Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
05-06-2023 16:12
Static task
static1
Behavioral task
behavioral1
Sample
Proforma Invoice attached.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
Proforma Invoice attached.exe
Resource
win10v2004-20230220-en
General
-
Target
Proforma Invoice attached.exe
-
Size
805KB
-
MD5
dab7cc983ca9542bd96062d675128a57
-
SHA1
13d832f3e6a884dfee1b05c4fe9ab7f754c8607c
-
SHA256
e399bdc24cb76e8ebdfef7bba94b18031fe0b4fd3664fcad763e77b1e4b2da86
-
SHA512
de268296462fe12039fc316b4674b4bc20e4ad4140e198ea5f8fc38d42e7434c8ba4e47b76b5cebad4b692e828a7d0423f1b01ebf7cefbb7abfc52f05f0697e3
-
SSDEEP
12288:29Id6OrPwqTQAwBTTvY0Z3l9+P/bnqvPPOmWnADUcHjNEU:29XyTFwtTpZ1E32POM7m
Malware Config
Extracted
xloader
2.6
uj3c
copimetro.com
choonchain.com
luxxwireless.com
fashionweekofcincinnati.com
campingshare.net
suncochina.com
kidsfundoor.com
testingnyc.co
lovesoe.com
vehiclesbeenrecord.com
socialpearmarketing.com
maxproductdji.com
getallarticle.online
forummind.com
arenamarenostrum.com
trisuaka.xyz
designgamagazine.com
chateaulehotel.com
huangse5.com
esginvestment.tech
intercontinentalship.com
moneytaoism.com
agardenfortwo.com
trendiddas.com
fjuoomw.xyz
dantvilla.com
shopwithtrooperdavecom.com
lanwenzong.com
xpertsrealty.com
gamelabsmash.com
nomaxdic.com
chillyracing.com
mypleasure-blog.com
projectkyla.com
florurbana.com
oneplacemexico.com
gografic.com
giantht.com
dotombori-base.com
westlifinance.online
maacsecurity.com
lydas.info
instapandas.com
labustiadepaper.net
unglue52.com
onurnet.net
wellkept.info
6111.site
platinumroofingsusa.com
bodyplex.fitness
empireapothecary.com
meigsbuilds.online
garygrover.com
nicholasnikas.com
yd9992.com
protections-clients.info
sueyhzx.com
naturathome.info
superinformatico.net
printsgarden.com
xn--qn1b03fy2b841b.com
preferable.info
ozzyconstructionma.com
10stopp.online
nutricognition.com
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
ModiLoader Second Stage 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4680-134-0x00000000023B0000-0x00000000023E2000-memory.dmp modiloader_stage2 -
Xloader payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4680-142-0x0000000010410000-0x000000001043B000-memory.dmp xloader behavioral2/memory/1480-149-0x0000000010410000-0x000000001043B000-memory.dmp xloader behavioral2/memory/3264-157-0x00000000006A0000-0x00000000006CB000-memory.dmp xloader behavioral2/memory/3264-159-0x00000000006A0000-0x00000000006CB000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 58 3264 rundll32.exe -
Executes dropped EXE 1 IoCs
Processes:
hsoloqgU.pifpid process 1480 hsoloqgU.pif -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Proforma Invoice attached.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ugqolosh = "C:\\Users\\Public\\Libraries\\hsoloqgU.url" Proforma Invoice attached.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
hsoloqgU.pifrundll32.exedescription pid process target process PID 1480 set thread context of 3216 1480 hsoloqgU.pif Explorer.EXE PID 3264 set thread context of 3216 3264 rundll32.exe Explorer.EXE -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 19 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 20 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 23 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
hsoloqgU.pifrundll32.exepid process 1480 hsoloqgU.pif 1480 hsoloqgU.pif 1480 hsoloqgU.pif 1480 hsoloqgU.pif 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe 3264 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3216 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
