Analysis Overview
SHA256
040a34e5884c29dd12452d342e344fe0d40f8dc1ea161d93c2a6c35b0a7da08b
Threat Level: Known bad
The file U prilogu nova lista narudzbi.exe was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Xloader
Formbook
ModiLoader Second Stage
Xloader payload
Executes dropped EXE
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-20 09:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-20 09:36
Reported
2023-01-20 09:38
Platform
win7-20220812-en
Max time kernel
131s
Max time network
147s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe
"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | onedrive.live.com | udp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
Files
memory/580-54-0x0000000075931000-0x0000000075933000-memory.dmp
memory/580-55-0x0000000000290000-0x00000000002BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-20 09:36
Reported
2023-01-20 09:38
Platform
win10v2004-20221111-en
Max time kernel
152s
Max time network
154s
Command Line
Signatures
Formbook
ModiLoader, DBatLoader
Xloader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ZZG4TXTXPV = "C:\\Program Files (x86)\\Aut7pyh\\kfrlo8tevh4.exe" | C:\Windows\SysWOW64\cscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teiejegx = "C:\\Users\\Public\\Libraries\\xgejeieT.url" | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2676 set thread context of 2688 | N/A | C:\Windows\SysWOW64\iexpress.exe | C:\Windows\Explorer.EXE |
| PID 3348 set thread context of 2688 | N/A | C:\Windows\SysWOW64\cscript.exe | C:\Windows\Explorer.EXE |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe | C:\Windows\SysWOW64\cscript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Aut7pyh | C:\Windows\Explorer.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\iexpress.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe
"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"
C:\Windows\SysWOW64\iexpress.exe
C:\Windows\System32\iexpress.exe
C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\iexpress.exe"
C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe
"C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe"
C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.8.8.8:53 | onedrive.live.com | udp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 8.8.8.8:53 | mi4zkw.bn.files.1drv.com | udp |
| N/A | 13.107.42.12:443 | mi4zkw.bn.files.1drv.com | tcp |
| N/A | 8.8.8.8:53 | www.alifdanismanlik.com | udp |
| N/A | 65.109.63.101:80 | www.alifdanismanlik.com | tcp |
| N/A | 8.8.8.8:53 | www.leatherman-neal.com | udp |
| N/A | 20.50.80.209:443 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.8.8.8:53 | www.uschargeport.com | udp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 72.21.81.240:80 | | tcp |
| N/A | 8.8.8.8:53 | www.encludemedia.com | udp |
| N/A | 34.102.136.180:80 | www.encludemedia.com | tcp |
| N/A | 8.8.8.8:53 | www.oprimanumerodos.com | udp |
| N/A | 8.8.8.8:53 | www.rematedeldia.com | udp |
| N/A | 23.227.38.74:80 | www.rematedeldia.com | tcp |
| N/A | 8.247.210.254:80 | | tcp |
| N/A | 8.8.8.8:53 | www.spbutoto.com | udp |
| N/A | 188.114.97.0:80 | www.spbutoto.com | tcp |
| N/A | 8.8.8.8:53 | www.drimev.com | udp |
| N/A | 8.8.8.8:53 | www.laidbackfurniture.store | udp |
| N/A | 8.8.8.8:53 | www.nathanmartinez.digital | udp |
| N/A | 8.8.8.8:53 | www.librairie-adrienne.com | udp |
| N/A | 192.0.78.141:80 | www.librairie-adrienne.com | tcp |
| N/A | 8.8.8.8:53 | www.lankasirinspa.com | udp |
| N/A | 8.8.8.8:53 | www.bendyourtongue.com | udp |
| N/A | 34.102.136.180:80 | www.bendyourtongue.com | tcp |
| N/A | 8.8.8.8:53 | www.turkcuyuz.com | udp |
| N/A | 8.8.8.8:53 | www.mehfeels.com | udp |
| N/A | 34.98.99.30:80 | www.mehfeels.com | tcp |
| N/A | 8.8.8.8:53 | www.kuechenpruefer.com | udp |
| N/A | 217.160.0.95:80 | www.kuechenpruefer.com | tcp |
| N/A | 8.8.8.8:53 | www.ahmadfaizlajis.com | udp |
| N/A | 8.8.8.8:53 | www.1207rossmoyne.com | udp |
| N/A | 8.8.8.8:53 | www.bubu3cin.com | udp |
| N/A | 31.187.72.243:80 | www.bubu3cin.com | tcp |
| N/A | 8.8.8.8:53 | www.jasabacklinkweb20.com | udp |
Files
memory/4540-132-0x0000000002500000-0x000000000252C000-memory.dmp
memory/2676-134-0x0000000000000000-mapping.dmp
memory/4540-135-0x0000000010410000-0x0000000010439000-memory.dmp
memory/4540-136-0x0000000010410000-0x0000000010439000-memory.dmp
memory/2676-138-0x0000000003C40000-0x0000000003F8A000-memory.dmp
memory/2676-139-0x0000000003B90000-0x0000000003BA1000-memory.dmp
memory/2688-140-0x0000000002EC0000-0x0000000002FEF000-memory.dmp
memory/3348-141-0x0000000000000000-mapping.dmp
memory/2676-142-0x0000000010410000-0x0000000010439000-memory.dmp
memory/3468-143-0x0000000000000000-mapping.dmp
memory/3348-144-0x00000000008E0000-0x0000000000907000-memory.dmp
memory/3348-145-0x0000000002790000-0x0000000002ADA000-memory.dmp
memory/3348-146-0x00000000003D0000-0x00000000003F9000-memory.dmp
