Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-03-2023 14:31
Static task: static1
Behavioral task: behavioral1
- Sample: DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
- Resource: win10v2004-20230220-en
General
- Target: DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
- Size: 1.1MB
- MD5: a6cef924a4bd619a96f27e3ea6bb57df
- SHA1: d0caa19884d168e786dbb8edb40673553a61634f
- SHA256: 4a85949b7ffe19e22e4191b55b225cb3ac8b59246785144f585006b94e9ba574
- SHA512: fc653c79211df1be06324979bd8d80cdc493e489a7d4775c967b11987c5ded36fbccbfdcca6705996348d9d126fe42b0971d4bf550db14963026fda3213c8f80
- SSDEEP: 12288:oX8lOqFSsZ40z3QjB2lr5fPx7Zh70WoQzV9hBoSFhAf1nAhglR:Q8ltFSQ3AB2zp7pcf1nAhglR
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ges9
- Decoy domains:
lolofestival.store
amzin.info
pulsahokii.xyz
bahiszirve.com
animekoe.com
kansastaxaccountant.net
howgoodisgod.online
medakaravan.xyz
pesmagazine.net
americanpopulist.info
nepalihandicraft.com
mariabakermodeling.com
cavify.top
onlinewoonboulevard.com
furniture-22830.com
ophthalmicpersonneltraining.us
yz1204.com
extrawhite.site
tomo.store
martfind.online
united-bc.com
hethonglikesub.site
goldenstategeneralstore.com
amazdea.com
emiliahernandez.com
weeklyrhino.buzz
erjcbtwg.work
16321.xyz
crainbramp.games
studiochiodi.info
km97.xyz
synertel.site
ankerbios.expert
chipetaresort.com
gakuj.xyz
simmonsguitars.com
povsearcher.com
salesatomizer.app
loopmart.shop
easyonionringrecipe.site
icss.studio
ksamayaiu.xyz
xn--recomindame-gbb.com
bepillow.com
homesinowensboro.com
abrashina.com
dplck.com
michellentherapy.com
voyance.health
zwcl365.com
akroglobal.com
endlessillumination.store
florediemgardens.com
lis-journal.com
justinrichert.net
baschung.swiss
thesexyviking.com
abickofconsulting.com
vivacious713833.com
dental-implants-52958.com
tigaberlian.net
trxtr.xyz
offficebanking-cl.top
huslnfts.xyz
viralcx.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
Formbook payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4120-152-0x0000000010410000-0x000000001043F000-memory.dmp | formbook
behavioral2/memory/4236-162-0x0000000010410000-0x000000001043F000-memory.dmp | formbook
behavioral2/memory/3692-163-0x0000000000DC0000-0x0000000000DEF000-memory.dmp | formbook
behavioral2/memory/3692-165-0x0000000000DC0000-0x0000000000DEF000-memory.dmp | formbook
ModiLoader Second Stage 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4120-134-0x0000000004600000-0x000000000462C000-memory.dmp | modiloader_stage2
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Issdoppz = "C:\\Users\\Public\\Libraries\\zppodssI.url" | DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description | pid | process | target process
PID 4236 set thread context of 3192 | 4236 | iexpress.exe | Explorer.EXE
PID 3692 set thread context of 3192 | 3692 | wscript.exe | Explorer.EXE
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
pid | process
4120 | DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe (2 hits)
4236 | iexpress.exe (4 hits)
3692 | wscript.exe (36 hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3192 | Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid | process
4236 | iexpress.exe (3 hits)
3692 | wscript.exe (2 hits)
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4236 | iexpress.exe
Token: SeShutdownPrivilege | 3192 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3192 | Explorer.EXE
Token: SeShutdownPrivilege | 3192 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3192 | Explorer.EXE
Token: SeDebugPrivilege | 3692 | wscript.exe
Token: SeShutdownPrivilege | 3192 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3192 | Explorer.EXE
Token: SeShutdownPrivilege | 3192 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3192 | Explorer.EXE
Token: SeShutdownPrivilege | 3192 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3192 | Explorer.EXE
Token: SeShutdownPrivilege | 3192 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3192 | Explorer.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 4120 wrote to memory of 4236 | 4120 | DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe | iexpress.exe (6 hits)
PID 3192 wrote to memory of 3692 | 3192 | Explorer.EXE | wscript.exe (3 hits)
PID 3692 wrote to memory of 3384 | 3692 | wscript.exe | cmd.exe (3 hits)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DF3960BB0CD231428EEB614A4814EB449D5C857B61BC2F2E568CF5615A949E8F.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\iexpress.exe
         Command line: C:\Windows\System32\iexpress.exe
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\wscript.exe
      Command line: "C:\Windows\SysWOW64\wscript.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Windows\SysWOW64\iexpress.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3192-158-0x0000000007D30000-0x0000000007E5D000-memory.dmp | Filesize 1.2MB
- memory/3192-171-0x0000000008760000-0x00000000088C6000-memory.dmp | Filesize 1.4MB
- memory/3192-169-0x0000000008760000-0x00000000088C6000-memory.dmp | Filesize 1.4MB
- memory/3192-168-0x0000000008760000-0x00000000088C6000-memory.dmp | Filesize 1.4MB
- memory/3692-164-0x0000000002EA0000-0x00000000031EA000-memory.dmp | Filesize 3.3MB
- memory/3692-165-0x0000000000DC0000-0x0000000000DEF000-memory.dmp | Filesize 188KB
- memory/3692-167-0x0000000002CE0000-0x0000000002D74000-memory.dmp | Filesize 592KB
- memory/3692-163-0x0000000000DC0000-0x0000000000DEF000-memory.dmp | Filesize 188KB
- memory/3692-161-0x00000000001D0000-0x00000000001F7000-memory.dmp | Filesize 156KB
- memory/3692-160-0x00000000001D0000-0x00000000001F7000-memory.dmp | Filesize 156KB
- memory/4120-152-0x0000000010410000-0x000000001043F000-memory.dmp | Filesize 188KB
- memory/4120-133-0x0000000000810000-0x0000000000811000-memory.dmp | Filesize 4KB
- memory/4120-151-0x0000000010410000-0x000000001043F000-memory.dmp | Filesize 188KB
- memory/4120-136-0x0000000000400000-0x000000000052A000-memory.dmp | Filesize 1.2MB
- memory/4120-134-0x0000000004600000-0x000000000462C000-memory.dmp | Filesize 176KB
- memory/4236-162-0x0000000010410000-0x000000001043F000-memory.dmp | Filesize 188KB
- memory/4236-157-0x0000000003E70000-0x0000000003E85000-memory.dmp | Filesize 84KB
- memory/4236-153-0x0000000002B50000-0x0000000002B51000-memory.dmp | Filesize 4KB
- memory/4236-156-0x0000000003F30000-0x000000000427A000-memory.dmp | Filesize 3.3MB