Analysis
max time kernel: 148s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 15-01-2021 07:16
Static task: static1
Behavioral task: behavioral1
Sample: PO#416421.exe
Resource: win7v20201028
General
Target: PO#416421.exe
Size: 176KB
MD5: 18ec4947cbfb82bda1635a855b9b4763
SHA1: 6083fb410e0bd21b5bc0f635861758b2747821ab
SHA256: 26b068137a8264f4aba9c3617a289417ead13d0c9d53f86a3158c1d113dbf86d
SHA512: 3283e0b3e64df7b60b6a71f524f83b107a7ce9d577a147da3a0490bd61c5ffd373887730b33ca347cbf21608ac5cb3bbf6d6d1338377d64eaab5ff8cc5963c72
Malware Config
Extracted: formbook
Signatures

Xloader Payload (3 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/1912-3-0x0000000000400000-0x0000000000428000-memory.dmp, xloader
- behavioral2/memory/1912-4-0x000000000041D040-mapping.dmp, xloader
- behavioral2/memory/2144-6-0x0000000000000000-mapping.dmp, xloader

Suspicious use of SetThreadContext (4 IoCs)
Processes (description, pid, process, target process):
- PID 3992 set thread context of 1912, 3992, PO#416421.exe, PO#416421.exe
- PID 1912 set thread context of 3036, 1912, PO#416421.exe, Explorer.EXE
- PID 1912 set thread context of 3036, 1912, PO#416421.exe, Explorer.EXE
- PID 2144 set thread context of 3036, 2144, cmmon32.exe, Explorer.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes (pid, process):
- 1912, PO#416421.exe (6 entries)
- 2144, cmmon32.exe (54 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes (pid, process):
- 3992, PO#416421.exe
- 1912, PO#416421.exe (4 entries)
- 2144, cmmon32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1912, PO#416421.exe
- Token: SeDebugPrivilege, 2144, cmmon32.exe
- Token: SeShutdownPrivilege, 3036, Explorer.EXE (3 entries)
- Token: SeCreatePagefilePrivilege, 3036, Explorer.EXE (3 entries)

Suspicious use of UnmapMainImage (1 IoC)
Processes (pid, process):
- 3036, Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
Processes (description, pid, process, target process):
- PID 3992 wrote to memory of 1228, 3992, PO#416421.exe, cmd.exe (3 entries)
- PID 3992 wrote to memory of 1912, 3992, PO#416421.exe, PO#416421.exe (4 entries)
- PID 3036 wrote to memory of 2144, 3036, Explorer.EXE, cmmon32.exe (3 entries)
- PID 2144 wrote to memory of 3820, 2144, cmmon32.exe, cmd.exe (3 entries)
Processes (indented by level in the process tree; path, then command line)

C:\Windows\Explorer.EXE (level 1), command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\PO#416421.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3), command line: C:\Windows\system32\cmd.exe /c cls
    C:\Users\Admin\AppData\Local\Temp\PO#416421.exe (level 3), command line: "C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\autofmt.exe (level 2), command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe (level 2), command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe (level 2), command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe (level 2), command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\autofmt.exe (level 2), command line: "C:\Windows\SysWOW64\autofmt.exe"
  C:\Windows\SysWOW64\cmmon32.exe (level 2), command line: "C:\Windows\SysWOW64\cmmon32.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3), command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO#416421.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1228-2-0x0000000000000000-mapping.dmp
- memory/1912-3-0x0000000000400000-0x0000000000428000-memory.dmp (filesize: 160KB)
- memory/1912-4-0x000000000041D040-mapping.dmp
- memory/2144-6-0x0000000000000000-mapping.dmp
- memory/2144-7-0x0000000000260000-0x000000000026C000-memory.dmp (filesize: 48KB)
- memory/2144-8-0x0000000000260000-0x000000000026C000-memory.dmp (filesize: 48KB)
- memory/3036-11-0x00000000053F0000-0x0000000005537000-memory.dmp (filesize: 1.3MB)
- memory/3820-9-0x0000000000000000-mapping.dmp