memory/2688-147-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-148-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-149-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-150-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-151-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-152-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-153-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-154-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-155-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-156-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-158-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-157-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-160-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-159-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-161-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-163-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-164-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-165-0x0000000007B00000-0x0000000007B10000-memory.dmp
memory/2688-166-0x0000000007B00000-0x0000000007B10000-memory.dmp
memory/3348-167-0x00000000025D0000-0x0000000002660000-memory.dmp
memory/2688-168-0x0000000008230000-0x000000000830F000-memory.dmp
memory/3348-169-0x00000000003D0000-0x00000000003F9000-memory.dmp
memory/2688-170-0x0000000007B00000-0x0000000007B10000-memory.dmp
memory/2688-171-0x0000000007B00000-0x0000000007B10000-memory.dmp
memory/2688-172-0x0000000008230000-0x000000000830F000-memory.dmp
memory/2688-173-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-174-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-175-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-176-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-177-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-178-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-179-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-180-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-181-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-182-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-183-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-184-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-185-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-186-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-187-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-188-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-189-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-190-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2688-191-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2688-192-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2688-193-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2688-194-0x00000000029F0000-0x0000000002A00000-memory.dmp
memory/2688-195-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2688-196-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2688-197-0x0000000002A00000-0x0000000002A10000-memory.dmp
memory/2224-198-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Aut7pyh\kfrlo8tevh4.exe
| MD5 | d594b2a33efafd0eabf09e3fdc05fcea |
| SHA1 | 06845890c783abb305a8c9bbd119df5de0a17e6f |
| SHA256 | dd2c185deae89d41f42fb9903aa274ae70b103ea2285184c4565f39b69df945f |
| SHA512 | 20e26f7ceb672a4b64cf05ca5595611b9fa561b6c141bd0e9fdc777836af1e343dffed81b07d8f3636d1e21a1fe42176c0a090dfb711eacd56006f85551e9a43 |
memory/4736-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DB1
| MD5 | b608d407fc15adea97c26936bc6f03f6 |
| SHA1 | 953e7420801c76393902c0d6bb56148947e41571 |
| SHA256 | b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf |
| SHA512 | cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4 |
memory/2688-203-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-204-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-205-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-206-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-207-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-208-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-209-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-210-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-211-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-212-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-214-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-213-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-215-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-216-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-217-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-218-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-219-0x0000000001070000-0x0000000001080000-memory.dmp
memory/2688-220-0x0000000007B10000-0x0000000007B20000-memory.dmp
memory/2688-221-0x0000000007B10000-0x0000000007B20000-memory.dmp
memory/2688-222-0x0000000007B10000-0x0000000007B20000-memory.dmp
memory/2688-223-0x0000000007B10000-0x0000000007B20000-memory.dmp