Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-01-2021 09:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: Consignment Details&BL Draft.exe
- Resource: win7v20201028
General
- Target: Consignment Details&BL Draft.exe
- Size: 663KB
- MD5: bbcdacdde22b8bab6d71f543c36c9b2f
- SHA1: f4752b9407c50396ca6ca1fef1a50827eb5cbc10
- SHA256: 6fbc3e54a04aeadf268907b5041bdaf5af8980d76eafce3bc5d995c0fa779fd8
- SHA512: 37c504b110e85656398ca91c4ed67e2854252b5402ca1b60cd8a24fa38c4e67c9346a8b4dc14005a44cdab708488bfe8b58f52e36449a4467de928591cbc6919
Malware Config
Extracted: formbook
http://www.mwavpn.com/9bwn/
italiancoastal.com
shareandfit.com
ibexacademia.com
guejek.com
vitalbizdev.com
connemaracomputers.com
surf-livre.com
styleforwoman.com
costcopaysecure.com
kingdomandqueendom.com
www-societegenerale.com
radiokerbfm.com
marylandstars.net
thechampionsday.com
beertenderb95.com
iybbshop.com
maglex.info
vh3g.asia
zaairobot.online
ryderhydros.com
gamedaigia.pro
online-termin-vereinbarung.info
essential-nature.com
parkwoodmeadowsseniorliving.com
lastenmedia.net
yaprs.com
redpinepainting.com
glensideautosales.net
gicirmotor.com
goblissyourself.com
depotresort.com
survivalrunfotografen.com
natursteinteppiche.com
hungr.website
njcantonpalece.com
huellatinta.com
solbesiktning.com
finanka.website
cleanworkstations.com
thedivinegifts.com
thefinalverdict.net
amsco-ems.com
bloomsfromtheheart.com
elgantlamps.com
theofficialcookiejar.com
maucay.com
domains4me.net
takedaitos.com
tmlforums.com
electricdrumadvisor.com
pottydiaper.com
yup.network
anchorconcretesolutions.com
eroerolibrary.com
hammocksrehab.com
naya-bazar.com
metamorphosiswei.com
indravision.net
libreriapapeleriacaniles.com
jims-info.com
teenporncup.com
yoshinaga-dentalclinic.com
mygreatordinarylife.com
sallanvarkki.net
Signatures

Xloader Payload (2 IoCs)
Processes:
- resource: behavioral1/memory/2020-4-0x0000000000400000-0x0000000000428000-memory.dmp, yara_rule: xloader
- resource: behavioral1/memory/1504-13-0x0000000000080000-0x00000000000A8000-memory.dmp, yara_rule: xloader

Deletes itself (1 IoCs)
Processes:
- pid 1192, process cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
- PID 644 (Consignment Details&BL Draft.exe) set thread context of 2020 (Consignment Details&BL Draft.exe)
- PID 2020 (Consignment Details&BL Draft.exe) set thread context of 1264 (Explorer.EXE)
- PID 2020 (Consignment Details&BL Draft.exe) set thread context of 1264 (Explorer.EXE)
- PID 1504 (ipconfig.exe) set thread context of 1264 (Explorer.EXE)

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
- pid 1504, process ipconfig.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- pid 2020, process Consignment Details&BL Draft.exe (3 entries)
- pid 1504, process ipconfig.exe (27 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
- pid 644, process Consignment Details&BL Draft.exe (1 entry)
- pid 2020, process Consignment Details&BL Draft.exe (4 entries)
- pid 1504, process ipconfig.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 2020, process Consignment Details&BL Draft.exe
- Token: SeDebugPrivilege, pid 1504, process ipconfig.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- pid 1264, process Explorer.EXE (4 entries)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- pid 1264, process Explorer.EXE (4 entries)

Suspicious use of WriteProcessMemory (13 IoCs)
Processes:
- PID 644 (Consignment Details&BL Draft.exe) wrote to memory of 2020 (Consignment Details&BL Draft.exe) (5 entries)
- PID 2020 (Consignment Details&BL Draft.exe) wrote to memory of 1504 (ipconfig.exe) (4 entries)
- PID 1504 (ipconfig.exe) wrote to memory of 1192 (cmd.exe) (4 entries)
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   2. C:\Users\Admin\AppData\Local\Temp\Consignment Details&BL Draft.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Consignment Details&BL Draft.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Consignment Details&BL Draft.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\Consignment Details&BL Draft.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\ipconfig.exe
            command line: "C:\Windows\SysWOW64\ipconfig.exe"
            - Suspicious use of SetThreadContext
            - Gathers network information
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               command line: /c del "C:\Users\Admin\AppData\Local\Temp\Consignment Details&BL Draft.exe"
               - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/644-2-0x00000000765E1000-0x00000000765E3000-memory.dmp (Filesize: 8KB)
- memory/1192-14-0x0000000000000000-mapping.dmp
- memory/1264-17-0x0000000009140000-0x0000000009278000-memory.dmp (Filesize: 1.2MB)
- memory/1264-7-0x0000000004D90000-0x0000000004ECB000-memory.dmp (Filesize: 1.2MB)
- memory/1264-9-0x0000000006CA0000-0x0000000006E3E000-memory.dmp (Filesize: 1.6MB)
- memory/1504-13-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize: 160KB)
- memory/1504-16-0x0000000001DC0000-0x0000000001E4F000-memory.dmp (Filesize: 572KB)
- memory/1504-15-0x0000000002090000-0x0000000002393000-memory.dmp (Filesize: 3.0MB)
- memory/1504-10-0x0000000000000000-mapping.dmp
- memory/1504-12-0x0000000000820000-0x000000000082A000-memory.dmp (Filesize: 40KB)
- memory/2020-5-0x00000000009A0000-0x0000000000CA3000-memory.dmp (Filesize: 3.0MB)
- memory/2020-8-0x0000000000360000-0x0000000000370000-memory.dmp (Filesize: 64KB)
- memory/2020-6-0x00000000001E0000-0x00000000001F0000-memory.dmp (Filesize: 64KB)
- memory/2020-4-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/2020-3-0x000000000041D050-mapping.dmp