Analysis
- max time kernel: 146s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 17-01-2021 17:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: TEC20201601.exe
- Resource: win7v20201028
General
- Target: TEC20201601.exe
- Size: 1.2MB
- MD5: 19682ff802fd6fc13c896ba4572e9edc
- SHA1: c52eed4a18f23464ef7c8968c4a7cad63564d2e6
- SHA256: 73384c630a5bcbb5201f567aa142fc712df5c2ceb9b61c301a5e4a025af2b3ca
- SHA512: 31b65796fa7de32a80ab5244edea91642cca0b3161bd82a93d5601bd1f9b28b5de6a6647a053dfcfca2d10a54165dcdff9f221cb49690707b9a4a85719a56dc1
Malware Config
Extracted
formbook
http://www.a-emeservice.com/m8ec/
thomascraigwealth.com
melbournemedicalhealth.net
tdxcoin.com
lukassbprojects.net
aldemallc.com
moqawalat-kuwait.com
txcsco.com
jobcarepro.com
sedotwcmedanmurah.com
niconthenine.com
radliffrehab.com
infiniteechogroup.com
stellantis-luxury-rent.com
ibusehat.info
resellerauctions.com
softwarexprogrammers.com
bumpnlifestyle.com
mintmacher.com
partapprintercare.com
justrightinsurance.com
beyond-ml.com
mikrotandborste.com
madisonmeadowsseniorliving.com
smart14day.com
fiftyfivetwelve.com
respectinvestadvance.com
shelleylutherfortexas.com
kunst-stueck-chen.com
adastraperaspera.xyz
aletheaastraea.info
zhghzlg.com
cameroncooperar.com
inrushconsulting.com
oldeny.com
foggardens.com
bubbygoobers.com
apartmentnegotiator.com
iregentos.info
charlesadoptionhome.com
sugawara-garasu.com
insidescripps.net
offerlamp.com
flagpeel.com
tb1919.com
estherneil.com
greatunsearchablethings.com
jeunetherapie.com
ricardoinman.com
sbq58.com
morifan.com
foodpukka.com
onewaytaxi.club
ksolves-vendor.com
ashleighemmaboyle.com
hbseelong.com
vanotti-watches.com
faizulrahmanmusafir.com
cb5677.com
gcasservices.com
perteprampram01.com
308hamlinloop.com
machkind.com
cwpdhambers.xyz
glenwoodsteak.com
Signatures

Xloader Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2392-8-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2392-9-0x000000000041D0A0-mapping.dmp | xloader
behavioral2/memory/1760-16-0x0000000000A00000-0x0000000000A29000-memory.dmp | xloader

Suspicious use of SetThreadContext (3 IoCs)
Processes: TEC20201601.exe, TEC20201601.exe, chkdsk.exe
description | pid | process | target process
PID 812 set thread context of 2392 | 812 | TEC20201601.exe | TEC20201601.exe
PID 2392 set thread context of 3048 | 2392 | TEC20201601.exe | Explorer.EXE
PID 1760 set thread context of 3048 | 1760 | chkdsk.exe | Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes: chkdsk.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: TEC20201601.exe, chkdsk.exe
pid | process
2392 | TEC20201601.exe (4 entries)
1760 | chkdsk.exe (8 entries)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: TEC20201601.exe, chkdsk.exe
pid | process
2392 | TEC20201601.exe (3 entries)
1760 | chkdsk.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: TEC20201601.exe, chkdsk.exe
description | pid | process
Token: SeDebugPrivilege | 2392 | TEC20201601.exe
Token: SeDebugPrivilege | 1760 | chkdsk.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: TEC20201601.exe, Explorer.EXE, chkdsk.exe
description | pid | process | target process
PID 812 wrote to memory of 2392 | 812 | TEC20201601.exe | TEC20201601.exe (6 entries)
PID 3048 wrote to memory of 1760 | 3048 | Explorer.EXE | chkdsk.exe (3 entries)
PID 1760 wrote to memory of 2812 | 1760 | chkdsk.exe | cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe
    Command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\TEC20201601.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/812-7-0x0000000002871000-0x0000000002872000-memory.dmp (Filesize 4KB)
- memory/812-2-0x0000000002870000-0x0000000002871000-memory.dmp (Filesize 4KB)
- memory/1760-14-0x0000000000000000-mapping.dmp
- memory/1760-19-0x0000000000F80000-0x0000000001010000-memory.dmp (Filesize 576KB)
- memory/1760-17-0x0000000000BD0000-0x0000000000EF0000-memory.dmp (Filesize 3.1MB)
- memory/1760-16-0x0000000000A00000-0x0000000000A29000-memory.dmp (Filesize 164KB)
- memory/1760-15-0x0000000001180000-0x000000000118A000-memory.dmp (Filesize 40KB)
- memory/2392-9-0x000000000041D0A0-mapping.dmp
- memory/2392-11-0x0000000000E90000-0x00000000011B0000-memory.dmp (Filesize 3.1MB)
- memory/2392-12-0x0000000000E10000-0x0000000000E21000-memory.dmp (Filesize 68KB)
- memory/2392-8-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/2812-18-0x0000000000000000-mapping.dmp
- memory/3048-13-0x0000000005960000-0x0000000005AB1000-memory.dmp (Filesize 1.3MB)