Analysis
- max time kernel: 75s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/01/2023, 13:17
Static task
static1
Behavioral task
behavioral1
Sample
U prilogu nova lista narudzbi.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
U prilogu nova lista narudzbi.exe
Resource
win10v2004-20221111-en
General
-
Target
U prilogu nova lista narudzbi.exe
-
Size
740KB
-
MD5
c03c09f867ffd16bb0af27e90d77d917
-
SHA1
0db2adb82a5500ae122fe35986a76264715b5985
-
SHA256
040a34e5884c29dd12452d342e344fe0d40f8dc1ea161d93c2a6c35b0a7da08b
-
SHA512
9a0157b8ec6d4e45f38913dbbca8a951d24590e8831d731a39ddc7511c5833e5a77932c446641f4cff14e30801dd224904e3632c0fbdd842c24d2660e26ff9e7
-
SSDEEP
12288:QJwpjlZUpP4dtZp1EgkuI1EXfVFxLBoOQziyMD78phts2O16a:QopZ9tT1wuI1EtLLxiiya78phm
Malware Config
Extracted
xloader
2.5
euv4
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
resource: behavioral2/memory/4272-132-0x0000000002580000-0x00000000025AC000-memory.dmp; yara_rule: modiloader_stage2
Xloader payload 1 IoCs
resource: behavioral2/memory/4272-136-0x0000000030410000-0x0000000030439000-memory.dmp; yara_rule: xloader
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str); ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teiejegx = "C:\\Users\\Public\\Libraries\\xgejeieT.url"; Process: U prilogu nova lista narudzbi.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid: 4272; Process: U prilogu nova lista narudzbi.exe
pid: 4272; Process: U prilogu nova lista narudzbi.exe
Suspicious use of WriteProcessMemory 3 IoCs
description: PID 4272 wrote to memory of 4992; pid: 4272; Process: U prilogu nova lista narudzbi.exe; procid_target: 85
description: PID 4272 wrote to memory of 4992; pid: 4272; Process: U prilogu nova lista narudzbi.exe; procid_target: 85
description: PID 4272 wrote to memory of 4992; pid: 4272; Process: U prilogu nova lista narudzbi.exe; procid_target: 85
Processes
1. C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"
   - Adds Run key to start application
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 4272
   2. C:\Windows\SysWOW64\colorcpl.exe (child of PID 4272)
      command line: C:\Windows\System32\colorcpl.exe
      PID: 4992