e26ff9e7
SSDEEP: 12288:QJwpjlZUpP4dtZp1EgkuI1EXfVFxLBoOQziyMD78phts2O16a:QopZ9tT1wuI1EtLLxiiya78phm
Malware Config
Extracted
xloader
2.5
euv4
anniebapartments.com
hagenbicycles.com
herbalist101.com
southerncorrosion.net
kuechenpruefer.com
tajniezdrzi.quest
segurofunerarioar.com
boardsandbeamsdecor.com
alifdanismanlik.com
pkem.top
mddc.clinic
handejqr.com
crux-at.com
awp.email
hugsforbubbs.com
cielotherepy.com
turkcuyuz.com
teamidc.com
lankasirinspa.com
68135.online
oprimanumerodos.com
launchclik.com
customapronsnow.com
thecuratedpour.com
20dzwww.com
encludemedia.com
kreativevisibility.net
mehfeels.com
oecmgroup.com
alert78.info
1207rossmoyne.com
spbutoto.com
t1uba.com
protection-onepa.com
byausorsm26-plala.xyz
bestpleasure4u.com
allmnlenem.quest
mobilpartes.com
fabio.tools
bubu3cin.com
nathanmartinez.digital
shristiprintingplaces.com
silkyflawless.com
berylgrote.top
laidbackfurniture.store
leatherman-neal.com
uschargeport.com
the-pumps.com
deepootech.com
drimev.com
seo-art.agency
jasabacklinkweb20.com
tracynicolalamond.com
dandtglaziers.com
vulacils.com
bendyourtongue.com
gulfund.com
ahmadfaizlajis.com
595531.com
metavillagehub.com
librairie-adrienne.com
77777.store
gongwenbo.com
game2plays.com
rematedeldia.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
- resource: behavioral2/memory/4540-132-0x0000000002500000-0x000000000252C000-memory.dmp, yara_rule: modiloader_stage2
Xloader payload 4 IoCs
- resource: behavioral2/memory/4540-136-0x0000000010410000-0x0000000010439000-memory.dmp, yara_rule: xloader
- resource: behavioral2/memory/2676-142-0x0000000010410000-0x0000000010439000-memory.dmp, yara_rule: xloader
- resource: behavioral2/memory/3348-146-0x00000000003D0000-0x00000000003F9000-memory.dmp, yara_rule: xloader
- resource: behavioral2/memory/3348-169-0x00000000003D0000-0x00000000003F9000-memory.dmp, yara_rule: xloader
Executes dropped EXE 1 IoCs
- PID 2224, process: kfrlo8tevh4.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
- Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: cscript.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZZG4TXTXPV = "C:\\Program Files (x86)\\Aut7pyh\\kfrlo8tevh4.exe" (process: cscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teiejegx = "C:\\Users\\Public\\Libraries\\xgejeieT.url" (process: U prilogu nova lista narudzbi.exe)
Suspicious use of SetThreadContext 2 IoCs
- PID 2676 (iexpress.exe) set thread context of PID 2688 (procid_target: 23)
- PID 3348 (cscript.exe) set thread context of PID 2688 (procid_target: 23)
Drops file in Program Files directory 4 IoCs
- File created: C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe (process: Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe (process: Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe (process: cscript.exe)
- File opened for modification: C:\Program Files (x86)\Aut7pyh (process: Explorer.EXE)
Modifies Internet Explorer settings 1 IoCs
- Key created: \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: cscript.exe)
Suspicious behavior: EnumeratesProcesses 54 IoCs
- PID 4540, process: U prilogu nova lista narudzbi.exe (2 entries)
- PID 2676, process: iexpress.exe (4 entries)
- PID 3348, process: cscript.exe (48 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- PID 2688, process: Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
- PID 2676, process: iexpress.exe (3 entries)
- PID 3348, process: cscript.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 34 IoCs
- Token: SeDebugPrivilege, PID 2676, process: iexpress.exe (1 entry)
- Token: SeDebugPrivilege, PID 3348, process: cscript.exe (1 entry)
- Token: SeShutdownPrivilege, PID 2688, process: Explorer.EXE (16 entries)
- Token: SeCreatePagefilePrivilege, PID 2688, process: Explorer.EXE (16 entries)
Suspicious use of WriteProcessMemory 21 IoCs
- PID 4540 (U prilogu nova lista narudzbi.exe) wrote to memory of PID 2676, procid_target: 82 (6 entries)
- PID 2688 (Explorer.EXE) wrote to memory of PID 3348, procid_target: 83 (3 entries)
- PID 3348 (cscript.exe) wrote to memory of PID 3468, procid_target: 86 (3 entries)
- PID 2688 (Explorer.EXE) wrote to memory of PID 2224, procid_target: 93 (3 entries)
- PID 3348 (cscript.exe) wrote to memory of PID 4736, procid_target: 94 (3 entries)
- PID 3348 (cscript.exe) wrote to memory of PID 4688, procid_target: 96 (3 entries)
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) PID:2688
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe (command line: "C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe") PID:4540
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\iexpress.exe (command line: C:\Windows\System32\iexpress.exe) PID:2676
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe (command line: "C:\Windows\SysWOW64\cscript.exe") PID:3348
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Windows\SysWOW64\iexpress.exe") PID:3468
    C:\Windows\SysWOW64\cmd.exe (command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V) PID:4736
    C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe") PID:4688
  C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe (command line: "C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe") PID:2224
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 148KB (this entry appears twice in the report)
  MD5: d594b2a33efafd0eabf09e3fdc05fcea
  SHA1: 06845890c783abb305a8c9bbd119df5de0a17e6f
  SHA256: dd2c185deae89d41f42fb9903aa274ae70b103ea2285184c4565f39b69df945f
  SHA512: 20e26f7ceb672a4b64cf05ca5595611b9fa561b6c141bd0e9fdc777836af1e343dffed81b07d8f3636d1e21a1fe42176c0a090dfb711eacd56006f85551e9a43
- Filesize: 40KB
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4