Analysis
- max time kernel: 149s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 13:25

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
  - Resource: win7-20230220-en
- Behavioral task: behavioral2
  - Sample: 7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
  - Resource: win10v2004-20230220-en
General
- Target: 7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
- Size: 910KB
- MD5: 7d9e7b27f0510fb4776c55c0165ab25f
- SHA1: c12cd673f4c8c516b367b091f3c30d30bc9c11b1
- SHA256: db0e998a1dd20e1b6c853cc778592c580971032cc8362d236d055dde3824ca44
- SHA512: 2bc8144f54b93fb7019ceccf8c62ac043a33e570e21445f3beb8b4e3940310a28116b08ed356f5ad09d237bf68a50b48c9b8dda03008a51e09264e631e44d256
- SSDEEP: 12288:cvI/SRZe0WFIQ38UWtwn/8vprceJz5Roy59N7axbIeYPG48SLuk8A1xdY5mQPmdx:cQ3SQ3XWtwn/8vB99mDkFyYQPE29K
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: ges9
- C2: list of C2 domains extracted from the sample (not reproduced here)
Signatures

ModiLoader, DBatLoader
- ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook payload (4 IoCs)
- resource / yara_rule:
  - behavioral2/memory/4908-149-0x0000000010410000-0x000000001043F000-memory.dmp: formbook
  - behavioral2/memory/4172-159-0x0000000010410000-0x000000001043F000-memory.dmp: formbook
  - behavioral2/memory/1056-160-0x0000000001100000-0x000000000112F000-memory.dmp: formbook
  - behavioral2/memory/1056-162-0x0000000001100000-0x000000000112F000-memory.dmp: formbook

ModiLoader Second Stage (1 IoC)
- resource / yara_rule:
  - behavioral2/memory/4908-134-0x0000000003FC0000-0x0000000003FEC000-memory.dmp: modiloader_stage2

Adds Run key to start application (2 TTPs, 1 IoC)
- description / ioc / process:
  - Set value (str): \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nzarotih = "C:\\Users\\Public\\Libraries\\hitorazN.url" (process: 7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe)

Suspicious use of SetThreadContext (2 IoCs)
- description / pid / process / target process:
  - PID 4172 set thread context of 664: 4172 colorcpl.exe -> Explorer.EXE
  - PID 1056 set thread context of 664: 1056 cmmon32.exe -> Explorer.EXE

Suspicious behavior: EnumeratesProcesses (56 IoCs)
- pid / process (number of entries):
  - 4908 7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe (x2)
  - 4172 colorcpl.exe (x4)
  - 1056 cmmon32.exe (x50)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid / process:
  - 664 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
- pid / process (number of entries):
  - 4172 colorcpl.exe (x3)
  - 1056 cmmon32.exe (x2)

Suspicious use of AdjustPrivilegeToken (14 IoCs)
- description / pid / process (number of entries):
  - Token: SeDebugPrivilege: 4172 colorcpl.exe (x1)
  - Token: SeShutdownPrivilege: 664 Explorer.EXE (x6)
  - Token: SeCreatePagefilePrivilege: 664 Explorer.EXE (x6)
  - Token: SeDebugPrivilege: 1056 cmmon32.exe (x1)

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid / process (number of entries):
  - 664 Explorer.EXE (x2)

Suspicious use of WriteProcessMemory (12 IoCs)
- description / pid / process / target process (number of entries):
  - PID 4908 wrote to memory of 4172: 4908 7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe -> colorcpl.exe (x6)
  - PID 664 wrote to memory of 1056: 664 Explorer.EXE -> cmmon32.exe (x3)
  - PID 1056 wrote to memory of 3884: 1056 cmmon32.exe -> cmd.exe (x3)
Processes (tree; the number is the depth of the process in the tree)

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7ade248258607cabe21381f7bc1d26141e18c6cc5998da2f57eee775ba78d955.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\colorcpl.exe
         command line: C:\Windows\System32\colorcpl.exe
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmmon32.exe
      command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Windows\SysWOW64\colorcpl.exe"
Downloads (memory dumps)
- memory/664-155-0x0000000003F20000-0x0000000003FF7000-memory.dmp: 860KB
- memory/664-168-0x0000000008480000-0x00000000085CC000-memory.dmp: 1.3MB
- memory/664-166-0x0000000008480000-0x00000000085CC000-memory.dmp: 1.3MB
- memory/664-165-0x0000000008480000-0x00000000085CC000-memory.dmp: 1.3MB
- memory/1056-162-0x0000000001100000-0x000000000112F000-memory.dmp: 188KB
- memory/1056-161-0x0000000003020000-0x000000000336A000-memory.dmp: 3.3MB
- memory/1056-164-0x0000000002E60000-0x0000000002EF4000-memory.dmp: 592KB
- memory/1056-160-0x0000000001100000-0x000000000112F000-memory.dmp: 188KB
- memory/1056-158-0x0000000000CF0000-0x0000000000CFC000-memory.dmp: 48KB
- memory/1056-156-0x0000000000CF0000-0x0000000000CFC000-memory.dmp: 48KB
- memory/4172-154-0x0000000004890000-0x00000000048A5000-memory.dmp: 84KB
- memory/4172-159-0x0000000010410000-0x000000001043F000-memory.dmp: 188KB
- memory/4172-152-0x00000000049D0000-0x0000000004D1A000-memory.dmp: 3.3MB
- memory/4172-150-0x00000000022F0000-0x00000000022F1000-memory.dmp: 4KB
- memory/4908-148-0x0000000010410000-0x000000001043F000-memory.dmp: 188KB
- memory/4908-149-0x0000000010410000-0x000000001043F000-memory.dmp: 188KB
- memory/4908-133-0x0000000002120000-0x0000000002121000-memory.dmp: 4KB
- memory/4908-137-0x0000000002120000-0x0000000002121000-memory.dmp: 4KB
- memory/4908-136-0x0000000000400000-0x00000000004EA000-memory.dmp: 936KB
- memory/4908-134-0x0000000003FC0000-0x0000000003FEC000-memory.dmp: 176KB