Analysis
max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2023 16:29
Static task: static1
Behavioral task: behavioral1
  Sample: Znuvgbtsedoszb.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: Znuvgbtsedoszb.exe
  Resource: win10v2004-20231127-en
General
Target: Znuvgbtsedoszb.exe
Size: 2.8MB
MD5: d726d57563144b62b4688cc12e34cfda
SHA1: 5ce5d9e655a8bc6bec4c5b823f1a2ad6bfeff327
SHA256: 83320be7f5851145e2f8713daeea3bcf5eff2ac87d63e6e47336f95ed22e91c8
SHA512: 010712d263144ae1cfd5a907ad66768fd8cf5b6654f80d8c8de7e136b73184a957000f3e022d473a49fb3432717068254fbb57a115eb803aad95b9d4288c6122
SSDEEP: 49152:Xm/PpH8yc0/wU2lpe63ZrxKrVEbRIqiPt411Fehg1mQzZ:XOpcyV/wjpdZrxEVEtI14xqnY
Malware Config
Extracted
formbook
4.1
fadc
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Formbook payload 4 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2736-9-0x0000000002A90000-0x0000000003A90000-memory.dmp  formbook
behavioral2/memory/2736-13-0x0000000002A90000-0x0000000003A90000-memory.dmp  formbook
behavioral2/memory/4040-20-0x0000000000620000-0x000000000064F000-memory.dmp  formbook
behavioral2/memory/4040-22-0x0000000000620000-0x000000000064F000-memory.dmp  formbook
ModiLoader Second Stage 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/2572-2-0x0000000004400000-0x0000000005400000-memory.dmp  modiloader_stage2
Adds Run key to start application 2 TTPs 1 IoCs
Processes: Znuvgbtsedoszb.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-3455265224-196869244-2056873367-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Znuvgbts = "C:\\Users\\Public\\Znuvgbts.url"  Znuvgbtsedoszb.exe
Suspicious use of SetThreadContext 2 IoCs
Processes: SndVol.exe, rundll32.exe
description  pid  process  target process
PID 2736 set thread context of 3260  2736  SndVol.exe  Explorer.EXE
PID 4040 set thread context of 3260  4040  rundll32.exe  Explorer.EXE
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description  flow  ioc
HTTP User-Agent header  38  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  40  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes: Znuvgbtsedoszb.exe, SndVol.exe, rundll32.exe
pid  process
2572  Znuvgbtsedoszb.exe (2 entries)
2736  SndVol.exe (4 entries)
4040  rundll32.exe (48 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid  process
3260  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: SndVol.exe, rundll32.exe
pid  process
2736  SndVol.exe
2736  SndVol.exe
2736  SndVol.exe
4040  rundll32.exe
4040  rundll32.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes: SndVol.exe, Explorer.EXE, rundll32.exe
description  pid  process
Token: SeDebugPrivilege  2736  SndVol.exe
Token: SeShutdownPrivilege  3260  Explorer.EXE
Token: SeCreatePagefilePrivilege  3260  Explorer.EXE
Token: SeShutdownPrivilege  3260  Explorer.EXE
Token: SeCreatePagefilePrivilege  3260  Explorer.EXE
Token: SeShutdownPrivilege  3260  Explorer.EXE
Token: SeCreatePagefilePrivilege  3260  Explorer.EXE
Token: SeShutdownPrivilege  3260  Explorer.EXE
Token: SeCreatePagefilePrivilege  3260  Explorer.EXE
Token: SeDebugPrivilege  4040  rundll32.exe
Token: SeShutdownPrivilege  3260  Explorer.EXE
Token: SeCreatePagefilePrivilege  3260  Explorer.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: SndVol.exe
pid  process
2736  SndVol.exe
Suspicious use of SendNotifyMessage 2 IoCs
Processes: SndVol.exe
pid  process
2736  SndVol.exe
2736  SndVol.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes: Explorer.EXE
pid  process
3260  Explorer.EXE
Suspicious use of WriteProcessMemory 10 IoCs
Processes: Znuvgbtsedoszb.exe, Explorer.EXE, rundll32.exe
description  pid  process  target process
PID 2572 wrote to memory of 2736  2572  Znuvgbtsedoszb.exe  SndVol.exe
PID 2572 wrote to memory of 2736  2572  Znuvgbtsedoszb.exe  SndVol.exe
PID 2572 wrote to memory of 2736  2572  Znuvgbtsedoszb.exe  SndVol.exe
PID 2572 wrote to memory of 2736  2572  Znuvgbtsedoszb.exe  SndVol.exe
PID 3260 wrote to memory of 4040  3260  Explorer.EXE  rundll32.exe
PID 3260 wrote to memory of 4040  3260  Explorer.EXE  rundll32.exe
PID 3260 wrote to memory of 4040  3260  Explorer.EXE  rundll32.exe
PID 4040 wrote to memory of 1052  4040  rundll32.exe  cmd.exe
PID 4040 wrote to memory of 1052  4040  rundll32.exe  cmd.exe
PID 4040 wrote to memory of 1052  4040  rundll32.exe  cmd.exe
Processes
(depth 1) C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Users\Admin\AppData\Local\Temp\Znuvgbtsedoszb.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Znuvgbtsedoszb.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\SndVol.exe
      Command line: C:\Windows\System32\SndVol.exe
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
  (depth 2) C:\Windows\SysWOW64\rundll32.exe
    Command line: "C:\Windows\SysWOW64\rundll32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\SndVol.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/2572-1-0x0000000004400000-0x0000000005400000-memory.dmp  Filesize: 16.0MB
memory/2572-2-0x0000000004400000-0x0000000005400000-memory.dmp  Filesize: 16.0MB
memory/2572-4-0x0000000000400000-0x00000000006DA000-memory.dmp  Filesize: 2.9MB
memory/2572-0-0x0000000002590000-0x0000000002591000-memory.dmp  Filesize: 4KB
memory/2736-9-0x0000000002A90000-0x0000000003A90000-memory.dmp  Filesize: 16.0MB
memory/2736-11-0x00000000223F0000-0x000000002273A000-memory.dmp  Filesize: 3.3MB
memory/2736-13-0x0000000002A90000-0x0000000003A90000-memory.dmp  Filesize: 16.0MB
memory/2736-14-0x00000000222F0000-0x0000000022304000-memory.dmp  Filesize: 80KB
memory/3260-25-0x0000000008D00000-0x0000000008E01000-memory.dmp  Filesize: 1.0MB
memory/3260-18-0x00000000077C0000-0x00000000078A8000-memory.dmp  Filesize: 928KB
memory/3260-29-0x0000000008D00000-0x0000000008E01000-memory.dmp  Filesize: 1.0MB
memory/3260-26-0x0000000008D00000-0x0000000008E01000-memory.dmp  Filesize: 1.0MB
memory/4040-15-0x0000000000060000-0x0000000000074000-memory.dmp  Filesize: 80KB
memory/4040-22-0x0000000000620000-0x000000000064F000-memory.dmp  Filesize: 188KB
memory/4040-24-0x0000000002350000-0x00000000023E3000-memory.dmp  Filesize: 588KB
memory/4040-21-0x00000000024A0000-0x00000000027EA000-memory.dmp  Filesize: 3.3MB
memory/4040-20-0x0000000000620000-0x000000000064F000-memory.dmp  Filesize: 188KB
memory/4040-19-0x0000000000060000-0x0000000000074000-memory.dmp  Filesize: 80KB