Analysis Overview
SHA256
a275054bea0eb816c6d045580e02c610eb476b33062d34c1913375475de53279
Threat Level: Known bad
The file U prilogu nova lista narudzbi.zip was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Xloader
ModiLoader Second Stage
Xloader payload
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-20 13:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-20 13:17
Reported
2023-01-20 13:19
Platform
win7-20221111-en
Max time kernel
134s
Max time network
151s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe
"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | onedrive.live.com | udp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
Files
memory/1252-54-0x00000000761E1000-0x00000000761E3000-memory.dmp
memory/1252-55-0x00000000003D0000-0x00000000003FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-20 13:17
Reported
2023-01-20 13:19
Platform
win10v2004-20221111-en
Max time kernel
75s
Max time network
135s
Command Line
Signatures
ModiLoader, DBatLoader
Xloader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Teiejegx = "C:\\Users\\Public\\Libraries\\xgejeieT.url" | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4272 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe | C:\Windows\SysWOW64\colorcpl.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe
"C:\Users\Admin\AppData\Local\Temp\U prilogu nova lista narudzbi.exe"
C:\Windows\SysWOW64\colorcpl.exe
C:\Windows\System32\colorcpl.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | onedrive.live.com | udp |
| N/A | 13.107.42.13:443 | onedrive.live.com | tcp |
| N/A | 8.8.8.8:53 | mi4zkw.bn.files.1drv.com | udp |
| N/A | 13.107.43.12:443 | mi4zkw.bn.files.1drv.com | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 51.11.192.48:443 | N/A | tcp |
| N/A | 72.21.81.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| N/A | 8.248.99.254:80 | N/A | tcp |
Files
memory/4272-132-0x0000000002580000-0x00000000025AC000-memory.dmp
memory/4992-134-0x0000000000000000-mapping.dmp
memory/4272-135-0x0000000030410000-0x0000000030439000-memory.dmp
memory/4272-136-0x0000000030410000-0x0000000030439000-memory.dmp