Analysis
- max time kernel: 149s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-11-2023 17:44

Static task
- static1

Behavioral task
- behavioral1
  - Sample: e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
  - Resource: win7-20231023-en

Behavioral task
- behavioral2
  - Sample: e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
  - Resource: win10v2004-20231023-en

The signatures and process tree below all come from behavioral2 (the Windows 10 run); the behavioral1 (Windows 7) run is listed but its results are not reproduced on this page.
General
- Target: e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe
- Size: 1.7MB
- MD5: 4fa301c6f5c6013be9d3b136ef6fbb96
- SHA1: 1e1e6227b2bc7426b168a492c4b8d202478be1a4
- SHA256: e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa
- SHA512: 797b816d9163ad032caafcaed0ec43f8c7f3e4689ca61ea71776ff1bc1a5d08aacf671fbb07cdd2be9e10736c2d3a7253763156cb2d91c107d8916e3f758bfc1
- SSDEEP: 49152:bZAtX8IxTqh0eJa3DZEe9sRuCVCW4lMyqChsQ:bZmXX8Za31CuCc5MXC+Q
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- 6nrs (the report shows this value without a field name; in Formbook configurations a 4-character value in this position is the campaign identifier)
- Domains (65). Formbook configurations list many decoy domains alongside the live C2, so treat the list as a whole as indicators rather than each entry as a confirmed C2:
mteverestminiralwater.com
northlakesodllcgov.com
de-guru.com
iwz-69.com
323va.com
tiktokshopbuilder.com
sekisensei.com
jcpublicschoolsfoundation.com
yangguangdadao.net
dingshenghr.net
yzyz458.xyz
topmczonseo.com
financeconta.com
handtools-88870.bond
scymedia.online
rutman.store
qlpss.com
righitch.com
parentsrpeople2.com
appeal-request-review.com
getestablishcrednow.net
hjkl500.space
bottles2bags.com
willanime.com
tqmqmkmmh.top
tawreed-int.com
whhqlh.com
medicaltraininglnstitution.com
schneidermans.shop
551kk.cfd
h-m-31.com
8363k.vip
chatlhh5.com
precisionappinstalls.com
uslasry.net
data-analytics-78756.bond
assabmould.net
ivxxms.top
cnwsjd.cfd
chronotech.online
rzrfux.com
aquaedgewatersports.com
novaatria.com
gddeli.icu
nancymottabstractart.com
rsungu.com
aeroportlogistics.com
occultdoctor.com
idolaqq6.xyz
cremation-services-98621.bond
druk.site
tasaki.shop
yehslawd.com
mqksv2.top
cybertechglobalai.com
testcf.xyz
ravalpersonnelservices.com
easyhealthconsulting.com
forklift-job.sbs
ssongg10494.cfd
ecodfairs.top
inin-03.com
601234.net
milehighopenhouse.com
fmahrd.com
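The block below is an added example, not part of this report and not tooling from the sandbox vendor. It matches proxy-log lines against the configuration extracted above: host names are compared after stripping the www. prefix Formbook prepends, POSTs to a configured domain are called out as exfiltration candidates, and the WinHttpRequest user-agent recorded later in this report is flagged as well. Two things are assumptions, labelled in the code: that the 4-character value 6nrs is the campaign identifier Formbook uses as the URI directory of its beacons (as public write-ups of the family describe), and the log format together with the five sample lines, which are constructed for the example.

```python
"""Match proxy-log lines against the Formbook configuration extracted above.

Added example; not part of the sandbox report.  CONFIG_DOMAINS and SCRIPT_UA
are transcribed from the report.  Assumption: the 4-character value "6nrs" is
the campaign identifier that Formbook uses as the URI directory of its beacons
(GET/POST /6nrs/...), as public write-ups of the family describe.  The log
format ('ts client method url status "user-agent"') and SAMPLE_LOG are
constructed for this example.
"""
import re
from urllib.parse import urlsplit

CAMPAIGN = "6nrs"  # assumed to be the campaign / URI-directory string
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# the domain list from the extracted config (decoys and live C2 mixed)
CONFIG_DOMAINS = frozenset("""
mteverestminiralwater.com northlakesodllcgov.com de-guru.com iwz-69.com 323va.com
tiktokshopbuilder.com sekisensei.com jcpublicschoolsfoundation.com yangguangdadao.net dingshenghr.net
yzyz458.xyz topmczonseo.com financeconta.com handtools-88870.bond scymedia.online
rutman.store qlpss.com righitch.com parentsrpeople2.com appeal-request-review.com
getestablishcrednow.net hjkl500.space bottles2bags.com willanime.com tqmqmkmmh.top
tawreed-int.com whhqlh.com medicaltraininglnstitution.com schneidermans.shop 551kk.cfd
h-m-31.com 8363k.vip chatlhh5.com precisionappinstalls.com uslasry.net
data-analytics-78756.bond assabmould.net ivxxms.top cnwsjd.cfd chronotech.online
rzrfux.com aquaedgewatersports.com novaatria.com gddeli.icu nancymottabstractart.com
rsungu.com aeroportlogistics.com occultdoctor.com idolaqq6.xyz cremation-services-98621.bond
druk.site tasaki.shop yehslawd.com mqksv2.top cybertechglobalai.com
testcf.xyz ravalpersonnelservices.com easyhealthconsulting.com forklift-job.sbs ssongg10494.cfd
ecodfairs.top inin-03.com 601234.net milehighopenhouse.com fmahrd.com
""".split())

# constructed log layout: ts client method url status "user-agent"
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def normalize_host(host):
    """Formbook prefixes the configured domain with www.; compare the bare name."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(method, url, user_agent):
    """Return the reasons a single request looks like Formbook / loader traffic."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname)
    reasons = []
    if host in CONFIG_DOMAINS:
        reasons.append("host is in the extracted Formbook config")
        if method.upper() == "POST":
            reasons.append("POST to a configured domain (exfiltration candidate)")
    if parts.path.startswith(f"/{CAMPAIGN}/"):
        reasons.append("URI directory equals the campaign string (assumed beacon layout)")
    if user_agent == SCRIPT_UA:
        reasons.append("WinHttpRequest user-agent recorded in the report")
    return reasons


def scan(log_text):
    """Return (line_no, bare_host, reasons) for every line that matched something."""
    hits = []
    for line_no, line in enumerate(log_text.strip().splitlines(), 1):
        m = LINE.match(line)
        if not m:
            continue  # not in the constructed format; a real parser would log this
        _ts, _client, method, url, _status, user_agent = m.groups()
        reasons = classify(method, url, user_agent)
        if reasons:
            hits.append((line_no, normalize_host(urlsplit(url).hostname), reasons))
    return hits


# constructed sample traffic: beacon, exfil POST, benign, loader download, bare probe
SAMPLE_LOG = """\
1701107051 10.0.0.7 GET http://www.topmczonseo.com/6nrs/?Xd=abc123&0hQP=def456 200 "Mozilla/5.0 (Windows NT 10.0; WOW64)"
1701107052 10.0.0.7 POST http://www.topmczonseo.com/6nrs/ 200 "Mozilla/5.0 (Windows NT 10.0; WOW64)"
1701107053 10.0.0.7 GET http://www.example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; WOW64)"
1701107054 10.0.0.7 GET http://files.example.net/stage2.bin 200 "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
1701107055 10.0.0.7 GET http://rutman.store/ 404 "Mozilla/5.0 (Windows NT 10.0; WOW64)"
"""

if __name__ == "__main__":
    for line_no, host, reasons in scan(SAMPLE_LOG):
        print(f"line {line_no} {host}: " + "; ".join(reasons))
```

A host match alone is a medium-confidence signal because most of the 65 entries are decoys; a host match combined with the campaign-string path, or a POST to a configured domain, is what to page on. The WinHttpRequest user-agent is noisy on its own (any VBScript/WSH download uses it) and is only worth correlating with the host and timing of the loader stage.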
Signatures

ModiLoader, DBatLoader
ModiLoader (also tracked as DBatLoader) is a loader written in Delphi that abuses public cloud and file-hosting services to fetch and run other malware families; in this run the delivered payload is Formbook.
-
Formbook payload (4 IoCs)
YARA rule "formbook" matched in these memory regions:
- behavioral2/memory/1800-9-0x00000000045C0000-0x00000000055C0000-memory.dmp (PID 1800, colorcpl.exe)
- behavioral2/memory/1800-18-0x00000000045C0000-0x00000000055C0000-memory.dmp (PID 1800, colorcpl.exe)
- behavioral2/memory/1812-24-0x00000000012D0000-0x00000000012FF000-memory.dmp (PID 1812, ipconfig.exe)
- behavioral2/memory/1812-26-0x00000000012D0000-0x00000000012FF000-memory.dmp (PID 1812, ipconfig.exe)
ModiLoader Second Stage (1 IoC)
YARA rule "modiloader_stage2" matched in:
- behavioral2/memory/4548-3-0x0000000003170000-0x0000000004170000-memory.dmp (PID 4548, the submitted sample)
Adds Run key to start application (2 TTPs, 1 IoC)
- Process: e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe (PID 4548)
- Set value (str): \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kxoyjzlj = "C:\\Users\\Public\\Kxoyjzlj.url"
The Run value points at a .url Internet-shortcut file in the world-writable C:\Users\Public directory, not at the dropper itself. The report does not show what the shortcut targets, so resolve it on a live host before deciding what to remove.
Suspicious use of SetThreadContext (2 IoCs)
- PID 1800 (colorcpl.exe) set thread context of PID 3344 (Explorer.EXE)
- PID 1812 (ipconfig.exe) set thread context of PID 3344 (Explorer.EXE)
Neither caller created Explorer.EXE, so both records are cross-process injection into an already running process rather than the usual suspended-child pattern.
Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view network configuration.
- PID 1812 ipconfig.exe
This signature fires on the process name alone. In this trace ipconfig.exe was started by Explorer.EXE with no arguments, carries Formbook in memory (see the Formbook payload IoCs), sets the thread context of Explorer.EXE and spawns cmd.exe: it is the process Formbook chose to run in, not a genuine network-enumeration command.
Script User-Agent (2 IoCs)
Uses a user-agent string associated with a script host/environment.
- HTTP User-Agent header, flow 22: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- HTTP User-Agent header, flow 24: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
This is the default user-agent of the WinHttp.WinHttpRequest COM object (used from VBScript/JScript and similar script hosts); the report does not say which process produced the two flows.
Suspicious behavior: EnumeratesProcesses (50 IoCs)
- PID 4548 e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe: 2 entries
- PID 1800 colorcpl.exe: 4 entries
- PID 1812 ipconfig.exe: 44 entries (all remaining)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 3344 Explorer.EXE
Repeated GetForegroundWindow calls from the shell are consistent with the code injected into Explorer.EXE (see SetThreadContext) polling the active window.
Suspicious behavior: MapViewOfSection (5 IoCs)
- PID 1800 colorcpl.exe: 3 entries
- PID 1812 ipconfig.exe: 2 entries
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- PID 1800 colorcpl.exe: SeDebugPrivilege
- PID 3344 Explorer.EXE: SeShutdownPrivilege
- PID 3344 Explorer.EXE: SeCreatePagefilePrivilege
- PID 3344 Explorer.EXE: SeShutdownPrivilege
- PID 3344 Explorer.EXE: SeCreatePagefilePrivilege
- PID 1812 ipconfig.exe: SeDebugPrivilege
SeDebugPrivilege enabled in colorcpl.exe and ipconfig.exe, neither of which needs it, is the prerequisite for the injection into Explorer.EXE; the SeShutdown/SeCreatePagefile entries from Explorer.EXE itself are commonly seen from the shell and are weak signals on their own.
Suspicious use of UnmapMainImage (1 IoC)
- PID 3344 Explorer.EXE
Suspicious use of WriteProcessMemory (10 IoCs)
- PID 4548 (e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe) wrote to memory of PID 1800 (colorcpl.exe): 4 entries
- PID 3344 (Explorer.EXE) wrote to memory of PID 1812 (ipconfig.exe): 3 entries
- PID 1812 (ipconfig.exe) wrote to memory of PID 1752 (cmd.exe): 3 entries
Every write goes from a parent into the child it just started. Read together with the SetThreadContext records, the chain is: the sample writes into colorcpl.exe, which injects into Explorer.EXE; the injected Explorer.EXE starts and writes into ipconfig.exe, which injects into Explorer.EXE again and starts cmd.exe to delete colorcpl.exe.
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3344
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe"), PID 4548
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\colorcpl.exe (command line: C:\Windows\System32\colorcpl.exe), PID 1800
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\ipconfig.exe (command line: "C:\Windows\SysWOW64\ipconfig.exe"), PID 1812
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Windows\SysWOW64\colorcpl.exe"), PID 1752

Three things in the tree are worth noting. colorcpl.exe was requested as C:\Windows\System32\colorcpl.exe but ran from C:\Windows\SysWOW64: the sample is a 32-bit process and WOW64 file-system redirection rewrote the path, so the sample, colorcpl.exe, ipconfig.exe and cmd.exe are all 32-bit. ipconfig.exe is a child of Explorer.EXE, not of the sample; it was started by the Formbook code injected into the shell. The final cmd.exe attempts to delete the colorcpl.exe image that hosted the first Formbook stage; the report does not record whether the deletion succeeded.
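The block below is an added example, not part of the report and not the sandbox's own code. It parses the SetThreadContext, WriteProcessMemory and Run-key records from the Signatures section (transcribed from this page, one line per distinct write pair) together with the parent/child relations from the Processes tree, and separates parent-into-child writes from SetThreadContext calls aimed at a process the caller did not create, which is what singles out colorcpl.exe and ipconfig.exe as the injection hosts. The persistence heuristics (shortcut extension, world-writable directory) are the example's own, not the sandbox's.

```python
"""Reconstruct the injection chain and persistence from the flattened
signature records of the sandbox report above.

Added example: not part of the report and not the sandbox's tooling.
RECORDS is transcribed from the report (the report repeats each
WriteProcessMemory pair once per call; one line per pair is kept here) and
PARENTS from its Processes tree.  The persistence heuristics are hypothetical.
"""
import re

RECORDS = r"""
PID 1800 set thread context of 3344 1800 colorcpl.exe Explorer.EXE
PID 1812 set thread context of 3344 1812 ipconfig.exe Explorer.EXE
PID 4548 wrote to memory of 1800 4548 e5590f3ca36c707f3cec8c6fdfecfa949233708dae9b8d11f020906b8058bffa.exe colorcpl.exe
PID 3344 wrote to memory of 1812 3344 Explorer.EXE ipconfig.exe
PID 1812 wrote to memory of 1752 1812 ipconfig.exe cmd.exe
Set value (str) \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kxoyjzlj = "C:\\Users\\Public\\Kxoyjzlj.url"
"""

# parent PID of each process, from the Processes tree in the report
PARENTS = {4548: 3344, 1800: 4548, 1812: 3344, 1752: 1812}

CTX = re.compile(r"^PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)$")
WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RUN = re.compile(r'^Set value \((\w+)\) (\S+\\Run\\\S+) = "(.*)"$')

SHORTCUT_EXT = ("url", "lnk")                                   # hypothetical heuristic
WORLD_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\")   # hypothetical heuristic


def persistence_flags(target):
    """Why a Run-key target deserves attention (example's own heuristics)."""
    flags = []
    ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
    if ext in SHORTCUT_EXT:
        flags.append(f"target is a shortcut (.{ext}); resolve it to find the real executable")
    if target.lower().startswith(WORLD_WRITABLE):
        flags.append("target lives in a world-writable directory")
    return flags


def analyze(text=RECORDS):
    """Parse the records and classify the cross-process activity."""
    names, ctx, writes, persistence = {}, [], set(), []
    for line in text.strip().splitlines():
        if m := CTX.match(line):
            src, dst = int(m[1]), int(m[2])
            names.update({src: m[3], dst: m[4]})
            ctx.append((src, dst))
        elif m := WPM.match(line):
            src, dst = int(m[1]), int(m[2])
            names.update({src: m[3], dst: m[4]})
            writes.add((src, dst))
        elif m := RUN.match(line):
            target = m[3].replace("\\\\", "\\")  # undo the report's JSON-style escaping
            persistence.append((m[2], target, persistence_flags(target)))

    # A parent writing into a child it just created also shows up for ordinary
    # process creation in these traces; the strong signal is a process that
    # afterwards sets the thread context of a process it did NOT create.
    child_writes = {(s, d) for s, d in writes if PARENTS.get(d) == s}
    foreign_ctx = [(s, d) for s, d in ctx if PARENTS.get(d) != s]
    hosts = sorted({d for _, d in child_writes if any(s == d for s, _ in foreign_ctx)})
    return {
        "names": names,
        "thread_context": ctx,
        "child_writes": child_writes,
        "foreign_thread_context": foreign_ctx,
        "injection_hosts": hosts,   # processes Formbook used as its running hosts
        "persistence": persistence,
    }


if __name__ == "__main__":
    result = analyze()
    for pid in result["injection_hosts"]:
        print(f"{pid} {result['names'][pid]}: written by parent {PARENTS[pid]}, "
              "then SetThreadContext on a process it did not create")
    for key, target, flags in result["persistence"]:
        print(key.rsplit("\\", 1)[-1], "->", target, flags)
```

cmd.exe (PID 1752) is written to by its parent exactly like the two hosts but never touches a foreign thread, so it drops out of the host list; that is the distinction a hunting query over EDR telemetry should make too, rather than alerting on every parent-to-child memory write.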