Analysis
- Max time kernel: 150s
- Max time network: 159s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231023-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 22-11-2023 17:00
Static task: static1
Behavioral task: behavioral1
- Sample: Order confirmation, Invoice.exe
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: Order confirmation, Invoice.exe
- Resource: win10v2004-20231023-en
General
- Target: Order confirmation, Invoice.exe
- Size: 1.8MB
- MD5: 08be0b23f7706fcfddf96ae258a67249
- SHA1: 54b9491995dda5b4849c5f10afc53175e0f67bd9
- SHA256: 66c7d769249d9da750ff736b447f0573c7cd5432a680e3a72d09bc1e238e83d1
- SHA512: 716a7751942e38f097c881bed9e6389043ed6360ca3f1dd65dd7ae644f6967ecaa9a9445295c31ac9d7e58ec316672d6b1c3b165a0473c8da2b276dfb2239a44
- SSDEEP: 49152:aD4+yRMXpcOX8IxTqh0eJa3DZEe9sRuCVCW4FMyqChsyfue9T:aDqRMXpcOXX8Za31CuCchMXC+yf
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: ao65
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- Formbook payload (4 IoCs)
  Memory dumps matching the formbook YARA rule:
  - behavioral2/memory/1080-10-0x0000000005020000-0x0000000006020000-memory.dmp
  - behavioral2/memory/1080-14-0x0000000005020000-0x0000000006020000-memory.dmp
  - behavioral2/memory/3516-23-0x0000000000EE0000-0x0000000000F0F000-memory.dmp
  - behavioral2/memory/3516-25-0x0000000000EE0000-0x0000000000F0F000-memory.dmp
- ModiLoader Second Stage (1 IoC)
  Memory dump matching the modiloader_stage2 YARA rule:
  - behavioral2/memory/1172-3-0x0000000004530000-0x0000000005530000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Order confirmation, Invoice.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ugoseapd = "C:\\Users\\Public\\Ugoseapd.url"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 1080 (colorcpl.exe) set thread context of 3328 (Explorer.EXE)
  - PID 3516 (msiexec.exe) set thread context of 3328 (Explorer.EXE)
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  - HTTP User-Agent header, flow 25: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 27: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (50 IoCs)
  - PID 1172 Order confirmation, Invoice.exe (2 hits)
  - PID 1080 colorcpl.exe (4 hits)
  - PID 3516 msiexec.exe (44 hits)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3328 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 1080 colorcpl.exe (3 hits)
  - PID 3516 msiexec.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  - Token: SeDebugPrivilege, PID 1080 colorcpl.exe
  - Token: SeShutdownPrivilege, PID 3328 Explorer.EXE
  - Token: SeCreatePagefilePrivilege, PID 3328 Explorer.EXE
  - Token: SeShutdownPrivilege, PID 3328 Explorer.EXE
  - Token: SeCreatePagefilePrivilege, PID 3328 Explorer.EXE
  - Token: SeDebugPrivilege, PID 3516 msiexec.exe
- Suspicious use of UnmapMainImage (1 IoC)
  - PID 3328 Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  - PID 1172 (Order confirmation, Invoice.exe) wrote to memory of 1080 (colorcpl.exe), 4 hits
  - PID 3328 (Explorer.EXE) wrote to memory of 3516 (msiexec.exe), 3 hits
  - PID 3516 (msiexec.exe) wrote to memory of 2484 (cmd.exe), 3 hits
Processes
(The leading number is the depth in the process tree: 1 = root, 2 = child of the preceding depth-1 process, 3 = child of the preceding depth-2 process.)

1. C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3328
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Order confirmation, Invoice.exe (command line: "C:\Users\Admin\AppData\Local\Temp\Order confirmation, Invoice.exe"), PID 1172
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\colorcpl.exe (command line: C:\Windows\System32\colorcpl.exe), PID 1080
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\msiexec.exe (command line: "C:\Windows\SysWOW64\msiexec.exe"), PID 3516
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Windows\SysWOW64\colorcpl.exe"), PID 2484