Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2023 11:41
Static task
static1
Behavioral task
behavioral1
Sample
DOC.09323872637283.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
DOC.09323872637283.exe
Resource
win10v2004-20230220-en
General
-
Target
DOC.09323872637283.exe
-
Size
1.0MB
-
MD5
33d0315e844e991a28980ad8a108a423
-
SHA1
2c91f349e52c5995bfb81d309392b119d5954996
-
SHA256
3d3106d56edd0d99fb92516b4ab21f27972e104477204343c5f365aa604650ef
-
SHA512
c9639414395d4177b5fd52f3190d5d9e17d31678f815f1e61176c17b87d33dfef70830a0055bd97966a10ee822a59c0a0d55ebed32348067422ab7de1bc8e239
-
SSDEEP
24576:SSWrMz8C3kJ+VnkaJ56TxIN84Mm/3vfb5GJ:SS0o8YXMFIN84X3vfb5W
Malware Config
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3344-133-0x0000000004530000-0x0000000004562000-memory.dmp modiloader_stage2 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
xnjvmfsJ.pifdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation xnjvmfsJ.pif -
Executes dropped EXE 1 IoCs
Processes:
xnjvmfsJ.pifpid process 3188 xnjvmfsJ.pif -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
DOC.09323872637283.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsfmvjnx = "C:\\Users\\Public\\Libraries\\xnjvmfsJ.url" DOC.09323872637283.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
xnjvmfsJ.pifNETSTAT.EXEdescription pid process target process PID 3188 set thread context of 3140 3188 xnjvmfsJ.pif Explorer.EXE PID 4372 set thread context of 3140 4372 NETSTAT.EXE Explorer.EXE -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2968 4940 WerFault.exe Firefox.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 4372 NETSTAT.EXE -
Processes:
NETSTAT.EXEdescription ioc process Key created \Registry\User\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 NETSTAT.EXE -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 30 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 32 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 35 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes:
xnjvmfsJ.pifNETSTAT.EXEpid process 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3140 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
xnjvmfsJ.pifNETSTAT.EXEpid process 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 3188 xnjvmfsJ.pif 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE 4372 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
xnjvmfsJ.pifNETSTAT.EXEExplorer.EXEdescription pid process Token: SeDebugPrivilege 3188 xnjvmfsJ.pif Token: SeDebugPrivilege 4372 NETSTAT.EXE Token: SeShutdownPrivilege 3140 Explorer.EXE Token: SeCreatePagefilePrivilege 3140 Explorer.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
DOC.09323872637283.exeExplorer.EXENETSTAT.EXEdescription pid process target process PID 3344 wrote to memory of 3188 3344 DOC.09323872637283.exe xnjvmfsJ.pif PID 3344 wrote to memory of 3188 3344 DOC.09323872637283.exe xnjvmfsJ.pif PID 3344 wrote to memory of 3188 3344 DOC.09323872637283.exe xnjvmfsJ.pif PID 3344 wrote to memory of 3188 3344 DOC.09323872637283.exe xnjvmfsJ.pif PID 3344 wrote to memory of 3188 3344 DOC.09323872637283.exe xnjvmfsJ.pif PID 3344 wrote to memory of 3188 3344 DOC.09323872637283.exe xnjvmfsJ.pif PID 3140 wrote to memory of 4372 3140 Explorer.EXE NETSTAT.EXE PID 3140 wrote to memory of 4372 3140 Explorer.EXE NETSTAT.EXE PID 3140 wrote to memory of 4372 3140 Explorer.EXE NETSTAT.EXE PID 4372 wrote to memory of 4940 4372 NETSTAT.EXE Firefox.exe PID 4372 wrote to memory of 4940 4372 NETSTAT.EXE Firefox.exe PID 4372 wrote to memory of 4940 4372 NETSTAT.EXE Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DOC.09323872637283.exe"C:\Users\Admin\AppData\Local\Temp\DOC.09323872637283.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Libraries\xnjvmfsJ.pif"C:\Users\Public\Libraries\xnjvmfsJ.pif"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4940 -s 1404⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 452 -p 4940 -ip 49401⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Libraries\xnjvmfsJ.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Libraries\xnjvmfsJ.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
memory/3140-162-0x0000000007CB0000-0x0000000007D59000-memory.dmpFilesize
676KB
-
memory/3140-159-0x0000000007CB0000-0x0000000007D59000-memory.dmpFilesize
676KB
-
memory/3140-151-0x00000000026B0000-0x00000000027CA000-memory.dmpFilesize
1.1MB
-
memory/3188-149-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/3188-147-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/3188-148-0x00000000025F0000-0x000000000293A000-memory.dmpFilesize
3.3MB
-
memory/3188-150-0x0000000000830000-0x0000000000840000-memory.dmpFilesize
64KB
-
memory/3188-143-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/3188-154-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3344-136-0x0000000000400000-0x000000000050A000-memory.dmpFilesize
1.0MB
-
memory/3344-142-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/3344-133-0x0000000004530000-0x0000000004562000-memory.dmpFilesize
200KB
-
memory/3344-141-0x0000000010410000-0x000000001043F000-memory.dmpFilesize
188KB
-
memory/3344-135-0x00000000022B0000-0x00000000022B1000-memory.dmpFilesize
4KB
-
memory/4372-155-0x0000000000C70000-0x0000000000C7B000-memory.dmpFilesize
44KB
-
memory/4372-157-0x0000000000C00000-0x0000000000C2D000-memory.dmpFilesize
180KB
-
memory/4372-158-0x0000000001310000-0x000000000165A000-memory.dmpFilesize
3.3MB
-
memory/4372-156-0x0000000000C00000-0x0000000000C2D000-memory.dmpFilesize
180KB
-
memory/4372-160-0x0000000001140000-0x00000000011CF000-memory.dmpFilesize
572KB
-
memory/4372-153-0x0000000000C70000-0x0000000000C7B000-memory.dmpFilesize
44KB