Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231023-es
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 22-11-2023 08:37

Static task: static1
Behavioral task: behavioral1
  Sample: bc6626b114d68546c5af018efe67a4f8c321a476.exe
  Resource: win7-20231023-es
Behavioral task: behavioral2
  Sample: bc6626b114d68546c5af018efe67a4f8c321a476.exe
  Resource: win10v2004-20231023-es

General

Target: bc6626b114d68546c5af018efe67a4f8c321a476.exe
Size: 1.8MB
MD5: c0895699c1e9bd08c6b8f7e8c7bcd7d6
SHA1: bc6626b114d68546c5af018efe67a4f8c321a476
SHA256: 5517cdcbe0571bef0456f9f214fd3cb73a7a0c7cb73a5833e31142938277623a
SHA512: c8275534abce9d6c0b107e73971d160a2e5983816b961b543df1f18efcd27a0d62c155c168407f067f4fc484ef27af766a42582840781d53555e1338de35a266
SSDEEP: 49152:aD4+yRMXpcOX8IxTqh0eJa3DZEe9sRuCVCW40MyqChsyfue9Tb:aDqRMXpcOXX8Za31CuCc4MXC+yft
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

ModiLoader Second Stage (1 IoC)
  resource: behavioral2/memory/2732-6-0x0000000004510000-0x0000000005510000-memory.dmp
  yara_rule: modiloader_stage2

Adds Run key to start application (2 TTPs, 1 IoC)
  process: bc6626b114d68546c5af018efe67a4f8c321a476.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ucafwkps = "C:\\Users\\Public\\Ucafwkps.url"
  Note: the Run value points at a .url Internet Shortcut under the world-writable C:\Users\Public rather than at an executable; the shortcut's URL= line holds the real launch target, so collect that file when triaging the host.
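The following is an added example, not code from the report or from the sandbox vendor. It applies the two checks a responder would run over a host's Run entries given the IoC above: is the target a shortcut or script instead of an executable, and does it sit in a directory any user can write to; it also extracts the URL= target from a .url file. The Run entries other than Ucafwkps, the .url body and the payload path inside it are constructed for the example; on a live Windows host the entries would come from HKCU\Software\Microsoft\Windows\CurrentVersion\Run via winreg.

```python
# Added example (not part of the sandbox report): triage Run-key values of the
# kind reported above. The entries are constructed inline so the script runs
# offline; on a live Windows host you would read them from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run with winreg instead.
import ntpath

# Constructed sample: the value from the report plus two benign-looking entries.
SAMPLE_RUN_VALUES = {
    "Ucafwkps": r"C:\Users\Public\Ucafwkps.url",
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

# Constructed .url file body (hypothetical target; the report does not show the
# shortcut's content). A .url in Run launches whatever its URL= line points at.
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file:///C:/Users/Public/example_payload.exe\r\n"

# Shortcut/script extensions that should rarely appear as a Run target.
SHORTCUT_EXTS = {".url", ".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd", ".ps1"}
# Locations any user can write to; a Run target here deserves a look.
WRITABLE_DIRS = (r"c:\users\public", r"\appdata\local\temp", r"c:\programdata")


def run_value_target(value: str) -> str:
    """Return the file a Run value launches: the quoted path, else the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def resolve_url_shortcut(text: str) -> str:
    """Return the URL= target of an Internet Shortcut (.url) file, or '' if absent."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return ""


def assess_run_value(value: str) -> list:
    """Reasons a Run entry looks like persistence for a dropped payload (empty = unremarkable)."""
    target = run_value_target(value)
    low = target.lower()
    reasons = []
    ext = ntpath.splitext(low)[1]
    if ext in SHORTCUT_EXTS:
        reasons.append(f"target is a {ext} shortcut/script rather than an executable")
    if any(marker in low for marker in WRITABLE_DIRS):
        reasons.append("target lives in a directory any user can write to")
    return reasons


def triage_run_values(values: dict) -> dict:
    """Map each suspicious value name to its reasons; benign entries are left out."""
    findings = {}
    for name, value in values.items():
        reasons = assess_run_value(value)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(reasons)}")
    print("shortcut target:", resolve_url_shortcut(SAMPLE_URL_FILE))
```

Both checks fire for the Ucafwkps entry and neither fires for the two constructed benign entries; the extension list is deliberately broad because Run entries that launch a script host are the usual way a loader keeps a non-PE stage resident.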
Suspicious use of SetThreadContext (2 IoCs)
  PID 2004 colorcpl.exe set thread context of PID 3412 Explorer.EXE
  PID 1128 cmmon32.exe set thread context of PID 3412 Explorer.EXE

Drops file in Windows directory (1 IoC)
  process: colorcpl.exe
  description: File opened for modification
  ioc: C:\Windows\INF\monitor.PNF

Modifies Internet Explorer settings (1 IoC)
  process: cmmon32.exe
  description: Key created
  ioc: \Registry\User\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  HTTP User-Agent header, flow 39: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header, flow 45: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Note: this is the default User-Agent of the WinHTTP COM request object (WinHttp.WinHttpRequest), which is usually driven from VBScript, JScript or PowerShell. The report does not tie flows 39 and 45 to a process, so treat the string as a hunting lead rather than proof of a script stage on its own.

Suspicious behavior: EnumeratesProcesses (48 IoCs)
  PID 2732 bc6626b114d68546c5af018efe67a4f8c321a476.exe (2 events)
  PID 2004 colorcpl.exe (8 events)
  PID 1128 cmmon32.exe (38 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3412 Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
  PID 2004 colorcpl.exe (3 events)
  PID 1128 cmmon32.exe (4 events)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Token: SeDebugPrivilege, PID 2004 colorcpl.exe
  Token: SeShutdownPrivilege, PID 3412 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 3412 Explorer.EXE
  Token: SeShutdownPrivilege, PID 3412 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 3412 Explorer.EXE
  Token: SeDebugPrivilege, PID 1128 cmmon32.exe
  Token: SeShutdownPrivilege, PID 3412 Explorer.EXE
  Token: SeCreatePagefilePrivilege, PID 3412 Explorer.EXE
  Note: SeDebugPrivilege is enabled by the two system binaries that go on to write into Explorer.EXE; the SeShutdownPrivilege and SeCreatePagefilePrivilege tokens on Explorer.EXE are routine shell activity.

Suspicious use of UnmapMainImage (1 IoC)
  PID 3412 Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2732 bc6626b114d68546c5af018efe67a4f8c321a476.exe wrote to memory of PID 2004 colorcpl.exe (4 events)
  PID 3412 Explorer.EXE wrote to memory of PID 1128 cmmon32.exe (3 events)
  PID 1128 cmmon32.exe wrote to memory of PID 1008 cmmon32.exe -> Firefox.exe (3 events)
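As an added example that is not code from the report or from the sandbox vendor, the script below parses the WriteProcessMemory and SetThreadContext event lines listed above (transcribed verbatim), rebuilds the chain from the sample's PID 2732, and flags every hop made by a process that had itself already been written into. The "relay" heuristic is the editor's, not something the sandbox asserts; the PIDs and image names are the report's.

```python
# Added example (not part of the sandbox report): rebuild the injection chain
# from the "wrote to memory of" / "set thread context of" IoCs above and flag
# the hops made by processes that had themselves already been written into.
import re
from dataclasses import dataclass

# Event lines transcribed from the report above (the report repeats several
# of them; duplicates are dropped on parse).
REPORT_EVENTS = """
PID 2732 wrote to memory of 2004 2732 bc6626b114d68546c5af018efe67a4f8c321a476.exe colorcpl.exe
PID 2732 wrote to memory of 2004 2732 bc6626b114d68546c5af018efe67a4f8c321a476.exe colorcpl.exe
PID 3412 wrote to memory of 1128 3412 Explorer.EXE cmmon32.exe
PID 1128 wrote to memory of 1008 1128 cmmon32.exe Firefox.exe
PID 2004 set thread context of 3412 2004 colorcpl.exe Explorer.EXE
PID 1128 set thread context of 3412 1128 cmmon32.exe Explorer.EXE
"""

EVENT_RE = re.compile(
    r"PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)$"
)


@dataclass(frozen=True)
class Edge:
    src: int
    src_name: str
    dst: int
    dst_name: str
    kind: str  # "write" (WriteProcessMemory) or "setctx" (SetThreadContext)


def parse_events(text: str) -> list:
    """Parse report lines into de-duplicated Edge objects, keeping first-seen order."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        kind = "write" if m["kind"].startswith("wrote") else "setctx"
        edge = Edge(int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"], kind)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def _names(edges: list) -> dict:
    """PID -> image name, taken from whichever side of an edge mentions the PID."""
    names = {e.src: e.src_name for e in edges}
    names.update({e.dst: e.dst_name for e in edges})
    return names


def injection_chains(edges: list, root: int) -> list:
    """All maximal simple paths ("name(pid)" lists) from the root PID along write/setctx edges."""
    by_src = {}
    for e in edges:
        by_src.setdefault(e.src, []).append(e)
    names = _names(edges)
    paths = []

    def walk(pid, path):
        # Skip edges back into a PID already on the path (cmmon32.exe -> Explorer.EXE here).
        nxt = [e for e in by_src.get(pid, []) if e.dst not in path]
        if not nxt:
            paths.append([f"{names[p]}({p})" for p in path])
        for e in nxt:
            walk(e.dst, path + [e.dst])

    walk(root, [root])
    return paths


def relay_edges(edges: list, root: int) -> list:
    """Edges whose source is not the root but is reachable from it: a process that
    received injected code and then wrote into or hijacked another process."""
    tainted, frontier = set(), {root}
    while frontier:
        pid = frontier.pop()
        tainted.add(pid)
        frontier.update(e.dst for e in edges if e.src == pid and e.dst not in tainted)
    return [e for e in edges if e.src in tainted and e.src != root]


if __name__ == "__main__":
    edges = parse_events(REPORT_EVENTS)
    for chain in injection_chains(edges, 2732):
        print(" -> ".join(chain))
    for e in relay_edges(edges, 2732):
        print(f"relay: {e.src_name}({e.src}) {e.kind} {e.dst_name}({e.dst})")
```

Run on the report's events this yields the single chain sample -> colorcpl.exe -> Explorer.EXE -> cmmon32.exe -> Firefox.exe and four relay hops; only the sample's own write into colorcpl.exe is a first hop. Reachability rather than event order is used for the taint set because the report gives no timestamps, so section order cannot be trusted as chronology.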
Processes

The leading number is the report's tree depth; level 1 is the sandbox desktop shell that launched the sample.

1. C:\Windows\Explorer.EXE (PID 3412)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\bc6626b114d68546c5af018efe67a4f8c321a476.exe (PID 2732)
      command line: "C:\Users\Admin\AppData\Local\Temp\bc6626b114d68546c5af018efe67a4f8c321a476.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\colorcpl.exe (PID 2004)
         command line: C:\Windows\System32\colorcpl.exe
         - Suspicious use of SetThreadContext
         - Drops file in Windows directory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmmon32.exe (PID 1128)
      command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1008)
         command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Two details of the tree are worth reading correctly. colorcpl.exe was requested as C:\Windows\System32\colorcpl.exe but ran from C:\Windows\SysWOW64: the 32-bit sample hit WOW64 file-system redirection, so the hollowed host is the 32-bit copy. cmmon32.exe hangs off Explorer.EXE rather than off the sample because it was started from the code that colorcpl.exe injected into Explorer.EXE (see the SetThreadContext and WriteProcessMemory IoCs above), which is why a parent/child search from the sample alone misses the second half of the chain.