Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 13:05
Static task: static1
Behavioral task: behavioral1
- Sample: Instruction copy.exe
- Resource: win7v20210408
General
- Target: Instruction copy.exe
- Size: 960KB
- MD5: f91a66d080744b9e8b946984d6d747c4
- SHA1: 886580b7e7d7f27135d2c9981770a2a59332e680
- SHA256: c6a1a1a68b5faac43930deeab9cd6745bde62869786e21e0681b3dc0973afa80
- SHA512: b559c9048de556c45f77e26d4c2f1c7785348b76ae4d5f9957e202a5c9d01e7c68a1a3958aeede45ff427ad741b01fcd15497e67898acfc5176f9ac9aa1e2238
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- C2: http://www.inverservi.com/m6b5/
- Domains:
ixtarbelize.com
pheamal.com
daiyncc.com
staydoubted.com
laagerlitigation.club
sukrantastansakarya.com
esupport.ltd
vetscontracting.net
themuslimlife.coach
salmanairs.com
somatictherapyservices.com
lastminuteminister.com
comunicarbuenosaires.com
kazuya.tech
insightlyservicedev.com
redevelopment38subhashnagar.com
thefutureinvestor.com
simplysu.com
lagu45.com
livingstonpistolpermit.com
youngedbg.club
askmeboost.com
hizmetbasvuru-girisi.com
fourteenfoodsdq.net
discoglosse.com
shareusall.com
armseducationassociates.com
twilio123.com
hofmann.red
autoanyway.com
duckvlog.com
raceleagues.com
foleyautomotivehydraulics.com
foreverbefaithfultoyou.com
junrui-tech.com
angelinateofilovic.com
justinandsarahgetmarried.com
carlsmithcarlsmith.com
novopeugeot208.com
citestftcwaut17.com
theproductivitygroup.com
cohen-asset.com
trumpismysugardaddy.com
wishcida.com
buncheese.com
dietrichcompanies.com
zafav.xyz
commodore-gravel.com
juport.men
hyanggips.com
aliyunwangpan.com
nuturessoap.com
networksloss.club
blackcouplesofhtown.com
saadiawhite.net
girasmboize.com
melissabelmontefotografias.com
landprorentals.com
bonacrypto.com
meeuba.com
lknstump.com
iregentos.info
linguisticpartner.com
mpsaklera.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/2764-124-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral2/memory/2764-125-0x000000000041D0F0-mapping.dmp | xloader
  behavioral2/memory/2720-132-0x00000000005A0000-0x00000000005C9000-memory.dmp | xloader
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Instruction copy.exe, Instruction copy.exe, netsh.exe
  description | pid | process | target process
  PID 3972 set thread context of 2764 | 3972 | Instruction copy.exe | Instruction copy.exe
  PID 2764 set thread context of 3008 | 2764 | Instruction copy.exe | Explorer.EXE
  PID 2720 set thread context of 3008 | 2720 | netsh.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes: Instruction copy.exe, netsh.exe
  pid | process
  2764 | Instruction copy.exe (4 entries)
  2720 | netsh.exe (58 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
  pid | process
  3008 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: Instruction copy.exe, netsh.exe
  pid | process
  2764 | Instruction copy.exe (3 entries)
  2720 | netsh.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Instruction copy.exe, netsh.exe
  description | pid | process
  Token: SeDebugPrivilege | 2764 | Instruction copy.exe
  Token: SeDebugPrivilege | 2720 | netsh.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: Explorer.EXE
  pid | process
  3008 | Explorer.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: Instruction copy.exe, Explorer.EXE, netsh.exe
  description | pid | process | target process
  PID 3972 wrote to memory of 2764 | 3972 | Instruction copy.exe | Instruction copy.exe (6 entries)
  PID 3008 wrote to memory of 2720 | 3008 | Explorer.EXE | netsh.exe (3 entries)
  PID 2720 wrote to memory of 2116 | 2720 | netsh.exe | cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Instruction copy.exe"
Downloads
- memory/2116-130-0x0000000000000000-mapping.dmp
- memory/2720-129-0x0000000000000000-mapping.dmp
- memory/2720-134-0x0000000002C80000-0x0000000002D0F000-memory.dmp (Filesize 572KB)
- memory/2720-133-0x0000000002EF0000-0x0000000003210000-memory.dmp (Filesize 3.1MB)
- memory/2720-132-0x00000000005A0000-0x00000000005C9000-memory.dmp (Filesize 164KB)
- memory/2720-131-0x0000000000A60000-0x0000000000A7E000-memory.dmp (Filesize 120KB)
- memory/2764-125-0x000000000041D0F0-mapping.dmp
- memory/2764-127-0x0000000001100000-0x00000000011AE000-memory.dmp (Filesize 696KB)
- memory/2764-124-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/2764-126-0x00000000016F0000-0x0000000001A10000-memory.dmp (Filesize 3.1MB)
- memory/3008-135-0x0000000002CD0000-0x0000000002D6A000-memory.dmp (Filesize 616KB)
- memory/3008-128-0x00000000053A0000-0x00000000054CF000-memory.dmp (Filesize 1.2MB)
- memory/3972-114-0x0000000000920000-0x0000000000921000-memory.dmp (Filesize 4KB)
- memory/3972-122-0x0000000005670000-0x00000000056EB000-memory.dmp (Filesize 492KB)
- memory/3972-121-0x00000000052F0000-0x00000000057EE000-memory.dmp (Filesize 5.0MB)
- memory/3972-120-0x0000000005450000-0x0000000005451000-memory.dmp (Filesize 4KB)
- memory/3972-119-0x00000000055D0000-0x00000000055D1000-memory.dmp (Filesize 4KB)
- memory/3972-118-0x00000000054B0000-0x00000000054B1000-memory.dmp (Filesize 4KB)
- memory/3972-117-0x0000000005390000-0x0000000005391000-memory.dmp (Filesize 4KB)
- memory/3972-116-0x00000000057F0000-0x00000000057F1000-memory.dmp (Filesize 4KB)
- memory/3972-123-0x0000000005440000-0x000000000544F000-memory.dmp (Filesize 60KB)