Analysis

max time kernel: 148s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 04-03-2021 16:00

Static task: static1
Behavioral task: behavioral1 (Sample: gotv.exe, Resource: win7v20201028)

Note: the platform and resource shown at the top are windows10_x64 / win10v20201028 and the YARA hits and memory-dump paths below are tagged behavioral2, while the behavioral task listed here (behavioral1) uses the win7v20201028 resource. Read the signatures and dumps as output of the Windows 10 run of the same sample.
General

Target: gotv.exe
Size: 164KB
MD5: 1da73d4931cd6893f7b9fc765225a62d
SHA1: cdc4992d5e425628b1c12c51d64a9105824bacc5
SHA256: 12e42bff4fa377032623342ac1f23a5c87225a40ef8b900cbb06ae4bd203864d
SHA512: fe6d7693e80890b3da7a27d37630d48a4de919b53a8532496fe9c4b66665dde605a46f71d42e228d83fa8d3c92aaadc5a36b50e479f450742ab8a06589820a18
Malware Config

Extracted family: xloader
C2: http://www.pardsoda.com/w25t/
Decoy domains (64):
nowayinlocksmith.com
bookaprovider.com
joybirder.com
decoracerrado.com
preciousmonments.com
96kixx.com
parentseducationalco-op.com
cbdandbtc.com
santanadeliciasymas.com
finecharlottehomes.com
themanibox.com
backupasia.com
buffalodetailstore.com
iprdo.com
croce-komeko.com
bluechipsgroup.company
truyencow.com
globalism.online
oicrafts.com
naturalawakeningsprograms.com
findsurreydeltahomes.com
dressing.cat
tavazonfund.com
defichair.com
str8firekennels.com
lenskart.site
salahdinortho.com
3tothrive.com
watchsdeals.com
plethoracosmetics.net
kentland33store.com
abbaszawawi.com
resepmasakankita.info
tomschoices.net
xn--livezoty-bpb.com
sixteen3handscottages.com
elliesuesews.com
mylordismyshepherd.com
chaing-list.xyz
asesorgrupovivir.com
kicked2theothercurb.com
nemahealthcare.com
allsalesvinyl.net
crystal-beachclub.com
mprose.net
chooseone.xyz
glasgowldn2009.com
getyourquan.com
nailpolishng.com
myeunoiateacompany.com
tobaccomangalt.com
honggedichan.com
beleafagency.com
zhonghuixingyue.com
fitnessworldexample.com
skdocm.club
buygenerations.com
aressdsg.com
auberge-escotais.com
claritycleaningsystems.com
riru300.com
aserchofalltrades.com
blackholidayco.com
bookclubspeakers.com

Caveat: an XLoader/Formbook config pairs one panel URL (the entry carrying a URI path, /w25t/ here) with a list of decoy domains that the implant also contacts, so the live C2 hides among plausible-looking traffic. Use the domain list as hunting leads, and expect DNS and proxy logs from an infected host to show a mix of decoys alongside the real C2; a decoy domain appearing in the list is not evidence that the site itself is compromised.
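The following is an added example (not part of the sandbox report) showing how an analyst would normalise this config for blocklisting and DNS-log hunting: it canonicalises hosts, decodes the one punycode entry so the user-visible name is known, keeps the panel URL and the decoys distinct, and does a label-boundary suffix match so subdomains of a listed domain hit while look-alike names such as notjoybirder.com do not. The domain subset is copied from the list above; the DNS log lines and their format are constructed for the demonstration.

```python
"""Normalise the extracted XLoader config and match it against DNS telemetry.

Added example, not part of the report. C2_URL and DECOYS are copied from the
report's Malware Config (DECOYS is a subset of the 64 entries); DNS_LOG is a
constructed log in the made-up form "<timestamp> <client> <qtype> <qname>".
"""
from urllib.parse import urlsplit

C2_URL = "http://www.pardsoda.com/w25t/"
DECOYS = """
nowayinlocksmith.com bookaprovider.com joybirder.com decoracerrado.com
xn--livezoty-bpb.com dressing.cat bluechipsgroup.company globalism.online
""".split()

# Constructed sample telemetry: one C2 lookup, one subdomain of a decoy, one
# punycode decoy, one unrelated name and one look-alike that must not match.
DNS_LOG = """
2021-03-04T16:01:07Z 10.0.0.5 A www.pardsoda.com
2021-03-04T16:01:09Z 10.0.0.5 A mail.joybirder.com
2021-03-04T16:01:12Z 10.0.0.5 A xn--livezoty-bpb.com
2021-03-04T16:01:15Z 10.0.0.5 A update.example.com
2021-03-04T16:01:20Z 10.0.0.7 A notjoybirder.com
""".split("\n")


def canonical(host):
    """Lower-case, strip a trailing dot and a leading 'www.'; keep the punycode form."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def unicode_form(domain):
    """IDNA-decode each label so an xn-- entry is shown the way a user would see it."""
    return domain.encode("ascii").decode("idna")


def indicators(c2_url, decoys):
    """Map canonical domain -> role. The URL with the panel path is the live C2;
    XLoader contacts the decoys as well, so they are leads rather than proof of C2."""
    table = {canonical(urlsplit(c2_url).hostname): "c2"}
    for d in decoys:
        table.setdefault(canonical(d), "decoy")
    return table


def matches(name, table):
    """Suffix match on label boundaries: mail.joybirder.com hits joybirder.com,
    notjoybirder.com does not. Returns (indicator, role) or None."""
    labels = canonical(name).split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in table:
            return cand, table[cand]
    return None


def scan_dns_log(lines, table):
    """Return (timestamp, client, qname, matched_indicator, role) for every hit."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or a record in another shape
        ts, client, _qtype, qname = parts
        m = matches(qname, table)
        if m:
            hits.append((ts, client, qname, m[0], m[1]))
    return hits


if __name__ == "__main__":
    table = indicators(C2_URL, DECOYS)
    for ts, client, qname, ind, role in scan_dns_log(DNS_LOG, table):
        print(f"{ts} {client} {qname} -> {unicode_form(ind)} [{role}]")
```

The role column is what turns the hit list into a triage order: a lookup of the panel host (pardsoda.com) is the one to escalate on first, while decoy hits corroborate infection on that client without saying anything about the decoy's owner.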
Signatures

Xloader Payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/2976-8-0x0000000000401000-0x0000000000541000-memory.dmp  xloader
  behavioral2/memory/684-15-0x0000000002F70000-0x0000000002F99000-memory.dmp  xloader

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   process
  1144  gotv.exe
  2976  gotv.exe
  2976  gotv.exe

Suspicious use of SetThreadContext (3 IoCs)
  pid   process      target pid  target process
  1144  gotv.exe     2976        gotv.exe
  2976  gotv.exe     3044        Explorer.EXE
  684   NETSTAT.EXE  3044        Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   process
  684   NETSTAT.EXE
  Caveat: this signature keys on the image name. In this run NETSTAT.EXE is the process that Explorer.EXE spawned and wrote into (see the WriteProcessMemory rows), and it goes on to set thread context on Explorer.EXE and to launch the cmd.exe /c del cleanup, so treat it as the injected second-stage host rather than as a reconnaissance netstat run.

Suspicious behavior: EnumeratesProcesses (58 IoCs)
  pid   process      hits
  2976  gotv.exe     4
  684   NETSTAT.EXE  54

Suspicious behavior: MapViewOfSection (6 IoCs)
  pid   process      hits
  1144  gotv.exe     1
  2976  gotv.exe     3
  684   NETSTAT.EXE  2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  token                      pid   process
  SeDebugPrivilege           2976  gotv.exe
  SeDebugPrivilege           684   NETSTAT.EXE
  SeShutdownPrivilege        3044  Explorer.EXE
  SeCreatePagefilePrivilege  3044  Explorer.EXE
  SeShutdownPrivilege        3044  Explorer.EXE
  SeCreatePagefilePrivilege  3044  Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1144  gotv.exe

Suspicious use of UnmapMainImage (1 IoC)
  pid   process
  3044  Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
  pid   process       target pid  target process  hits
  1144  gotv.exe      2976        gotv.exe        4
  3044  Explorer.EXE  684         NETSTAT.EXE     3
  684   NETSTAT.EXE   800         cmd.exe         3
Processes

[1] C:\Windows\Explorer.EXE  (pid 3044)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\gotv.exe  (pid 1144)
        command line: "C:\Users\Admin\AppData\Local\Temp\gotv.exe"
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\gotv.exe  (pid 2976)
            command line: "C:\Users\Admin\AppData\Local\Temp\gotv.exe"
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\NETSTAT.EXE  (pid 684)
        command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
        - Suspicious use of SetThreadContext
        - Gathers network information
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (pid 800)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\gotv.exe"

Bracketed numbers are the report's tree depths; pids come from the signature tables above (the WriteProcessMemory rows give the parent/child pairs 1144 -> 2976, 3044 -> 684 and 684 -> 800). Read end to end: the dropper relaunches itself and sets thread context on the child, the child sets thread context on Explorer.EXE, Explorer.EXE spawns and writes into a SysWOW64 binary (NETSTAT.EXE), and that process deletes the original gotv.exe through cmd.exe.
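The SetThreadContext and WriteProcessMemory tables, read together with the process tree, are enough to reconstruct the injection chain mechanically. The block below is an added example (not part of the sandbox report): it parses the flattened one-line rows the report uses, joins them to the parent/child relationships from the tree, and flags every thread-context write whose target is not a process the actor created, which is the pattern that separates hollowing a freshly spawned child from injecting into an already-running process such as Explorer.EXE. The PARENT and NAMES maps are transcribed from the tree above; the record strings are the report's own rows, repeated the number of times the report counts them.

```python
"""Reconstruct the injection chain from flattened sandbox signature rows.

Added example, not part of the report. PARENT/NAMES are transcribed from the
process tree; the two record strings are the report's SetThreadContext and
WriteProcessMemory rows in the flattened form "PID <a> <verb> <b> <a> <n1> <n2>".
"""
import re
from collections import defaultdict

# child pid -> parent pid, from the process tree
PARENT = {1144: 3044, 2976: 1144, 684: 3044, 800: 684}
NAMES = {3044: "Explorer.EXE", 1144: "gotv.exe", 2976: "gotv.exe",
         684: "NETSTAT.EXE", 800: "cmd.exe"}

SET_THREAD_CONTEXT = (
    "PID 1144 set thread context of 2976 1144 gotv.exe gotv.exe "
    "PID 2976 set thread context of 3044 2976 gotv.exe Explorer.EXE "
    "PID 684 set thread context of 3044 684 NETSTAT.EXE Explorer.EXE"
)
WRITE_PROCESS_MEMORY = (
    ("PID 1144 wrote to memory of 2976 1144 gotv.exe gotv.exe " * 4)
    + ("PID 3044 wrote to memory of 684 3044 Explorer.EXE NETSTAT.EXE " * 3)
    + ("PID 684 wrote to memory of 800 684 NETSTAT.EXE cmd.exe " * 3)
)

ROW = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_rows(text):
    """Return (actor_pid, verb, target_pid) tuples; repeats are kept, they are the hit counts."""
    return [(int(a), verb, int(t)) for a, verb, t in ROW.findall(text)]


def classify(actor, target):
    """Describe a cross-process write by where the target sits relative to the actor."""
    if PARENT.get(target) == actor:
        return "into own child (process hollowing pattern)"
    p = PARENT.get(actor)
    while p is not None:  # walk up the actor's ancestry
        if p == target:
            return "into an ancestor (injection into a running process)"
        p = PARENT.get(p)
    return "into an unrelated process"


def injection_chain(stc_text, wpm_text):
    """Group rows by (actor, target) and return one finding per edge, sorted by pid pair."""
    edges = defaultdict(lambda: {"SetThreadContext": 0, "WriteProcessMemory": 0})
    for actor, verb, target in parse_rows(stc_text) + parse_rows(wpm_text):
        key = "SetThreadContext" if verb.startswith("set") else "WriteProcessMemory"
        edges[(actor, target)][key] += 1
    return [
        {
            "actor": f"{NAMES[actor]}({actor})",
            "target": f"{NAMES[target]}({target})",
            "relation": classify(actor, target),
            **counts,
        }
        for (actor, target), counts in sorted(edges.items())
    ]


def flagged(findings):
    """Edges where the actor redirected a thread in a process it did not create."""
    return [f for f in findings
            if f["SetThreadContext"] and not f["relation"].startswith("into own child")]


if __name__ == "__main__":
    chain = injection_chain(SET_THREAD_CONTEXT, WRITE_PROCESS_MEMORY)
    for f in chain:
        print(f)
    print("flagged:", [(f["actor"], f["target"]) for f in flagged(chain)])
```

Run against this report the parent-to-child edges (1144 -> 2976, 3044 -> 684, 684 -> 800) come back as hollowing-style writes, and the two thread-context writes into Explorer.EXE (from 2976 and from 684) are the ones flagged; in an EDR the same rule, keyed on the real parent pid rather than a transcribed map, is a low-noise detection because legitimate software almost never calls SetThreadContext on an ancestor.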
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/684-12-0x0000000000000000-mapping.dmp
memory/684-18-0x00000000036E0000-0x000000000376F000-memory.dmp  (572KB)
memory/684-14-0x0000000000DA0000-0x0000000000DAB000-memory.dmp  (44KB)
memory/684-16-0x0000000003870000-0x0000000003B90000-memory.dmp  (3.1MB)
memory/684-15-0x0000000002F70000-0x0000000002F99000-memory.dmp  (164KB)
memory/800-13-0x0000000000000000-mapping.dmp
memory/1144-4-0x0000000002310000-0x000000000231B000-memory.dmp  (44KB)
memory/2976-7-0x0000000000560000-0x0000000000660000-memory.dmp  (1024KB)
memory/2976-9-0x000000001E710000-0x000000001EA30000-memory.dmp  (3.1MB)
memory/2976-10-0x000000001E600000-0x000000001E610000-memory.dmp  (64KB)
memory/2976-8-0x0000000000401000-0x0000000000541000-memory.dmp  (1.2MB)
memory/2976-6-0x0000000000401000-0x00000000004FD000-memory.dmp  (1008KB)
memory/2976-5-0x00000000004018E4-mapping.dmp
memory/3044-11-0x0000000002750000-0x000000000281A000-memory.dmp  (808KB)
memory/3044-19-0x0000000005D50000-0x0000000005E4A000-memory.dmp  (1000KB)
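The dump file names encode pid, sequence number and the virtual address range, so the list can be inventoried without opening a single file. The block below is an added example (not part of the sandbox report): it parses the names above, reproduces the report's Filesize column from the address ranges as a consistency check, and picks out the two YARA-flagged dumps with the reasons they matter to a reverser, namely that the gotv.exe child's hit starts at 0x401000 (the first section of a 32-bit image at the default base, i.e. the unpacked payload in the hollowed child) and that the NETSTAT.EXE hit is exactly 164KB, the same size the General section gives for gotv.exe on disk. The dump names and hits are copied from the report; the size-formatting rule is inferred from the listed values.

```python
"""Inventory the sandbox memory dumps and annotate the YARA-flagged ones.

Added example, not part of the report. DUMPS and YARA_HITS are copied from the
report; human() mirrors the report's Filesize column (whole KiB up to 1024KB,
one-decimal MiB above that), which is an inferred rule used only for cross-checking.
"""
import re

DUMPS = """
memory/684-12-0x0000000000000000-mapping.dmp
memory/684-18-0x00000000036E0000-0x000000000376F000-memory.dmp
memory/684-14-0x0000000000DA0000-0x0000000000DAB000-memory.dmp
memory/684-16-0x0000000003870000-0x0000000003B90000-memory.dmp
memory/684-15-0x0000000002F70000-0x0000000002F99000-memory.dmp
memory/800-13-0x0000000000000000-mapping.dmp
memory/1144-4-0x0000000002310000-0x000000000231B000-memory.dmp
memory/2976-7-0x0000000000560000-0x0000000000660000-memory.dmp
memory/2976-9-0x000000001E710000-0x000000001EA30000-memory.dmp
memory/2976-10-0x000000001E600000-0x000000001E610000-memory.dmp
memory/2976-8-0x0000000000401000-0x0000000000541000-memory.dmp
memory/2976-6-0x0000000000401000-0x00000000004FD000-memory.dmp
memory/2976-5-0x00000000004018E4-mapping.dmp
memory/3044-11-0x0000000002750000-0x000000000281A000-memory.dmp
memory/3044-19-0x0000000005D50000-0x0000000005E4A000-memory.dmp
""".split()

YARA_HITS = {  # dump name -> rule, from the "Xloader Payload" signature
    "memory/2976-8-0x0000000000401000-0x0000000000541000-memory.dmp": "xloader",
    "memory/684-15-0x0000000002F70000-0x0000000002F99000-memory.dmp": "xloader",
}
SAMPLE_SIZE = "164KB"          # Size of gotv.exe from the General section
DEFAULT_FIRST_SECTION = 0x401000  # first section of a 32-bit PE at image base 0x400000

REGION = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def human(n):
    """Render a byte count the way the report's Filesize column does (inferred rule)."""
    if n > 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def parse_dump(name):
    """Split a dump name into pid, sequence number and address range."""
    m = REGION.match(name)
    if m:
        pid, seq, start, end = m.groups()
        start, end = int(start, 16), int(end, 16)
        return {"name": name, "pid": int(pid), "seq": int(seq), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING.match(name)
    if m:
        pid, seq, addr = m.groups()
        return {"name": name, "pid": int(pid), "seq": int(seq), "kind": "mapping",
                "start": int(addr, 16), "end": None, "size": 0}
    raise ValueError(f"unrecognised dump name: {name}")


def inventory(names):
    return [parse_dump(n) for n in names]


def payload_candidates(inv, hits, sample_size=SAMPLE_SIZE):
    """YARA-flagged dumps, annotated with why each one is worth opening first."""
    out = []
    for d in inv:
        if d["name"] not in hits:
            continue
        notes = []
        if d["start"] == DEFAULT_FIRST_SECTION:
            notes.append("starts at 0x401000: unpacked 32-bit image in the hollowed child")
        if human(d["size"]) == sample_size:
            notes.append(f"same size as the sample on disk ({sample_size}): "
                         "consistent with the dropper image copied into the host process")
        out.append({**d, "rule": hits[d["name"]], "size_h": human(d["size"]),
                    "note": "; ".join(notes)})
    return out


if __name__ == "__main__":
    inv = inventory(DUMPS)
    for d in inv:
        print(f"{d['pid']:>5} #{d['seq']:<2} {d['kind']:7} {human(d['size']):>7} {d['name']}")
    for c in payload_candidates(inv, YARA_HITS):
        print(c["name"], c["rule"], c["size_h"], c["note"])
```

The cross-check matters because a dump whose computed size disagrees with the listed one usually means the name was truncated or the range was split, and the two annotated candidates are where the analyst should begin: 2976-8 is the carved image to unpack and diff against the on-disk sample, and 684-15 is the copy that was moved into the spawned system binary.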