Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2023 08:41
Static task: static1
Behavioral task: behavioral1
  Sample: 4fa301c6f5c6013be9d3b136ef6fbb96.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 4fa301c6f5c6013be9d3b136ef6fbb96.exe
  Resource: win10v2004-20231020-en
General
Target: 4fa301c6f5c6013be9d3b136ef6fbb96.exe
Size: 1.7MB
MD5: 4fa301c6f5c6013be9d3b136ef6fbb96
SHA1: 1e1e6227b2bc7426b168a492c4b8d202478be1a4
SHA256: e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa
SHA512: 797b816d9163ad032caafcaed0ec43f8c7f3e4689ca61ea71776ff1bc1a5d08aacf671fbb07cdd2be9e10736c2d3a7253763156cb2d91c107d8916e3f758bfc1
SSDEEP: 49152:bZAtX8IxTqh0eJa3DZEe9sRuCVCW4lMyqChsQ:bZmXX8Za31CuCc5MXC+Q
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: 6nrs
C2 domains:
mteverestminiralwater.com
northlakesodllcgov.com
de-guru.com
iwz-69.com
323va.com
tiktokshopbuilder.com
sekisensei.com
jcpublicschoolsfoundation.com
yangguangdadao.net
dingshenghr.net
yzyz458.xyz
topmczonseo.com
financeconta.com
handtools-88870.bond
scymedia.online
rutman.store
qlpss.com
righitch.com
parentsrpeople2.com
appeal-request-review.com
getestablishcrednow.net
hjkl500.space
bottles2bags.com
willanime.com
tqmqmkmmh.top
tawreed-int.com
whhqlh.com
medicaltraininglnstitution.com
schneidermans.shop
551kk.cfd
h-m-31.com
8363k.vip
chatlhh5.com
precisionappinstalls.com
uslasry.net
data-analytics-78756.bond
assabmould.net
ivxxms.top
cnwsjd.cfd
chronotech.online
rzrfux.com
aquaedgewatersports.com
novaatria.com
gddeli.icu
nancymottabstractart.com
rsungu.com
aeroportlogistics.com
occultdoctor.com
idolaqq6.xyz
cremation-services-98621.bond
druk.site
tasaki.shop
yehslawd.com
mqksv2.top
cybertechglobalai.com
testcf.xyz
ravalpersonnelservices.com
easyhealthconsulting.com
forklift-job.sbs
ssongg10494.cfd
ecodfairs.top
inin-03.com
601234.net
milehighopenhouse.com
fmahrd.com
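The config block above is flat text: family, version, campaign ID, then the domain list. Formbook configs pad the real C2 with decoy domains, so the practical use of the list is to alert on all of it as one set rather than to hunt for a single domain. The Python below is an added example (not sandbox output, not Formbook code) that parses the block into fields and emits one Suricata DNS rule per domain; CONFIG_TEXT carries only the first six domains of the list above, and the SID range is assumed.

```python
"""Parse the flattened Formbook config block printed above and turn its
domain list into Suricata DNS rules.

Added example (not sandbox output). CONFIG_TEXT reproduces the header and
the first six domains of the extracted config; the SID range is assumed."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed input: the report's config in the order the page prints it
# (family, version, campaign ID, then one domain per line), truncated to
# six domains so the example stays short.
CONFIG_TEXT = """
formbook
4.1
6nrs
mteverestminiralwater.com
northlakesodllcgov.com
de-guru.com
iwz-69.com
323va.com
handtools-88870.bond
"""

# RFC 1035-style hostname: dot-separated labels of letters, digits and
# inner hyphens, alphabetic TLD, 253 characters or fewer overall.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass
class FormbookConfig:
    family: str
    version: str
    campaign: str
    domains: List[str] = field(default_factory=list)


def parse_config(text: str) -> FormbookConfig:
    """Split the block into header fields and a de-duplicated domain list,
    rejecting anything in the domain section that is not a hostname."""
    lines = [ln.strip().lower() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("expected family, version, campaign and >= 1 domain")
    family, version, campaign, *rest = lines
    if family != "formbook":
        raise ValueError(f"unexpected family {family!r}")
    seen, domains = set(), []
    for dom in rest:
        if not DOMAIN_RE.match(dom):
            raise ValueError(f"not a hostname: {dom!r}")
        if dom not in seen:
            seen.add(dom)
            domains.append(dom)
    return FormbookConfig(family, version, campaign, domains)


def suricata_dns_rules(cfg: FormbookConfig, base_sid: int = 9000000) -> List[str]:
    """One rule per domain. 'dotprefix' + 'endswith' makes the rule match the
    domain and any subdomain without matching 'notde-guru.com'-style lookalikes.
    Formbook pads its real C2 with decoys, so every entry is alerted on; the
    message carries the campaign ID so alerts from different configs can be
    told apart. base_sid is an assumed local SID range."""
    rules = []
    for i, dom in enumerate(cfg.domains):
        rules.append(
            f'alert dns $HOME_NET any -> any any ('
            f'msg:"Formbook {cfg.version} campaign {cfg.campaign} C2/decoy {dom}"; '
            f'dns.query; dotprefix; content:".{dom}"; nocase; endswith; '
            f'sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(f"{cfg.family} {cfg.version} campaign {cfg.campaign}: {len(cfg.domains)} domains")
    print("\n".join(suricata_dns_rules(cfg)))
```

Paste the full 64-domain list into CONFIG_TEXT to get the complete rule set; the parser refuses a header line that has slipped into the domain section, which is the usual failure when a report is copied by hand.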
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Formbook payload (4 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3840-9-0x0000000003450000-0x0000000004450000-memory.dmp   formbook
  behavioral2/memory/3840-13-0x0000000003450000-0x0000000004450000-memory.dmp  formbook
  behavioral2/memory/4984-20-0x00000000008E0000-0x000000000090F000-memory.dmp  formbook
  behavioral2/memory/4984-22-0x00000000008E0000-0x000000000090F000-memory.dmp  formbook

ModiLoader Second Stage (1 IoC)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/1480-3-0x0000000003100000-0x0000000004100000-memory.dmp   modiloader_stage2

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  process: 4fa301c6f5c6013be9d3b136ef6fbb96.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kxoyjzlj = "C:\\Users\\Public\\Kxoyjzlj.url"
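A Run value that points at a .url shortcut in C:\Users\Public rather than at a PE file is the persistence pattern worth hunting across a fleet, independent of the random value name. The Python below is an added example (not part of the report) that applies that check to a `reg export` of the Run key, so it runs on any platform against a collected export; the export is constructed, with only the Kxoyjzlj entry taken from the IoC above.

```python
"""Flag autorun entries of the kind the sandbox recorded above: a Run value
pointing at a non-executable (here a .url Internet Shortcut) in a
world-writable directory. Works on a .reg export so it runs anywhere.

Added example, not part of the report. The export below is constructed;
only the Kxoyjzlj entry is taken from the sandbox's registry IoC."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed `reg export HKCU\...\Run` output. The sandbox prints the key in
# native form (\REGISTRY\USER\<SID>\SOFTWARE\...\Run); exports use HKEY_*.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Kxoyjzlj"="C:\\Users\\Public\\Kxoyjzlj.url"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')
# Leading executable/path on a command line: drive or %VAR% root, up to the
# first extension, optionally quoted.
PATH_RE = re.compile(
    r'^"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.(?P<ext>[A-Za-z0-9]{1,4}))"?(?:\s|$)'
)
RUN_KEY_SUFFIXES = (
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN",
    "\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE",
)
# Autorun targets that are shortcuts or scripts rather than PE files.
NON_PE_EXT = {".url", ".lnk", ".vbs", ".vbe", ".js", ".jse", ".hta", ".bat",
              ".cmd", ".ps1", ".pif", ".scr"}
WORLD_WRITABLE = ("\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\", "\\APPDATA\\LOCAL\\TEMP\\")


@dataclass
class Finding:
    key: str
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def unescape_reg_string(data: str) -> Optional[str]:
    """Decode a quoted REG_SZ value ("..."), where \\ and \" are escaped.
    Other encodings (hex(2):..., dword:...) are not handled and yield None."""
    if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
        return None
    return re.sub(r'\\(["\\])', r"\1", data[1:-1])


def scan_reg_export(text: str) -> List[Finding]:
    """Walk the export, keep only Run/RunOnce keys, and score each value."""
    findings: List[Finding] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        if key is None or not key.upper().endswith(RUN_KEY_SUFFIXES):
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        data = unescape_reg_string(vm.group("data"))
        if data is None:
            continue
        pm = PATH_RE.match(data)
        if not pm:
            continue
        path, ext = pm.group("path"), "." + pm.group("ext").lower()
        reasons = []
        if ext in NON_PE_EXT:
            reasons.append(f"autorun target is a {ext} file, not a PE")
        if any(d in path.upper() for d in WORLD_WRITABLE):
            reasons.append("target lives in a world-writable directory")
        if reasons:
            findings.append(Finding(key, vm.group("name"), path, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f.key}\\{f.name} -> {f.path}: " + "; ".join(f.reasons))
```

The two benign entries pass because they launch a PE from a protected directory; the Kxoyjzlj entry trips both checks. Values stored as hex(2) or dword are skipped rather than guessed at.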

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                           pid   process       target process
  PID 3840 set thread context of 3340   3840  SndVol.exe    Explorer.EXE
  PID 4984 set thread context of 3340   4984  rundll32.exe  Explorer.EXE

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
Processes:
  description             flow  ioc
  HTTP User-Agent header  24    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  22    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes:
  pid   process                                hits
  1480  4fa301c6f5c6013be9d3b136ef6fbb96.exe   2
  3840  SndVol.exe                             4
  4984  rundll32.exe                           44

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  3340  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process        hits
  3840  SndVol.exe     3
  4984  rundll32.exe   2

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description                        pid   process        hits
  Token: SeDebugPrivilege            3840  SndVol.exe     1
  Token: SeShutdownPrivilege         3340  Explorer.EXE   4
  Token: SeCreatePagefilePrivilege   3340  Explorer.EXE   4
  Token: SeDebugPrivilege            4984  rundll32.exe   1

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
  pid   process
  3840  SndVol.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid   process      hits
  3840  SndVol.exe   2

Suspicious use of UnmapMainImage (1 IoC)
Processes:
  pid   process
  3340  Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                         pid   process                               target process   hits
  PID 1480 wrote to memory of 3840    1480  4fa301c6f5c6013be9d3b136ef6fbb96.exe  SndVol.exe       4
  PID 3340 wrote to memory of 4984    3340  Explorer.EXE                          rundll32.exe     3
  PID 4984 wrote to memory of 4912    4984  rundll32.exe                          cmd.exe          3
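Read together, the SetThreadContext and WriteProcessMemory tables and the process tree give the injection chain: the sample in %TEMP% writes into its SndVol.exe child, SndVol.exe sets a thread context in Explorer.EXE, Explorer.EXE spawns and writes into rundll32.exe (which also sets a thread context in Explorer.EXE), and rundll32.exe spawns the cmd.exe that deletes SndVol.exe. The Python below is an added example (not sandbox output) that recovers that chain by taint propagation over the transcribed records; parent PIDs are inferred from the nesting of the process tree and are an assumption.

```python
"""Rebuild the injection chain the signatures above describe: which processes
a sample from %TEMP% touched, through which cross-process APIs, and where the
chain ended (a cmd.exe that deletes a file).

Added example, not sandbox output. Process records and events are
transcribed from the report's process tree and signature tables; parent
PIDs are inferred from the tree's nesting and are an assumption."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    ppid: Optional[int]


# SndVol.exe shows a SysWOW64 image for a System32 command line: that is WOW64
# file-system redirection (the sample is 32-bit), not by itself an injection
# indicator, so it is not used as a signal here.
PROCS: Dict[int, Proc] = {
    3340: Proc(3340, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", None),
    1480: Proc(1480, r"C:\Users\Admin\AppData\Local\Temp\4fa301c6f5c6013be9d3b136ef6fbb96.exe",
               r'"C:\Users\Admin\AppData\Local\Temp\4fa301c6f5c6013be9d3b136ef6fbb96.exe"', 3340),
    3840: Proc(3840, r"C:\Windows\SysWOW64\SndVol.exe", r"C:\Windows\System32\SndVol.exe", 1480),
    4984: Proc(4984, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\SysWOW64\rundll32.exe"', 3340),
    4912: Proc(4912, r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\SndVol.exe"', 4984),
}

# (api, source pid, target pid), one tuple per row of the signature tables.
EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 1480, 3840)] * 4
    + [("WriteProcessMemory", 3340, 4984)] * 3
    + [("WriteProcessMemory", 4984, 4912)] * 3
    + [("SetThreadContext", 3840, 3340), ("SetThreadContext", 4984, 3340)]
)

USER_WRITABLE = ("\\APPDATA\\LOCAL\\TEMP\\", "\\USERS\\PUBLIC\\", "\\PROGRAMDATA\\")


def untrusted_origin(p: Proc) -> bool:
    """A process whose image sits in a user-writable directory seeds the taint."""
    return any(m in p.image.upper() for m in USER_WRITABLE)


def propagate_taint(procs: Dict[int, Proc],
                    events: List[Tuple[str, int, int]]) -> Dict[int, str]:
    """Fixpoint over two rules: a child of a tainted process is tainted, and a
    process written to or re-pointed (SetThreadContext) by a tainted process
    is tainted. Returns pid -> reason in the order processes became tainted,
    which is the injection chain."""
    edges: Dict[Tuple[int, int], set] = defaultdict(set)
    for api, src, dst in events:
        edges[(src, dst)].add(api)
    tainted: Dict[int, str] = {}
    for p in procs.values():
        if untrusted_origin(p):
            tainted[p.pid] = f"image in user-writable path {p.image}"
    changed = True
    while changed:
        changed = False
        for p in procs.values():
            if p.pid in tainted:
                continue
            reasons = []
            if p.ppid in tainted:
                reasons.append(f"child of tainted {p.ppid}")
            for (src, dst), apis in edges.items():
                if dst == p.pid and src in tainted:
                    reasons.append(f"{'/'.join(sorted(apis))} from tainted {src}")
            if reasons:
                tainted[p.pid] = "; ".join(reasons)
                changed = True
    return tainted


DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def deleted_paths(procs: Dict[int, Proc]) -> Dict[int, str]:
    """cmd.exe children used for cleanup: pid -> path named in `del`."""
    out = {}
    for p in procs.values():
        m = DEL_RE.search(p.cmdline)
        if p.image.lower().endswith("\\cmd.exe") and m:
            out[p.pid] = m.group(1)
    return out


if __name__ == "__main__":
    for pid, why in propagate_taint(PROCS, EVENTS).items():
        name = PROCS[pid].image.rsplit("\\", 1)[-1]
        print(f"{pid:>5} {name:<40} {why}")
    for pid, path in deleted_paths(PROCS).items():
        print(f"{pid:>5} deletes {path}")
```

The chain comes out as 1480, 3840, 3340, 4984, 4912, which is the order a responder should image memory in: Explorer.EXE is tainted through SetThreadContext alone, with no parent relationship to the sample, so a tree-only view would miss it. The same two rules apply unchanged to EDR telemetry, with the event list fed from process-access and process-creation records instead of a transcribed table.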
Processes

C:\Windows\Explorer.EXE  [level 1, PID 3340]
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\4fa301c6f5c6013be9d3b136ef6fbb96.exe  [level 2, PID 1480]
    command line: "C:\Users\Admin\AppData\Local\Temp\4fa301c6f5c6013be9d3b136ef6fbb96.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\SndVol.exe  [level 3, PID 3840]
      command line: C:\Windows\System32\SndVol.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rundll32.exe  [level 2, PID 4984]
    command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  [level 3, PID 4912]
      command line: /c del "C:\Windows\SysWOW64\SndVol.exe"