Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-05-2021 14:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: Advised Original Copy.exe
- Resource: win7v20210410
General
- Target: Advised Original Copy.exe
- Size: 116KB
- MD5: c7204a082507c549863ff363ea3c087c
- SHA1: aab2be6081caa29574b359933e908a47418e6e22
- SHA256: de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
- SHA512: d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.innovativevan.com/i8be/
- Decoy domains:
cdymjim.icu
globalmilitaryaircraft.com
slusheestore.com
freepdfconvert.net
itadsweden.com
legenddocs.com
metholyptus.com
966cm.com
mobilitygloves-protect.com
travaze.net
go-kalisa.com
believehavefaith.com
nywebhost.com
semitsol.com
wowyuu.net
cochesb2b.com
gobesttobuy.com
senmec23.com
bmsgw.com
newazenterprise.com
onlinefitnessmechanic.com
makeournationsafeagain.com
climat2020.com
hamsikoysutlaci.net
networkslice.com
wanganwanderer1.com
nationwidesignage.com
lucianmediazone.com
geekyweel.com
hzky888.com
mcfarlaneweb.com
c-w3.com
covidstracking.com
flowingwealth.com
sprinklesglobal.com
secret-mall.com
extraclasss.com
stasiapl.com
1905vintage.com
8649gb.com
brisketbeard.com
optionsafecode.com
foms4om.com
differentquartz.info
freshly.pizza
levettfyneralhome.com
leteeshirtboutique.com
creativesdanfe.com
t-oils.com
seoforamz.com
carbon2algae.com
kronospros.com
storepisode.com
viautong30.com
weipr.net
mjspizzaandwinghouse.com
e-yzr.com
webcamthing.com
wb917.com
sedentariocero.com
salon-solution.com
solgeneration.com
viviennevaile.com
weightlossbiloxi.com
Signatures

Xloader Payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/1272-70-0x0000000000401000-0x0000000000541000-memory.dmp | xloader
  behavioral1/memory/960-76-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader

Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: Advised Original Copy.exe, Advised Original Copy.exe
  description | ioc | process
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Advised Original Copy.exe
  File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | Advised Original Copy.exe

Deletes itself (1 IoCs)
Processes: cmd.exe
  pid | process
  1504 | cmd.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes: Advised Original Copy.exe, Advised Original Copy.exe
  pid | process
  1688 | Advised Original Copy.exe
  1272 | Advised Original Copy.exe
  1272 | Advised Original Copy.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: Advised Original Copy.exe, Advised Original Copy.exe, NETSTAT.EXE
  description | pid | process | target process
  PID 1688 set thread context of 1272 | 1688 | Advised Original Copy.exe | Advised Original Copy.exe
  PID 1272 set thread context of 1208 | 1272 | Advised Original Copy.exe | Explorer.EXE
  PID 960 set thread context of 1208 | 960 | NETSTAT.EXE | Explorer.EXE

Drops file in Windows directory (1 IoCs)
Processes: Advised Original Copy.exe
  description | ioc | process
  File opened for modification | C:\Windows\win.ini | Advised Original Copy.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes: NETSTAT.EXE
  pid | process
  960 | NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes: Advised Original Copy.exe, NETSTAT.EXE
  pid | process
  1272 | Advised Original Copy.exe
  1272 | Advised Original Copy.exe
  960 | NETSTAT.EXE (24 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
  pid | process
  1208 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: Advised Original Copy.exe, Advised Original Copy.exe, NETSTAT.EXE
  pid | process
  1688 | Advised Original Copy.exe
  1272 | Advised Original Copy.exe
  1272 | Advised Original Copy.exe
  1272 | Advised Original Copy.exe
  960 | NETSTAT.EXE
  960 | NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: Advised Original Copy.exe, NETSTAT.EXE, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1272 | Advised Original Copy.exe
  Token: SeDebugPrivilege | 960 | NETSTAT.EXE
  Token: SeShutdownPrivilege | 1208 | Explorer.EXE
  Token: SeShutdownPrivilege | 1208 | Explorer.EXE

