Analysis
- max time kernel: 149s
- max time network: 181s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 27-07-2021 23:58

Static task: static1
Behavioral task: behavioral1
- Sample: PO_9756-NMNBVC.exe
- Resource: win7v20210410
General
- Target: PO_9756-NMNBVC.exe
- Size: 871KB
- MD5: 9a649c1d193d55ef7f66e59b8294f24d
- SHA1: e4c00ec807de5111c061ebc5d8421fe0d0114fc8
- SHA256: 04657288f9e931379d2c526330b23310c8bb26d65a209a2ebca5fb089b91efe3
- SHA512: 37fec35bf1cdae3560dc6e1503320f628d70f7a701135253412340afb84101f4ed444cb243143febbae6983969c1fe0e7e7a528fcd1aadcb7a8f08150130d4b5
Malware Config
- Extracted family: xloader
- Version: 2.3
- URL: http://www.bodymoisturizer.online/q4kr/
- Domains:
realmodapk.com
hanoharuka.com
shivalikspiritualproducts.com
womenshealthclinincagra.com
racketpark.com
startuporig.com
azkachinas.com
klanblog.com
linuxradio.tools
siteoficial-liquida.com
glsbuyer.com
bestdeez.com
teens2cash.com
valleyviewconstruct.com
myfortniteskins.com
cambecare.com
csec2011.com
idookap.com
warmwallsrecords.com
smartmirror.one
alertreels.com
oiop.online
61cratoslot.com
hispanicassoclv.com
pennyforyourprep.com
fayansistanbul.com
superbartendergigs.club
herr-nourimann.com
oatkc.net
romahony.com
sportcrea.com
crystalnieblas.com
lcmet.com
nwaymyatthu-mm.com
edsufferen.club
apispotlight.com
shadowcatrecording.com
capwisefin.com
themesinsider.com
kadrisells.com
db-82.com
rentyoursubmarine.com
rin-ronshop.com
donzfamilia.com
loyalcollegeofart.com
socialize.site
shadesailstructure.com
smcenterbiz.com
zcdonghua.com
1420radiolider.com
ckenpo.com
trucksitasa.com
getthistle.com
usvisanicaragua.com
josiemaxwrites.com
dehaagennutraceuticals.com
noiaapp.com
blinbins.com
getreitive.com
turmericbar.com
manifestwealthrightnow.com
garagekuhn.com
longviewfinancialadvisor.com
hallworthcapital.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/656-66-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/656-67-0x000000000041D0D0-mapping.dmp | xloader
  behavioral1/memory/1468-74-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
- Suspicious use of SetThreadContext (3 IoCs)
  pid | process | target process
  676 PO_9756-NMNBVC.exe set thread context of 656 RegSvcs.exe
  656 RegSvcs.exe set thread context of 1196 Explorer.EXE
  1468 netsh.exe set thread context of 1196 Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid | process
  676 PO_9756-NMNBVC.exe (3 hits)
  656 RegSvcs.exe (2 hits)
  1468 netsh.exe (22 hits)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  656 RegSvcs.exe (3 hits)
  1468 netsh.exe (2 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid | process | token
  676 PO_9756-NMNBVC.exe: SeDebugPrivilege
  656 RegSvcs.exe: SeDebugPrivilege
  1468 netsh.exe: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (4 IoCs)
  pid | process
  1196 Explorer.EXE (4 hits)
- Suspicious use of SendNotifyMessage (4 IoCs)
  pid | process
  1196 Explorer.EXE (4 hits)
- Suspicious use of WriteProcessMemory (25 IoCs)
  pid | process | target process
  676 PO_9756-NMNBVC.exe wrote to memory of 520 RegSvcs.exe (7 hits)
  676 PO_9756-NMNBVC.exe wrote to memory of 656 RegSvcs.exe (10 hits)
  1196 Explorer.EXE wrote to memory of 1468 netsh.exe (4 hits)
  1468 netsh.exe wrote to memory of 1456 cmd.exe (4 hits)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO_9756-NMNBVC.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\PO_9756-NMNBVC.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "{path}"
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/656-66-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/656-68-0x00000000009D0000-0x0000000000CD3000-memory.dmp (3.0MB)
- memory/656-69-0x00000000000C0000-0x00000000000D0000-memory.dmp (64KB)
- memory/656-67-0x000000000041D0D0-mapping.dmp
- memory/676-65-0x0000000005D00000-0x0000000005D6D000-memory.dmp (436KB)
- memory/676-60-0x0000000000930000-0x0000000000931000-memory.dmp (4KB)
- memory/676-64-0x0000000008010000-0x00000000080CB000-memory.dmp (748KB)
- memory/676-63-0x0000000000330000-0x0000000000332000-memory.dmp (8KB)
- memory/676-62-0x0000000004CF0000-0x0000000004CF1000-memory.dmp (4KB)
- memory/1196-70-0x0000000006F60000-0x00000000070FE000-memory.dmp (1.6MB)
- memory/1196-77-0x0000000003AE0000-0x0000000003BF5000-memory.dmp (1.1MB)
- memory/1456-72-0x0000000000000000-mapping.dmp
- memory/1468-71-0x0000000000000000-mapping.dmp
- memory/1468-74-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
- memory/1468-75-0x0000000000AA0000-0x0000000000DA3000-memory.dmp (3.0MB)
- memory/1468-73-0x00000000010A0000-0x00000000010BB000-memory.dmp (108KB)
- memory/1468-76-0x00000000008E0000-0x000000000096F000-memory.dmp (572KB)