Analysis
  max time kernel: 148s
  max time network: 149s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 18-01-2021 08:49
  Static task: static1
  Behavioral task: behavioral1
  Sample: SKM_C221200706052800.exe
  Resource: win7v20201028
General
  Target: SKM_C221200706052800.exe
  Size: 273KB
  MD5: 3c51788968fa6ed67bde7511b1868b08
  SHA1: 194e63c851406e2ac39ef09d48ab35871e041ccc
  SHA256: 0baedfe6121c3fdc3438625335a05080f6e347bf6ff29910d2ff35b2aa02d4d5
  SHA512: 2f872cd65df657e420c8d47e4b9ef2919ecc4b8170855751f8b26faec02fe59df949cb9c3306327250911292d52261a1a28970c2ba41044e47e4f7cb8a3e4467
Malware Config
  Extracted: formbook
http://www.destinny.com/s9zh/
paintedinafrica.com
electrumfix.download
edlange.com
tqiawy.xyz
satiscenter.xyz
nc-affiliates.com
agencybuilderforum.com
testabcde.net
venisseturf.net
rubenvdsande.com
nzmatrimony.com
mdthriftsandflips.com
virtualfxstudio.com
communityinsuranceut.com
qqbokep.com
copeva.net
bookedupdaily.com
houstongrowmyairway.com
fortunapublishing.com
empireplumbingandheating.com
globalefactory.com
alfrednelson.com
kernwide.com
soulwaves.info
iregentos.info
emfirstchoice.com
popvoc.com
clubdeproyectos.com
nathanlaube.net
davaresoon.com
girlsnightoutcollection.net
alchemdiagnostics.com
intlgrowcap.com
northeasttnrentalproperties.com
1971265.com
yobingo.ltd
comunityassn.com
pupupe.com
physicianmedspa.com
forestloretour.com
tauntongo.com
elegancescent.com
traumatotrust.com
blkdenim.com
b-taking.com
naturalhealthadvisery.com
fight-box.com
socia1security.net
prestondelnorteapartments.com
peaclbgju.icu
thegolfclubatcirclec.com
westqueenwestlofts.com
elitedesignzink.com
czpeixun.com
blossomenterpriseuganda.com
danettesgifts.com
psikometriums.com
rainbowbanks.com
deshbari.com
movementspecialistslv.com
amkcar.com
contractorsan.com
onurtel.com
dotalogy.com
Signatures

Xloader Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3680-3-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral2/memory/3680-4-0x000000000041D060-mapping.dmp                     xloader
  behavioral2/memory/1048-13-0x0000000000470000-0x0000000000499000-memory.dmp  xloader

Blocklisted process makes network request (1 IoCs)
  flow  pid   process
  39    1048  cmstp.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process                   target process
  PID 1360 set thread context of 3680  1360  SKM_C221200706052800.exe  vbc.exe
  PID 3680 set thread context of 2352  3680  vbc.exe                   Explorer.EXE
  PID 1048 set thread context of 2352  1048  cmstp.exe                 Explorer.EXE

Program crash (1 IoCs)
  pid  pid_target  process       target process
  808  1360        WerFault.exe  SKM_C221200706052800.exe

Suspicious behavior: EnumeratesProcesses (78 IoCs)
  pid   process
  1360  SKM_C221200706052800.exe
  3680  vbc.exe
  808   WerFault.exe
  1048  cmstp.exe
  (each row is repeated in the raw log; 78 entries in total)

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process
  3680  vbc.exe    (3 entries)
  1048  cmstp.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                       pid   process
  Token: SeDebugPrivilege           1360  SKM_C221200706052800.exe
  Token: SeRestorePrivilege         808   WerFault.exe
  Token: SeBackupPrivilege          808   WerFault.exe
  Token: SeDebugPrivilege           3680  vbc.exe
  Token: SeDebugPrivilege           808   WerFault.exe
  Token: SeShutdownPrivilege        2352  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2352  Explorer.EXE
  Token: SeShutdownPrivilege        2352  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2352  Explorer.EXE
  Token: SeShutdownPrivilege        2352  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2352  Explorer.EXE
  Token: SeDebugPrivilege           1048  cmstp.exe

Suspicious use of UnmapMainImage (1 IoCs)
  pid   process
  2352  Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                   target process
  PID 1360 wrote to memory of 3680  1360  SKM_C221200706052800.exe  vbc.exe     (6 entries)
  PID 2352 wrote to memory of 1048  2352  Explorer.EXE              cmstp.exe   (3 entries)
  PID 1048 wrote to memory of 2796  1048  cmstp.exe                 cmd.exe     (3 entries)
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SKM_C221200706052800.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SKM_C221200706052800.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1032
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmstp.exe
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  memory/808-5-0x0000000004770000-0x0000000004771000-memory.dmp    Filesize 4KB
  memory/1048-12-0x0000000000A70000-0x0000000000A86000-memory.dmp  Filesize 88KB
  memory/1048-10-0x0000000000000000-mapping.dmp
  memory/1048-14-0x0000000004570000-0x0000000004890000-memory.dmp  Filesize 3.1MB
  memory/1048-13-0x0000000000470000-0x0000000000499000-memory.dmp  Filesize 164KB
  memory/1048-15-0x0000000004360000-0x00000000043F0000-memory.dmp  Filesize 576KB
  memory/1360-2-0x0000000002F90000-0x0000000002F91000-memory.dmp   Filesize 4KB
  memory/2352-9-0x0000000005000000-0x000000000517A000-memory.dmp   Filesize 1.5MB
  memory/2352-16-0x0000000005180000-0x00000000052B9000-memory.dmp  Filesize 1.2MB
  memory/2796-11-0x0000000000000000-mapping.dmp
  memory/3680-4-0x000000000041D060-mapping.dmp
  memory/3680-3-0x0000000000400000-0x0000000000429000-memory.dmp   Filesize 164KB
  memory/3680-8-0x00000000006F0000-0x0000000000701000-memory.dmp   Filesize 68KB
  memory/3680-7-0x0000000000BC0000-0x0000000000EE0000-memory.dmp   Filesize 3.1MB