Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 18:34
Static task: static1
Behavioral task: behavioral1
- Sample: Inv_7623980.exe
- Resource: win7v20210410
General
- Target: Inv_7623980.exe
- Size: 1.1MB
- MD5: 24de383154bbdc31b305fd25a3ee95db
- SHA1: 7d3be8631affd24746beeec725b4ad0d518805b8
- SHA256: 790898f9518c146e7ffa430b975ee0f5bc162b6b5a5dba008e0572741312bc19
- SHA512: 7dee6bb2ca1996706c59cab95575200b3273bc2e110d9514527d8b5cda4d33bb65a9bf12a7c015568e16a8646cbd5e7df0f71321708ed60de884822cc4855090
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.inverservi.com/m6b5/
- Other domains in the extracted config (XLoader/FormBook embeds decoy domains alongside the live C2 and contacts several of them per beacon cycle, so treat these as block and hunt candidates rather than attributable C2 infrastructure):
ixtarbelize.com
pheamal.com
daiyncc.com
staydoubted.com
laagerlitigation.club
sukrantastansakarya.com
esupport.ltd
vetscontracting.net
themuslimlife.coach
salmanairs.com
somatictherapyservices.com
lastminuteminister.com
comunicarbuenosaires.com
kazuya.tech
insightlyservicedev.com
redevelopment38subhashnagar.com
thefutureinvestor.com
simplysu.com
lagu45.com
livingstonpistolpermit.com
youngedbg.club
askmeboost.com
hizmetbasvuru-girisi.com
fourteenfoodsdq.net
discoglosse.com
shareusall.com
armseducationassociates.com
twilio123.com
hofmann.red
autoanyway.com
duckvlog.com
raceleagues.com
foleyautomotivehydraulics.com
foreverbefaithfultoyou.com
junrui-tech.com
angelinateofilovic.com
justinandsarahgetmarried.com
carlsmithcarlsmith.com
novopeugeot208.com
citestftcwaut17.com
theproductivitygroup.com
cohen-asset.com
trumpismysugardaddy.com
wishcida.com
buncheese.com
dietrichcompanies.com
zafav.xyz
commodore-gravel.com
juport.men
hyanggips.com
aliyunwangpan.com
nuturessoap.com
networksloss.club
blackcouplesofhtown.com
saadiawhite.net
girasmboize.com
melissabelmontefotografias.com
landprorentals.com
bonacrypto.com
meeuba.com
lknstump.com
iregentos.info
linguisticpartner.com
mpsaklera.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  YARA rule "xloader" matched these memory regions (resource behavioral2):
  - memory/2616-124-0x0000000000400000-0x0000000000429000-memory.dmp
  - memory/2616-125-0x000000000041D0F0-mapping.dmp
  - memory/3888-132-0x0000000000EA0000-0x0000000000EC9000-memory.dmp
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 4048 (Inv_7623980.exe) set thread context of PID 2616 (Inv_7623980.exe)
  - PID 2616 (Inv_7623980.exe) set thread context of PID 2492 (Explorer.EXE)
  - PID 3888 (svchost.exe) set thread context of PID 2492 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  - PID 2616 (Inv_7623980.exe): 4 events
  - PID 3888 (svchost.exe): 58 events
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 2492 (Explorer.EXE)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 2616 (Inv_7623980.exe): 3 events
  - PID 3888 (svchost.exe): 2 events
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token SeDebugPrivilege: PID 2616 (Inv_7623980.exe)
  - Token SeDebugPrivilege: PID 3888 (svchost.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 2492 (Explorer.EXE)
- Suspicious use of SendNotifyMessage (1 IoC)
  - PID 2492 (Explorer.EXE)
- Suspicious use of UnmapMainImage (1 IoC)
  - PID 2492 (Explorer.EXE)
- Suspicious use of WriteProcessMemory (12 IoCs)
  - PID 4048 (Inv_7623980.exe) wrote to memory of PID 2616 (Inv_7623980.exe): 6 events
  - PID 2492 (Explorer.EXE) wrote to memory of PID 3888 (svchost.exe): 3 events
  - PID 3888 (svchost.exe) wrote to memory of PID 2112 (cmd.exe): 3 events

Reading the chain: the dropper (4048) writes into and sets the thread context of a second copy of itself (2616), which is where the unpacked xloader payload is first seen; 2616 then takes SeDebugPrivilege and sets the thread context of Explorer.EXE (2492); the injected Explorer code launches a 32-bit svchost.exe (3888) and writes into it, and that svchost.exe, also carrying the xloader payload, runs cmd.exe (2112) to delete the original dropper from Temp. The Suricata hit is the resulting check-in traffic.
Processes
- C:\Windows\Explorer.EXE (PID 2492, level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe (PID 4048, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe (PID 2616, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\svchost.exe (PID 3888, level 2)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2112, level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
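Hunting the chain above outside the sandbox. The following is an added example, not tria.ge output and not code from this report: a small Python triage script that replays the process tree as constructed process-creation records (Sysmon Event ID 1 style fields, plus a constructed benign services.exe to svchost.exe pair as a control) and applies three rules this trace motivates: svchost.exe with a parent other than the usual service host parents, a process re-launching its own image from a user-writable path, and cmd.exe deleting a dropped .exe, correlated back to the PIDs that ran from that file. The record layout, the parent allowlist and the rule names are assumptions to tune locally.

```python
"""Added example: hunting rules motivated by the XLoader process tree above.
Records are constructed here in Sysmon Event ID 1 style; the layout, the
allowlist and the rule names are assumptions, not tria.ge output."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line as logged


# Constructed from the PIDs and command lines in the report. The
# services.exe -> svchost.exe pair (PIDs 700/900) is a benign control and is
# not in the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(2492, 1, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4048, 2492, r"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"'),
    ProcEvent(2616, 4048, r"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"'),
    ProcEvent(3888, 2492, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Windows\SysWOW64\svchost.exe"'),
    ProcEvent(2112, 3888, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"'),
    ProcEvent(700, 600, r"C:\Windows\System32\services.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Assumed allowlist of legitimate svchost.exe parents; extend for your estate.
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
DEL_TARGET = re.compile(r'\bdel\b\s+"?([^"\s]+\.exe)"?', re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def _lineage(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> str:
    """Walk parent PIDs to show how the process was reached, e.g.
    cmd.exe(2112) <- svchost.exe(3888) <- explorer.exe(2492)."""
    chain, seen = [], set()
    cur: Optional[ProcEvent] = ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(f"{_base(cur.image)}({cur.pid})")
        cur = by_pid.get(cur.ppid)
    return " <- ".join(chain)


def rule_svchost_unusual_parent(ev, by_pid):
    """svchost.exe should be started by services.exe (or a few known hosts)."""
    if _base(ev.image) != "svchost.exe":
        return None
    parent = by_pid.get(ev.ppid)
    pbase = _base(parent.image) if parent else "<unknown>"
    if pbase in SVCHOST_PARENTS:
        return None
    return {"rule": "svchost_unusual_parent", "pid": ev.pid, "parent": pbase}


def rule_self_respawn_from_user_dir(ev, by_pid):
    """A user-path binary launching a second copy of itself is the classic
    setup for hollowing that copy (4048 -> 2616 in the report)."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and USER_WRITABLE.match(ev.image):
        return {"rule": "self_respawn_from_user_dir", "pid": ev.pid, "image": ev.image}
    return None


def rule_cmd_deletes_dropped_exe(ev, by_pid):
    """cmd.exe /c del <user-path .exe>; correlate with processes that ran from it."""
    if _base(ev.image) != "cmd.exe":
        return None
    m = DEL_TARGET.search(ev.cmdline)
    if not m or not USER_WRITABLE.match(m.group(1)):
        return None
    target = m.group(1)
    victims = sorted(p.pid for p in by_pid.values() if p.image.lower() == target.lower())
    return {"rule": "cmd_deletes_dropped_exe", "pid": ev.pid,
            "target": target, "ran_as_pids": victims}


RULES = (rule_svchost_unusual_parent, rule_self_respawn_from_user_dir,
         rule_cmd_deletes_dropped_exe)


def hunt(events: List[ProcEvent]) -> List[Dict[str, object]]:
    """Apply every rule to every record and attach the process lineage."""
    by_pid = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev, by_pid)
            if hit:
                hit["lineage"] = _lineage(ev, by_pid)
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in hunt(EVENTS):
        print(alert)
```

Running it yields three alerts (PIDs 2616, 3888 and 2112) and none for the control svchost.exe; the deletion alert names both 4048 and 2616 as processes that ran from the file being wiped, which is the link an analyst wants when the dropper is already gone from disk.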
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps captured during the run, in capture order (sizes as reported; "mapping.dmp" entries are injection mappings without a size). The two 164KB regions, 2616 at 0x400000 and 3888 at 0xEA0000, are the ones the xloader YARA rule matched above; the identical size in both processes is consistent with the same unpacked payload being injected twice.
- memory/4048-114-0x0000000000810000-0x0000000000811000-memory.dmp (4KB)
- memory/4048-116-0x0000000005660000-0x0000000005661000-memory.dmp (4KB)
- memory/4048-117-0x0000000005200000-0x0000000005201000-memory.dmp (4KB)
- memory/4048-118-0x00000000052A0000-0x00000000052A1000-memory.dmp (4KB)
- memory/4048-119-0x0000000005320000-0x0000000005321000-memory.dmp (4KB)
- memory/4048-120-0x0000000005120000-0x0000000005121000-memory.dmp (4KB)
- memory/4048-121-0x0000000005160000-0x000000000565E000-memory.dmp (5.0MB)
- memory/4048-122-0x0000000005400000-0x000000000547B000-memory.dmp (492KB)
- memory/4048-123-0x0000000005180000-0x000000000518F000-memory.dmp (60KB)
- memory/2616-124-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/2616-125-0x000000000041D0F0-mapping.dmp
- memory/2616-126-0x0000000001370000-0x0000000001690000-memory.dmp (3.1MB)
- memory/2616-127-0x0000000000DC0000-0x0000000000F0A000-memory.dmp (1.3MB)
- memory/2492-128-0x00000000059F0000-0x0000000005B04000-memory.dmp (1.1MB)
- memory/3888-129-0x0000000000000000-mapping.dmp
- memory/2112-130-0x0000000000000000-mapping.dmp
- memory/3888-131-0x0000000000F30000-0x0000000000F3C000-memory.dmp (48KB)
- memory/3888-132-0x0000000000EA0000-0x0000000000EC9000-memory.dmp (164KB)
- memory/3888-133-0x0000000003C20000-0x0000000003F40000-memory.dmp (3.1MB)
- memory/3888-134-0x0000000003A00000-0x0000000003A8F000-memory.dmp (572KB)
- memory/2492-135-0x00000000094A0000-0x0000000009626000-memory.dmp (1.5MB)