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: Explorer.EXE
  pid | process
  1208 | Explorer.EXE
  1208 | Explorer.EXE
  1208 | Explorer.EXE
  1208 | Explorer.EXE

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  pid | process
  1208 | Explorer.EXE
  1208 | Explorer.EXE
  1208 | Explorer.EXE
  1208 | Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: Advised Original Copy.exe
  pid | process
  1688 | Advised Original Copy.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: Advised Original Copy.exe, Explorer.EXE, NETSTAT.EXE
  description | pid | process | target process
  PID 1688 wrote to memory of 1272 | 1688 | Advised Original Copy.exe | Advised Original Copy.exe
  PID 1688 wrote to memory of 1272 | 1688 | Advised Original Copy.exe | Advised Original Copy.exe
  PID 1688 wrote to memory of 1272 | 1688 | Advised Original Copy.exe | Advised Original Copy.exe
  PID 1688 wrote to memory of 1272 | 1688 | Advised Original Copy.exe | Advised Original Copy.exe
  PID 1688 wrote to memory of 1272 | 1688 | Advised Original Copy.exe | Advised Original Copy.exe
  PID 1208 wrote to memory of 960 | 1208 | Explorer.EXE | NETSTAT.EXE
  PID 1208 wrote to memory of 960 | 1208 | Explorer.EXE | NETSTAT.EXE
  PID 1208 wrote to memory of 960 | 1208 | Explorer.EXE | NETSTAT.EXE
  PID 1208 wrote to memory of 960 | 1208 | Explorer.EXE | NETSTAT.EXE
  PID 960 wrote to memory of 1504 | 960 | NETSTAT.EXE | cmd.exe
  PID 960 wrote to memory of 1504 | 960 | NETSTAT.EXE | cmd.exe
  PID 960 wrote to memory of 1504 | 960 | NETSTAT.EXE | cmd.exe
  PID 960 wrote to memory of 1504 | 960 | NETSTAT.EXE | cmd.exe
Processes

C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe"
    - Checks QEMU agent file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe"
        - Checks QEMU agent file
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE (depth 2)
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 3)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Advised Original Copy.exe"
        - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/960-74-0x0000000000000000-mapping.dmp
- memory/960-79-0x00000000006D0000-0x000000000075F000-memory.dmp (Filesize 572KB)
- memory/960-77-0x0000000001FD0000-0x00000000022D3000-memory.dmp (Filesize 3.0MB)
- memory/960-76-0x0000000000080000-0x00000000000A8000-memory.dmp (Filesize 160KB)
- memory/960-75-0x0000000000630000-0x0000000000639000-memory.dmp (Filesize 36KB)
- memory/1208-73-0x0000000004CC0000-0x0000000004D91000-memory.dmp (Filesize 836KB)
- memory/1208-80-0x0000000004F00000-0x0000000004FD1000-memory.dmp (Filesize 836KB)
- memory/1272-72-0x000000001E720000-0x000000001E730000-memory.dmp (Filesize 64KB)
- memory/1272-71-0x000000001E8F0000-0x000000001EBF3000-memory.dmp (Filesize 3.0MB)
- memory/1272-70-0x0000000000401000-0x0000000000541000-memory.dmp (Filesize 1.2MB)
- memory/1272-68-0x00000000001B0000-0x00000000002B0000-memory.dmp (Filesize 1024KB)
- memory/1272-66-0x0000000000400000-0x0000000000553000-memory.dmp (Filesize 1.3MB)
- memory/1272-65-0x00000000004019EC-mapping.dmp
- memory/1504-78-0x0000000000000000-mapping.dmp
- memory/1688-63-0x0000000000320000-0x000000000032C000-memory.dmp (Filesize 48KB)
- memory/1688-64-0x0000000075011000-0x0000000075013000-memory.dmp (Filesize 8KB)