Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
13-01-2021 19:50
Static task
static1
Behavioral task
behavioral1
Sample
1dd3dda596f5391bb865683fa49b531e.exe
Resource
win7v20201028
General
-
Target
1dd3dda596f5391bb865683fa49b531e.exe
-
Size
1.0MB
-
MD5
1dd3dda596f5391bb865683fa49b531e
-
SHA1
37eab36b9caabc5e1d55086da5c46bc50b012fca
-
SHA256
2abb16d594f4b36fc8b8aab8cab7736350421c619cec8e12e8975e87f7a99faa
-
SHA512
7c0a2e9d893168c64f3bf2f3dee38261d24dd90be523d313651cfe9646bb14743a09c319f4d0123fbf0fae587f269d8ff6f54c369a52f7e4d78f321ceb81c688
Malware Config
Extracted
formbook
http://www.herbmedia.net/csv8/
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
fessusesefsee.com
logansshop.net
familydalmatianhomes.com
accessible.legal
epicmassiveconcepts.com
indianfactopedia.com
exit-divorce.com
colliapse.com
nosishop.com
hayat-aljowaily.com
soundon.events
previnacovid19-br.com
traptlongview.com
splendidhotelspa.com
masterzushop.com
ednevents.com
studentdividers.com
treningi-enduro.com
hostingcoaster.com
gourmetgroceriesfast.com
thesouthbeachlife.com
teemergin.com
fixmygearfast.com
arb-invest.com
shemaledreamz.com
1819apparel.com
thedigitalsatyam.com
alparmuhendislik.com
distinctmusicproductions.com
procreditexpert.com
insights4innovation.com
jzbtl.com
1033325.com
sorteocamper.info
scheherazadelegault.com
glowportraiture.com
cleitstaapps.com
globepublishers.com
stattests.com
brainandbodystrengthcoach.com
magenx2.info
escaparati.com
wood-decor24.com
travelnetafrica.com
Signatures
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/1992-13-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/1992-14-0x000000000041D0C0-mapping.dmp xloader behavioral2/memory/3244-15-0x0000000000000000-mapping.dmp xloader -
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
1dd3dda596f5391bb865683fa49b531e.exevbc.exeexplorer.exedescription pid process target process PID 3928 set thread context of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 1992 set thread context of 2908 1992 vbc.exe Explorer.EXE PID 3244 set thread context of 2908 3244 explorer.exe Explorer.EXE -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
1dd3dda596f5391bb865683fa49b531e.exevbc.exeexplorer.exepid process 3928 1dd3dda596f5391bb865683fa49b531e.exe 1992 vbc.exe 1992 vbc.exe 1992 vbc.exe 1992 vbc.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe 3244 explorer.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
vbc.exeexplorer.exepid process 1992 vbc.exe 1992 vbc.exe 1992 vbc.exe 3244 explorer.exe 3244 explorer.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
1dd3dda596f5391bb865683fa49b531e.exevbc.exeexplorer.exedescription pid process Token: SeDebugPrivilege 3928 1dd3dda596f5391bb865683fa49b531e.exe Token: SeDebugPrivilege 1992 vbc.exe Token: SeDebugPrivilege 3244 explorer.exe -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 2908 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
1dd3dda596f5391bb865683fa49b531e.exeExplorer.EXEexplorer.exedescription pid process target process PID 3928 wrote to memory of 1980 3928 1dd3dda596f5391bb865683fa49b531e.exe schtasks.exe PID 3928 wrote to memory of 1980 3928 1dd3dda596f5391bb865683fa49b531e.exe schtasks.exe PID 3928 wrote to memory of 1980 3928 1dd3dda596f5391bb865683fa49b531e.exe schtasks.exe PID 3928 wrote to memory of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 3928 wrote to memory of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 3928 wrote to memory of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 3928 wrote to memory of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 3928 wrote to memory of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 3928 wrote to memory of 1992 3928 1dd3dda596f5391bb865683fa49b531e.exe vbc.exe PID 2908 wrote to memory of 3244 2908 Explorer.EXE explorer.exe PID 2908 wrote to memory of 3244 2908 Explorer.EXE explorer.exe PID 2908 wrote to memory of 3244 2908 Explorer.EXE explorer.exe PID 3244 wrote to memory of 2776 3244 explorer.exe cmd.exe PID 3244 wrote to memory of 2776 3244 explorer.exe cmd.exe PID 3244 wrote to memory of 2776 3244 explorer.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1dd3dda596f5391bb865683fa49b531e.exe"C:\Users\Admin\AppData\Local\Temp\1dd3dda596f5391bb865683fa49b531e.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zLIpEDZOH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9EF.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpB9EF.tmpMD5
d19705b0e32d4924ac97df042de2580c
SHA1223e26d03f61c4c29ad5e6bd39fe0de73525d335
SHA256d74acedba9a517da4e71115c3a49a2c3e7c2ef5e1d6e840ae5df845c6e48fa4b
SHA51296e90c479fb0e81f1ee033ed60f18b23b78686bde35a4cb088b70f0efac2315621e4ac31772af64a203cce90a058bf784c4f8e4887982488910e3263c88399ec
-
memory/1980-11-0x0000000000000000-mapping.dmp
-
memory/1992-14-0x000000000041D0C0-mapping.dmp
-
memory/1992-13-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2776-18-0x0000000000000000-mapping.dmp
-
memory/3244-15-0x0000000000000000-mapping.dmp
-
memory/3244-16-0x0000000000DE0000-0x000000000121F000-memory.dmpFilesize
4.2MB
-
memory/3244-17-0x0000000000DE0000-0x000000000121F000-memory.dmpFilesize
4.2MB
-
memory/3928-9-0x0000000004820000-0x000000000489D000-memory.dmpFilesize
500KB
-
memory/3928-10-0x0000000009860000-0x0000000009861000-memory.dmpFilesize
4KB
-
memory/3928-8-0x00000000074D0000-0x00000000074DE000-memory.dmpFilesize
56KB
-
memory/3928-7-0x00000000072A0000-0x00000000072A1000-memory.dmpFilesize
4KB
-
memory/3928-6-0x00000000072E0000-0x00000000072E1000-memory.dmpFilesize
4KB
-
memory/3928-5-0x0000000007740000-0x0000000007741000-memory.dmpFilesize
4KB
-
memory/3928-2-0x0000000073BA0000-0x000000007428E000-memory.dmpFilesize
6.9MB
-
memory/3928-3-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB