Analysis
max time kernel: 150s
max time network: 147s
platform: windows10_x64
resource: win10v20210408
submitted: 27-07-2021 13:14
Tasks
Static task: static1
Behavioral task: behavioral1 (sample Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe, resource win7v20210410)
Behavioral task: behavioral2 (sample Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe, resource win10v20210408)
The signatures, process tree and memory dumps below come from behavioral2 (the win10v20210408 run), as their behavioral2/memory dump paths show; the win7 run is not reproduced on this page.
General
Target: Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe
Size: 855KB
MD5: bc1f7a65580d90a503efc484dd48c55e
SHA1: af65acb93acce3bfa6c660261724c46e02b5b3a1
SHA256: 74c184d9e5658494b42b413566966b5c54d668aa3dd7631df6d7252c0bcdad03
SHA512: 53d03eed09f5e65f48005f95751b5778e19a26cd3347f792857bdb9ffd30162b06d712b3c0451dcce1e47c97f2eabca9cecc10e2998d0999266769ff508d87b8
Malware Config
Extracted family: xloader
Version: 2.3
C2: http://www.naturalresourcesmgt.com/bsk9/
Decoy domains (the remaining entries of the extracted config): XLoader, like its FormBook predecessor, carries a list of decoy domains and sends its check-in traffic to a rotating subset of them alongside the real C2, so the hosts below are contacted by the bot but are not on their own evidence of attacker-controlled infrastructure. The C2 URL above is the entry to act on.
ignitedennys.com
theawslearn.net
tuningyan.wiki
professionalboom.com
btt3d.online
ceyaqua.com
knightslunarius.com
zc168sl.com
girlsnightclasses.com
tcsalud.com
homecottagestudio.com
92gwb.com
stainlesslion.com
arunkapur.com
chalkwithkristi.com
yourmidastouch.com
wijayashaw.com
roofingcompanyinchattanooga.com
sdbadatong.com
tombison.com
artstudio888.com
designtechnician.com
eskarosproperty.com
sadilife.com
kevops.xyz
carpanter.com
texttalktv.com
abbiescottdesigns.com
zqroc.com
sirnawanews.com
bearbrickstore.com
cnyplk.com
fijuridico.com
postyachtforsale.info
penglikj.com
fsllguys.com
brightimewatches.com
66eebb.com
petsjoyfulsmile.com
mycupofteainnovations.com
ds-117.com
nandedzilla.com
midtransport.com
careerkc.com
lobsterlikeabout.com
dampproofcourselondon.com
dogultimate.com
kapresecbdcoffee.com
excitemal.com
taejongcni.com
altjrhvrk.icu
hptproof.com
bidensbrownshirts.com
thehustleandcashflow.com
nzv68.com
ormusgreen.com
abrosnm3.com
2cutsenterprises.com
arominer.com
forevernaturel.com
forbiddendolls.com
melitalifestyle.com
mediasham.com
django-fashion.com
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
yara rule "xloader" matched in:
  behavioral2/memory/2656-119-0x0000000000000000-mapping.dmp
  behavioral2/memory/2656-121-0x0000000010410000-0x0000000010438000-memory.dmp
  behavioral2/memory/3932-127-0x0000000004AD0000-0x0000000004AF8000-memory.dmp
Adds policy Run key to start application (2 TTPs, 1 IoC)
  chkdsk.exe: Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Adds Run key to start application (2 TTPs, 2 IoCs)
  chkdsk.exe: Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  chkdsk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\XRB0JFOX = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"
Both autostart entries are written by chkdsk.exe, a Windows utility that has no reason to register anything under Run; that is the hollowed host acting on the payload's behalf. The persisted value names the same ieinstal.exe image the dropper hollowed at PID 2656, so on a live host the autostart value itself (random name XRB0JFOX, pointing at a bare Microsoft binary) is the indicator, not the ieinstal.exe file.
Suspicious use of SetThreadContext (2 IoCs)
  PID 2656 ieinstal.exe set thread context of PID 1964 Explorer.EXE
  PID 3932 chkdsk.exe set thread context of PID 1964 Explorer.EXE
Enumerates system info in registry (2 TTPs, 1 IoC)
  chkdsk.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Suspicious behavior: EnumeratesProcesses (50 IoCs)
  PID 2656 ieinstal.exe: 4 hits
  PID 3932 chkdsk.exe: 46 hits
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1964 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 2656 ieinstal.exe: 3 hits
  PID 3932 chkdsk.exe: 2 hits
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2656 ieinstal.exe
  Token: SeDebugPrivilege, PID 3932 chkdsk.exe
Suspicious use of UnmapMainImage (1 IoC)
  PID 1964 Explorer.EXE
Suspicious use of WriteProcessMemory (9 IoCs)
  PID 528 Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe wrote to memory of PID 2656 ieinstal.exe (6 events)
  PID 1964 Explorer.EXE wrote to memory of PID 3932 chkdsk.exe (3 events)
Processes

C:\Windows\Explorer.EXE (PID 1964, level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe (PID 528, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe"
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\internet explorer\ieinstal.exe (PID 2656, level 3)
      command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe (PID 3932, level 2)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
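Detection logic for the behaviours in the Signatures and Processes sections above, added here as an example; it is not part of the report and not the sandbox's own rule set. It assumes Sysmon-style process-create (EventID 1) and registry (EventID 12/13) records. The records are constructed to mirror this report's process tree and registry writes, plus two constructed benign controls; the rule names, helper functions and directory patterns are my own and are tuned to this tree, as the comments say.

```python
"""Flag the XLoader hollowing and persistence pattern from this report in
Sysmon-style events: a Temp-resident dropper launching a bare Microsoft
binary (ieinstal.exe), an injected Explorer.EXE spawning a bare SysWOW64
utility (chkdsk.exe), and that utility writing Run / Policies\\Explorer\\Run."""
import re
from typing import Dict, List, Set, Tuple

# Paths and PIDs taken from the report; the event records themselves are constructed.
SID = "S-1-5-21-1594587808-2047097707-2163810515-1000"
HKU = "HKU\\" + SID
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe"
IE_HOST = r"C:\Program Files (x86)\internet explorer\ieinstal.exe"
CHKDSK = r"C:\Windows\SysWOW64\chkdsk.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Constructed Sysmon-style records: EventID 1 = process create,
# 12 = registry key create, 13 = registry value set.
EVENTS: List[Dict] = [
    {"EventID": 1, "ProcessId": 528, "Image": DROPPER, "CommandLine": '"' + DROPPER + '"',
     "ParentProcessId": 1964, "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 2656, "Image": IE_HOST, "CommandLine": '"' + IE_HOST + '"',
     "ParentProcessId": 528, "ParentImage": DROPPER},
    {"EventID": 1, "ProcessId": 3932, "Image": CHKDSK, "CommandLine": '"' + CHKDSK + '"',
     "ParentProcessId": 1964, "ParentImage": EXPLORER},
    {"EventID": 12, "ProcessId": 3932, "Image": CHKDSK,
     "TargetObject": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"},
    {"EventID": 13, "ProcessId": 3932, "Image": CHKDSK,
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\XRB0JFOX",
     "Details": IE_HOST},
    # Constructed benign control: a user-run installer registering its own updater.
    {"EventID": 13, "ProcessId": 4100, "Image": r"C:\Users\Admin\Downloads\setup.exe",
     "TargetObject": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Admin\AppData\Local\Vendor\updater.exe"},
    # Constructed benign control: chkdsk started from a console with arguments.
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Windows\System32\chkdsk.exe",
     "CommandLine": "chkdsk.exe C: /f", "ParentProcessId": 4150,
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Run and Policies\Explorer\Run keys (RunOnce deliberately not covered here).
AUTOSTART_KEY = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run(\\[^\\]+)?$", re.I)
# Executables living in the Windows system directories.
SYSTEM_UTILITY = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)
# 32-bit system utilities; the injected 64-bit Explorer in this report spawned one bare.
WOW64_UTILITY = re.compile(r"^C:\\Windows\\SysWOW64\\[^\\]+\.exe$", re.I)
# OS-owned directories used as hollowing hosts (short allowlist, my assumption).
OS_BINARY_DIR = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?\\internet explorer)\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)


def bare_launch(event: Dict) -> bool:
    """True when the command line is nothing but the image path (quoted or not)."""
    return event["CommandLine"].strip().strip('"').lower() == event["Image"].lower()


def analyze(events: List[Dict]) -> Set[Tuple[str, int]]:
    """Return (rule, pid) findings for the autostart and process-tree patterns."""
    findings: Set[Tuple[str, int]] = set()
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] in (12, 13) and AUTOSTART_KEY.search(ev["TargetObject"]):
            # A Windows utility never registers autostart entries; if one does,
            # it is hosting injected code (chkdsk.exe in this report).
            if SYSTEM_UTILITY.match(ev["Image"]):
                findings.add(("autostart_written_by_system_utility", pid))
        elif ev["EventID"] == 1:
            # Dropper in a user-writable directory launching an OS binary with no
            # arguments: the hollowing-host pattern (Temp dropper -> ieinstal.exe).
            if (USER_WRITABLE.match(ev["ParentImage"]) and OS_BINARY_DIR.match(ev["Image"])
                    and bare_launch(ev)):
                findings.add(("os_binary_spawned_bare_from_user_dir", pid))
            # Explorer starting a 32-bit console utility with no arguments is what the
            # injected Explorer did here; a production rule would also check the
            # image's subsystem, since a double-clicked GUI app looks the same.
            if (ev["ParentImage"].lower() == EXPLORER.lower() and WOW64_UTILITY.match(ev["Image"])
                    and bare_launch(ev)):
                findings.add(("explorer_spawns_bare_wow64_utility", pid))
    return findings


def flagged_pids(events: List[Dict]) -> List[int]:
    """PIDs that triggered at least one rule, sorted."""
    return sorted({pid for _, pid in analyze(events)})


if __name__ == "__main__":
    for rule, pid in sorted(analyze(EVENTS)):
        print(f"{pid:>5}  {rule}")
```

Note what the rules do not see: the dropper itself (PID 528) is flagged only through its child, and the SetThreadContext calls into Explorer.EXE are not a Sysmon event at all, which is why the Explorer-spawns-utility rule stands in for them. The two constructed controls (an installer writing its own Run value, chkdsk run from a console with arguments) produce no findings.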
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/528-114-0x0000000000A80000-0x0000000000A81000-memory.dmp (4KB)
memory/528-116-0x0000000000AA0000-0x0000000000ABA000-memory.dmp (104KB)
memory/1964-130-0x00000000070A0000-0x000000000718F000-memory.dmp (956KB)
memory/1964-124-0x00000000069F0000-0x0000000006B89000-memory.dmp (1.6MB)
memory/2656-123-0x0000000003120000-0x0000000003130000-memory.dmp (64KB)
memory/2656-122-0x0000000004C40000-0x0000000004F60000-memory.dmp (3.1MB)
memory/2656-120-0x0000000000CB0000-0x0000000000CB1000-memory.dmp (4KB)
memory/2656-121-0x0000000010410000-0x0000000010438000-memory.dmp (160KB)
memory/2656-119-0x0000000000000000-mapping.dmp
memory/3932-125-0x0000000000000000-mapping.dmp
memory/3932-127-0x0000000004AD0000-0x0000000004AF8000-memory.dmp (160KB)
memory/3932-126-0x0000000000060000-0x000000000006A000-memory.dmp (40KB)
memory/3932-128-0x0000000004C80000-0x0000000004FA0000-memory.dmp (3.1MB)
memory/3932-129-0x0000000005030000-0x00000000050BF000-memory.dmp (572KB)