hsoloqgU.pifrundll32.exepid process 1480 hsoloqgU.pif 1480 hsoloqgU.pif 1480 hsoloqgU.pif 3264 rundll32.exe 3264 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
hsoloqgU.pifrundll32.exedescription pid process Token: SeDebugPrivilege 1480 hsoloqgU.pif Token: SeDebugPrivilege 3264 rundll32.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Proforma Invoice attached.exeExplorer.EXErundll32.exedescription pid process target process PID 4680 wrote to memory of 1480 4680 Proforma Invoice attached.exe hsoloqgU.pif PID 4680 wrote to memory of 1480 4680 Proforma Invoice attached.exe hsoloqgU.pif PID 4680 wrote to memory of 1480 4680 Proforma Invoice attached.exe hsoloqgU.pif PID 4680 wrote to memory of 1480 4680 Proforma Invoice attached.exe hsoloqgU.pif PID 4680 wrote to memory of 1480 4680 Proforma Invoice attached.exe hsoloqgU.pif PID 4680 wrote to memory of 1480 4680 Proforma Invoice attached.exe hsoloqgU.pif PID 3216 wrote to memory of 3264 3216 Explorer.EXE rundll32.exe PID 3216 wrote to memory of 3264 3216 Explorer.EXE rundll32.exe PID 3216 wrote to memory of 3264 3216 Explorer.EXE rundll32.exe PID 3264 wrote to memory of 2640 3264 rundll32.exe cmd.exe PID 3264 wrote to memory of 2640 3264 rundll32.exe cmd.exe PID 3264 wrote to memory of 2640 3264 rundll32.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Proforma Invoice attached.exe"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice attached.exe"2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\Libraries\hsoloqgU.pif"C:\Users\Public\Libraries\hsoloqgU.pif"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Public\Libraries\hsoloqgU.pif"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\Libraries\hsoloqgU.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
C:\Users\Public\Libraries\hsoloqgU.pifFilesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
memory/1480-150-0x0000000002470000-0x0000000002481000-memory.dmpFilesize
68KB
-
memory/1480-143-0x00000000001D0000-0x00000000001D1000-memory.dmpFilesize
4KB
-
memory/1480-148-0x0000000002500000-0x000000000284A000-memory.dmpFilesize
3.3MB
-
memory/1480-149-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/1480-154-0x0000000000400000-0x000000000041A000-memory.dmpFilesize
104KB
-
memory/3216-151-0x00000000027D0000-0x0000000002939000-memory.dmpFilesize
1.4MB
-
memory/3216-165-0x0000000008610000-0x0000000008798000-memory.dmpFilesize
1.5MB
-
memory/3216-163-0x0000000008610000-0x0000000008798000-memory.dmpFilesize
1.5MB
-
memory/3216-162-0x0000000008610000-0x0000000008798000-memory.dmpFilesize
1.5MB
-
memory/3264-157-0x00000000006A0000-0x00000000006CB000-memory.dmpFilesize
172KB
-
memory/3264-153-0x0000000000C30000-0x0000000000C44000-memory.dmpFilesize
80KB
-
memory/3264-156-0x0000000000C30000-0x0000000000C44000-memory.dmpFilesize
80KB
-
memory/3264-158-0x00000000025D0000-0x000000000291A000-memory.dmpFilesize
3.3MB
-
memory/3264-159-0x00000000006A0000-0x00000000006CB000-memory.dmpFilesize
172KB
-
memory/3264-161-0x00000000023F0000-0x0000000002480000-memory.dmpFilesize
576KB
-
memory/4680-133-0x0000000002260000-0x0000000002261000-memory.dmpFilesize
4KB
-
memory/4680-141-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB
-
memory/4680-134-0x00000000023B0000-0x00000000023E2000-memory.dmpFilesize
200KB
-
memory/4680-136-0x0000000000400000-0x00000000004CF000-memory.dmpFilesize
828KB
-
memory/4680-142-0x0000000010410000-0x000000001043B000-memory.dmpFilesize
172KB