Analysis
- max time kernel: 176s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-02-2023 15:38
Static task: static1
Behavioral task: behavioral1
- Sample: Order confirmation proforma Invoice.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Order confirmation proforma Invoice.exe
- Resource: win10v2004-20221111-en
General
- Target: Order confirmation proforma Invoice.exe
- Size: 884KB
- MD5: 083de0a909532eb3348578a7beb95bca
- SHA1: 29e83783b3fe5a4e483dec157141f066a6af7026
- SHA256: fdff6b98ec2be3abdd05531d36bc50d514d449dc6f753fb6aa8d4657e5669828
- SHA512: 5c599d3d780886f2b259fd457c976833a6fb3b48e870fda1a58271637cfeda6cbaeae5a2fbb6308496477d6e6fffd9e6f910860b6dda8e7f44c880fd97a3a932
- SSDEEP: 12288:Cb8A+lyMML0gN55kXFyqf0bGBvGoE3IhAf1nAhglR:C4ZzML0gN5WXFaK9GoEHf1nAhglR
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: euv4
- Decoy domains (xloader mixes its real C2 into this list and contacts several entries per beacon, so every entry below is an indicator; the report does not single out the live C2):
anniebapartments.com
hagenbicycles.com
herbalist101.com
southerncorrosion.net
kuechenpruefer.com
tajniezdrzi.quest
segurofunerarioar.com
boardsandbeamsdecor.com
alifdanismanlik.com
pkem.top
mddc.clinic
handejqr.com
crux-at.com
awp.email
hugsforbubbs.com
cielotherepy.com
turkcuyuz.com
teamidc.com
lankasirinspa.com
68135.online
oprimanumerodos.com
launchclik.com
customapronsnow.com
thecuratedpour.com
20dzwww.com
encludemedia.com
kreativevisibility.net
mehfeels.com
oecmgroup.com
alert78.info
1207rossmoyne.com
spbutoto.com
t1uba.com
protection-onepa.com
byausorsm26-plala.xyz
bestpleasure4u.com
allmnlenem.quest
mobilpartes.com
fabio.tools
bubu3cin.com
nathanmartinez.digital
shristiprintingplaces.com
silkyflawless.com
berylgrote.top
laidbackfurniture.store
leatherman-neal.com
uschargeport.com
the-pumps.com
deepootech.com
drimev.com
seo-art.agency
jasabacklinkweb20.com
tracynicolalamond.com
dandtglaziers.com
vulacils.com
bendyourtongue.com
gulfund.com
ahmadfaizlajis.com
595531.com
metavillagehub.com
librairie-adrienne.com
77777.store
gongwenbo.com
game2plays.com
rematedeldia.com
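The domain list above is only useful if it is matched correctly against resolver logs: queries arrive in mixed case, with a trailing dot, or as subdomains (www.example.com) of a listed name, and a naive substring test would also fire on unrelated names that merely end in the same letters. The following is an added example, not part of the sandbox report: XLOADER_DOMAINS is copied from the Malware Config section, SAMPLE_DNS_LOG is constructed for the example, and its four-column format (timestamp, client IP, queried name, query type) is an assumption rather than any real resolver's log format.

```python
"""Hunt DNS query logs for the domain list from the extracted xloader config.

Added example, not part of the sandbox report. XLOADER_DOMAINS is copied from
the Malware Config section above; SAMPLE_DNS_LOG is constructed, and its
format (timestamp, client, queried name, query type) is an assumption.
"""
from typing import Iterable, List, Optional, Tuple

XLOADER_DOMAINS = frozenset("""
anniebapartments.com hagenbicycles.com herbalist101.com southerncorrosion.net
kuechenpruefer.com tajniezdrzi.quest segurofunerarioar.com boardsandbeamsdecor.com
alifdanismanlik.com pkem.top mddc.clinic handejqr.com crux-at.com awp.email
hugsforbubbs.com cielotherepy.com turkcuyuz.com teamidc.com lankasirinspa.com
68135.online oprimanumerodos.com launchclik.com customapronsnow.com
thecuratedpour.com 20dzwww.com encludemedia.com kreativevisibility.net
mehfeels.com oecmgroup.com alert78.info 1207rossmoyne.com spbutoto.com t1uba.com
protection-onepa.com byausorsm26-plala.xyz bestpleasure4u.com allmnlenem.quest
mobilpartes.com fabio.tools bubu3cin.com nathanmartinez.digital
shristiprintingplaces.com silkyflawless.com berylgrote.top
laidbackfurniture.store leatherman-neal.com uschargeport.com the-pumps.com
deepootech.com drimev.com seo-art.agency jasabacklinkweb20.com
tracynicolalamond.com dandtglaziers.com vulacils.com bendyourtongue.com
gulfund.com ahmadfaizlajis.com 595531.com metavillagehub.com
librairie-adrienne.com 77777.store gongwenbo.com game2plays.com rematedeldia.com
""".split())

# Constructed sample log: timestamp, client IP, queried name, query type.
SAMPLE_DNS_LOG = """\
2023-02-16T15:40:01Z 10.0.0.5 www.anniebapartments.com A
2023-02-16T15:40:02Z 10.0.0.5 update.microsoft.com A
2023-02-16T15:40:03Z 10.0.0.7 HANDEJQR.COM. A
2023-02-16T15:40:04Z 10.0.0.9 notkuechenpruefer.com A
2023-02-16T15:40:05Z 10.0.0.5 mail.77777.store MX
"""


def match_domain(qname: str) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Matching walks label boundaries (a.b.c.com -> a.b.c.com, b.c.com, c.com, com),
    so notkuechenpruefer.com does not match kuechenpruefer.com.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in XLOADER_DOMAINS:
            return candidate
    return None


def hunt(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched domain) for every hit in the log."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or blank line
        _ts, client, qname, _qtype = fields[:4]
        matched = match_domain(qname)
        if matched:
            hits.append((client, qname, matched))
    return hits


if __name__ == "__main__":
    for client, qname, matched in hunt(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client} queried {qname} (matches {matched})")
```

Most entries in an xloader list are otherwise-legitimate decoy sites, so a single hit is a lead rather than a verdict: correlate it with the host and the process that issued the query (for example Sysmon Event ID 22) before acting on it.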
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
- yara rule modiloader_stage2 matched behavioral2/memory/516-132-0x0000000000A10000-0x0000000000A3C000-memory.dmp

Xloader payload (4 IoCs)
- yara rule xloader matched behavioral2/memory/516-158-0x0000000010410000-0x0000000010439000-memory.dmp
- yara rule xloader matched behavioral2/memory/5032-164-0x0000000010410000-0x0000000010439000-memory.dmp
- yara rule xloader matched behavioral2/memory/3676-167-0x0000000000800000-0x0000000000829000-memory.dmp
- yara rule xloader matched behavioral2/memory/3676-172-0x0000000000800000-0x0000000000829000-memory.dmp

Executes dropped EXE (1 IoC)
- PID 3396 easinvoker.exe

Loads dropped DLL (1 IoC)
- PID 3396 easinvoker.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Order confirmation proforma Invoice.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Itfzmikw = "C:\\Users\\Public\\Libraries\\wkimzftI.url" (the value name is the .url file name spelled backwards)

Suspicious use of SetThreadContext (2 IoCs)
- PID 5032 iexpress.exe set thread context of PID 700 Explorer.EXE
- PID 3676 msdt.exe set thread context of PID 700 Explorer.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
- xcopy.exe (three instances): Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier

Runs ping.exe (1 TTP, 1 IoC)
- PID 3736 PING.EXE (ping 127.0.0.1 -n 6 in the process tree below, a loopback ping used as a delay)

Suspicious behavior: EnumeratesProcesses (46 IoCs)
- PID 892 powershell.exe (2)
- PID 516 Order confirmation proforma Invoice.exe (2)
- PID 5032 iexpress.exe (4)
- PID 3676 msdt.exe (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 700 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 5032 iexpress.exe (3)
- PID 3676 msdt.exe (2)

Suspicious use of AdjustPrivilegeToken (7 IoCs)
- PID 892 powershell.exe: SeDebugPrivilege
- PID 5032 iexpress.exe: SeDebugPrivilege
- PID 700 Explorer.EXE: SeShutdownPrivilege, SeCreatePagefilePrivilege (each twice)
- PID 3676 msdt.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (42 IoCs; repeated rows collapsed, count in parentheses)
- PID 516 Order confirmation proforma Invoice.exe wrote to PID 708 cmd.exe (3)
- PID 708 cmd.exe wrote to PID 2532 cmd.exe (3)
- PID 708 cmd.exe wrote to PID 4784 xcopy.exe (3)
- PID 708 cmd.exe wrote to PID 4432 cmd.exe (3)
- PID 708 cmd.exe wrote to PID 4844 xcopy.exe (3)
- PID 708 cmd.exe wrote to PID 4188 cmd.exe (3)
- PID 708 cmd.exe wrote to PID 1576 xcopy.exe (3)
- PID 708 cmd.exe wrote to PID 3396 easinvoker.exe (2)
- PID 3396 easinvoker.exe wrote to PID 2840 cmd.exe (2)
- PID 708 cmd.exe wrote to PID 3736 PING.EXE (3)
- PID 2840 cmd.exe wrote to PID 892 powershell.exe (2)
- PID 516 Order confirmation proforma Invoice.exe wrote to PID 5032 iexpress.exe (6)
- PID 700 Explorer.EXE wrote to PID 3676 msdt.exe (3)
- PID 3676 msdt.exe wrote to PID 2380 cmd.exe (3)
Processes
(indentation shows depth in the tree; each entry gives the image path, the command line and the matched signatures; PIDs are taken from the signature tables above)

C:\Windows\Explorer.EXE (PID 700)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order confirmation proforma Invoice.exe (PID 516)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order confirmation proforma Invoice.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 708)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ItfzmikwO.bat" "
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2532)
        command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        (output piped into the xcopy that follows, answering its "file or directory?" prompt)

      C:\Windows\SysWOW64\xcopy.exe (PID 4784)
        command line: xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
        - Enumerates system info in registry
        (note the trailing space in "C:\Windows \": this is a newly created directory, not %SystemRoot%\System32)

      C:\Windows\SysWOW64\cmd.exe (PID 4432)
        command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"

      C:\Windows\SysWOW64\xcopy.exe (PID 4844)
        command line: xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
        - Enumerates system info in registry

      C:\Windows\SysWOW64\cmd.exe (PID 4188)
        command line: C:\Windows\system32\cmd.exe /S /D /c" ECHO F"

      C:\Windows\SysWOW64\xcopy.exe (PID 1576)
        command line: xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
        - Enumerates system info in registry

      C:\Windows \System32\easinvoker.exe (PID 3396)
        command line: "C:\Windows \System32\easinvoker.exe"
        - Executes dropped EXE
        - Loads dropped DLL (the netutils.dll copied next to it)
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe (PID 2840)
          command line: C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
          - Suspicious use of WriteProcessMemory

          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 892)
            command line: powershell -WindowStyle Hidden -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            (excludes the whole C:\Users tree from Microsoft Defender scanning; Add-MpPreference only succeeds from an elevated process)

      C:\Windows\SysWOW64\PING.EXE (PID 3736)
        command line: ping 127.0.0.1 -n 6
        - Runs ping.exe

    C:\Windows\SysWOW64\iexpress.exe (PID 5032)
      command line: C:\Windows\System32\iexpress.exe
      (the System32 path in the command line resolves to SysWOW64 because the 32-bit parent is subject to WoW64 file system redirection)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msdt.exe (PID 3676)
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2380)
      command line: /c del "C:\Windows\SysWOW64\iexpress.exe"
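Three of the behaviours in this tree are cheap to detect from endpoint telemetry: a directory component that ends in a space imitating a trusted path ("C:\Windows \System32\"), a PowerShell command line that adds a Defender exclusion, and a Run key value pointing into C:\Users\Public. The block below is an added example, not part of the sandbox report: the rules are the editor's, the event dictionaries are hand-built from the command lines and registry write shown above, and the field names (EventID, Image, CommandLine, TargetObject, Details) follow Sysmon naming as an assumption about the log source.

```python
"""Detection logic for the process tree above, run over constructed events.

Added example, not part of the sandbox report. EVENTS is built from the
report's command lines and registry write; the Sysmon-style field names are
an assumption about the telemetry source.
"""
import re
from typing import Dict, List, Tuple

# A drive-letter path in which some directory component ends in whitespace
# immediately before a backslash, e.g. "C:\Windows \System32\". Quotes and
# backslashes cannot be crossed, so "C:\Program Files\" does not match.
MOCK_DIR_RE = re.compile(r'[A-Za-z]:\\(?:[^"\\]*\\)*?[^"\\]*?\s\\')
DEFENDER_EXCL_RE = re.compile(r"add-mppreference\s+.*-exclusion", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)
# Accepts both single and doubled backslashes (the report renders them doubled).
PUBLIC_DIR_RE = re.compile(r"c:\\+users\\+public\\", re.IGNORECASE)

# Constructed from the report: xcopy staging, the sideload host, the Defender
# exclusion, the Run key write, and a cmd.exe line that must NOT fire.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\xcopy.exe",
     "CommandLine": r'xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y'},
    {"EventID": 1, "Image": r"C:\Windows \System32\easinvoker.exe",
     "CommandLine": r'"C:\Windows \System32\easinvoker.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -WindowStyle Hidden -inputformat none -outputformat none "
                    "-NonInteractive -Command \"Add-MpPreference -ExclusionPath 'C:\\Users'\""},
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Order confirmation proforma Invoice.exe",
     "TargetObject": r"HKU\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Itfzmikw",
     "Details": r"C:\Users\Public\Libraries\wkimzftI.url"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\ItfzmikwO.bat" "'},
]


def mock_trusted_dirs(text: str) -> List[str]:
    """Every lookalike directory prefix found in a command line or image path."""
    return [m.group(0) for m in MOCK_DIR_RE.finditer(text)]


def claimed_directory(mock_path: str) -> str:
    """Remove the whitespace to show which real directory the lookalike imitates."""
    return re.sub(r"\s+", "", mock_path).lower()


def evaluate(event: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (rule name, evidence) pairs for one event; empty list if clean."""
    alerts: List[Tuple[str, str]] = []
    if event.get("EventID") == 1:
        cmd = str(event.get("CommandLine", ""))
        text = cmd + " " + str(event.get("Image", ""))
        for path in dict.fromkeys(mock_trusted_dirs(text)):  # dedupe, keep order
            alerts.append(("mock_trusted_dir", path))
        if DEFENDER_EXCL_RE.search(cmd):
            alerts.append(("defender_exclusion", cmd))
    elif event.get("EventID") == 13:
        target = str(event.get("TargetObject", ""))
        details = str(event.get("Details", ""))
        if RUN_KEY_RE.search(target) and PUBLIC_DIR_RE.search(details):
            value_name = target.rsplit("\\", 1)[-1]
            alerts.append(("run_key_public_dir", f"{value_name} -> {details}"))
    return alerts


def scan(events: List[Dict[str, object]]) -> List[List[Tuple[str, str]]]:
    """Alerts per event, in input order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for idx, alerts in enumerate(scan(EVENTS)):
        for rule, evidence in alerts:
            extra = f" (imitates {claimed_directory(evidence)})" if rule == "mock_trusted_dir" else ""
            print(f"event {idx}: {rule}: {evidence}{extra}")
```

The mock-directory rule keys on the trailing space before a backslash rather than on the literal string "Windows ", so it also catches other whitespace-padded imitations of trusted paths; the Defender-exclusion rule is worth pairing with a check that the parent chain leads back to a user-writable location, as it does here (cmd.exe launched from "C:\windows \system32\KDECO.bat").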
Downloads

C:\Users\Public\Libraries\ItfzmikwO.bat
- Filesize: 411B
- MD5: 55aba243e88f6a6813c117ffe1fa5979
- SHA1: 210b9b028a4b798c837a182321dbf2e50d112816
- SHA256: 5a11c5641c476891aa30e7ecfa57c2639f6827d8640061f73e9afec0adbbd7d2
- SHA512: 68009c4c9bbea75a3bfa9f79945d30957a95691ea405d031b4ca7f1cb47504bbc768fcae59173885743ad4d6cfdd2313c3fe0acb515e34e5c809ecdc7f45e307

C:\Users\Public\Libraries\KDECO.bat
- Filesize: 155B
- MD5: 213c60adf1c9ef88dc3c9b2d579959d2
- SHA1: e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
- SHA256: 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e
- SHA512: fe897d9caa306b0e761b2fd61bb5dc32a53bfaad1ce767c6860af4e3ad59c8f3257228a6e1072dab0f990cb51c59c648084ba419ac6bc5c0a99bdffa569217b7

C:\Users\Public\Libraries\easinvoker.exe
- Filesize: 128KB
- MD5: 231ce1e1d7d98b44371ffff407d68b59
- SHA1: 25510d0f6353dbf0c9f72fc880de7585e34b28ff
- SHA256: 30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96
- SHA512: 520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

C:\Users\Public\Libraries\netutils.dll
- Filesize: 110KB
- MD5: b375e74a145c45d07190212e9157e5f8
- SHA1: 59d3de7748e1090ce95523601224ce5ab6cc4a3a
- SHA256: 6ec341496722bfdde504d430a7ece494701a9369b1fa5376ec488a77ab3c1744
- SHA512: 859737afb6108f131c0ac35560878359505c4f7fdd01ce468c04b15848df71f70987552a831a43ce948a37c9b1d6a434ff7f6fb5946f3730049b924d5b462ef0

C:\Windows \System32\easinvoker.exe
- Byte-identical copy of C:\Users\Public\Libraries\easinvoker.exe (128KB, same MD5/SHA1/SHA256/SHA512)

C:\Windows \System32\netutils.dll
- Byte-identical copy of C:\Users\Public\Libraries\netutils.dll (110KB, same MD5/SHA1/SHA256/SHA512)

C:\windows \system32\KDECO.bat
- Byte-identical copy of C:\Users\Public\Libraries\KDECO.bat (155B, same MD5/SHA1/SHA256/SHA512)
- memory/516-132-0x0000000000A10000-0x0000000000A3C000-memory.dmp: 176KB
- memory/516-158-0x0000000010410000-0x0000000010439000-memory.dmp: 164KB
- memory/516-157-0x0000000010410000-0x0000000010439000-memory.dmp: 164KB
- memory/700-162-0x0000000007F40000-0x0000000007FF2000-memory.dmp: 712KB
- memory/700-169-0x0000000007F40000-0x0000000007FF2000-memory.dmp: 712KB
- memory/700-173-0x0000000008000000-0x000000000812B000-memory.dmp: 1.2MB
- memory/700-171-0x0000000008000000-0x000000000812B000-memory.dmp: 1.2MB
- memory/708-134-0x0000000000000000-mapping.dmp
- memory/892-153-0x0000000000000000-mapping.dmp
- memory/892-155-0x00007FFAF3290000-0x00007FFAF3D51000-memory.dmp: 10.8MB
- memory/892-154-0x0000019D3AB60000-0x0000019D3AB82000-memory.dmp: 136KB
- memory/1576-143-0x0000000000000000-mapping.dmp
- memory/2380-165-0x0000000000000000-mapping.dmp
- memory/2532-136-0x0000000000000000-mapping.dmp
- memory/2840-150-0x0000000000000000-mapping.dmp
- memory/3396-145-0x0000000000000000-mapping.dmp
- memory/3676-170-0x0000000002630000-0x00000000026C0000-memory.dmp: 576KB
- memory/3676-172-0x0000000000800000-0x0000000000829000-memory.dmp: 164KB
- memory/3676-168-0x0000000002900000-0x0000000002C4A000-memory.dmp: 3.3MB
- memory/3676-166-0x0000000000900000-0x0000000000957000-memory.dmp: 348KB
- memory/3676-163-0x0000000000000000-mapping.dmp
- memory/3676-167-0x0000000000800000-0x0000000000829000-memory.dmp: 164KB
- memory/3736-151-0x0000000000000000-mapping.dmp
- memory/4188-142-0x0000000000000000-mapping.dmp
- memory/4432-139-0x0000000000000000-mapping.dmp
- memory/4784-137-0x0000000000000000-mapping.dmp
- memory/4844-140-0x0000000000000000-mapping.dmp
- memory/5032-164-0x0000000010410000-0x0000000010439000-memory.dmp: 164KB
- memory/5032-161-0x0000000003BE0000-0x0000000003BF1000-memory.dmp: 68KB
- memory/5032-160-0x0000000003D00000-0x000000000404A000-memory.dmp: 3.3MB
- memory/5032-156-0x0000000000000000-mapping.dmp
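The dump names encode PID, sequence number and the virtual address range of each region, which is enough to cross-check the listed sizes and to see the payload move: the 0x29000-byte (164KB) region at 0x10410000 is dumped from both PID 516 and PID 5032, and a region of exactly the same size appears at 0x800000 in PID 3676, matching the four xloader YARA hits in the Signatures section. The block below is an added example, not part of the sandbox report; the dump names and sizes are copied from the list above, and the rounding rule in human() is an assumption chosen to reproduce the report's figures.

```python
"""Parse the memory dump names above, verify the listed sizes, group by PID.

Added example, not part of the sandbox report. LISTED is copied from the
report; the size rounding in human() is an assumption that reproduces the
report's own figures (whole KB below 1 MiB, one decimal in MB above).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# (dump name, size as printed in the report); mapping.dmp entries carry no range.
LISTED: List[Tuple[str, str]] = [
    ("memory/516-132-0x0000000000A10000-0x0000000000A3C000-memory.dmp", "176KB"),
    ("memory/516-158-0x0000000010410000-0x0000000010439000-memory.dmp", "164KB"),
    ("memory/516-157-0x0000000010410000-0x0000000010439000-memory.dmp", "164KB"),
    ("memory/700-162-0x0000000007F40000-0x0000000007FF2000-memory.dmp", "712KB"),
    ("memory/700-169-0x0000000007F40000-0x0000000007FF2000-memory.dmp", "712KB"),
    ("memory/700-173-0x0000000008000000-0x000000000812B000-memory.dmp", "1.2MB"),
    ("memory/700-171-0x0000000008000000-0x000000000812B000-memory.dmp", "1.2MB"),
    ("memory/892-155-0x00007FFAF3290000-0x00007FFAF3D51000-memory.dmp", "10.8MB"),
    ("memory/892-154-0x0000019D3AB60000-0x0000019D3AB82000-memory.dmp", "136KB"),
    ("memory/3676-170-0x0000000002630000-0x00000000026C0000-memory.dmp", "576KB"),
    ("memory/3676-172-0x0000000000800000-0x0000000000829000-memory.dmp", "164KB"),
    ("memory/3676-168-0x0000000002900000-0x0000000002C4A000-memory.dmp", "3.3MB"),
    ("memory/3676-166-0x0000000000900000-0x0000000000957000-memory.dmp", "348KB"),
    ("memory/3676-167-0x0000000000800000-0x0000000000829000-memory.dmp", "164KB"),
    ("memory/5032-164-0x0000000010410000-0x0000000010439000-memory.dmp", "164KB"),
    ("memory/5032-161-0x0000000003BE0000-0x0000000003BF1000-memory.dmp", "68KB"),
    ("memory/5032-160-0x0000000003D00000-0x000000000404A000-memory.dmp", "3.3MB"),
]


def parse(name: str) -> Tuple[int, int, int, int]:
    """(pid, sequence, start, end) from a dump name; raises on an unexpected name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a ranged dump name: {name}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)


def region_size(name: str) -> int:
    _pid, _seq, start, end = parse(name)
    return end - start


def human(nbytes: int) -> str:
    """Reproduce the report's rounding (assumed): KB below 1 MiB, else x.yMB."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_listed(listed: List[Tuple[str, str]] = LISTED) -> List[str]:
    """Names whose computed size disagrees with the size printed in the report."""
    return [name for name, size in listed if human(region_size(name)) != size]


def regions_by_pid(listed: List[Tuple[str, str]] = LISTED) -> Dict[int, List[Tuple[int, int]]]:
    out: Dict[int, List[Tuple[int, int]]] = defaultdict(list)
    for name, _size in listed:
        pid, _seq, start, end = parse(name)
        out[pid].append((start, end))
    return dict(out)


def shared_regions(listed: List[Tuple[str, str]] = LISTED) -> Dict[Tuple[int, int], List[int]]:
    """Address ranges dumped from more than one PID: the same mapping in two processes."""
    seen: Dict[Tuple[int, int], set] = defaultdict(set)
    for pid, regions in regions_by_pid(listed).items():
        for region in regions:
            seen[region].add(pid)
    return {region: sorted(pids) for region, pids in seen.items() if len(pids) > 1}


def pids_with_region_size(nbytes: int, listed: List[Tuple[str, str]] = LISTED) -> List[int]:
    """PIDs holding a region of exactly this size, regardless of its address."""
    return sorted({pid for pid, regions in regions_by_pid(listed).items()
                   for start, end in regions if end - start == nbytes})


if __name__ == "__main__":
    print("size mismatches:", check_listed() or "none")
    print("shared ranges:", {f"0x{s:X}-0x{e:X}": p for (s, e), p in shared_regions().items()})
    print("PIDs with a 0x29000-byte region:", pids_with_region_size(0x29000))
```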