Analysis
max time kernel: 148s
max time network: 178s
platform: windows7_x64
resource: win7v20210410
submitted: 10-08-2021 12:44
Static task: static1
Behavioral task: behavioral1
Sample: VESSEL BOOKING DETAILS_pdf.exe
Resource: win7v20210410
General
Target: VESSEL BOOKING DETAILS_pdf.exe
Size: 245KB
MD5: cf3a28df3cd2682651ced75c40b06155
SHA1: df85d8f256b8fd779d660f633eca94a7ea6c3cea
SHA256: 3357b4a89dc623781355fe7a673329975777b2a5ce8a2051c538dcb7d4969c8e
SHA512: 89c8d75516d889c8993abe926ddf5713e4fe207d459dafffa01d90df01e7f7fea63ffa0ca7428d15b0940f01c9290706c776b0b2461e160cebe2eb23a097b3b5
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign ID: b6a4
C2: http://www.miraculousventures.com/b6a4/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/1700-62-0x0000000000400000-0x0000000000428000-memory.dmp  xloader
behavioral1/memory/1280-70-0x0000000000090000-0x00000000000B8000-memory.dmp  xloader
Suspicious use of SetThreadContext 3 IoCs
Processes: VESSEL BOOKING DETAILS_pdf.exe, svchost.exe, msiexec.exe
description                         pid   process                          target process
PID 1652 set thread context of 1700  1652  VESSEL BOOKING DETAILS_pdf.exe   svchost.exe
PID 1700 set thread context of 1240  1700  svchost.exe                      Explorer.EXE
PID 1280 set thread context of 1240  1280  msiexec.exe                      Explorer.EXE
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes: svchost.exe, msiexec.exe
pid   process
1700  svchost.exe  (2 entries)
1280  msiexec.exe  (29 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid   process
1240  Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
Processes: VESSEL BOOKING DETAILS_pdf.exe, svchost.exe, msiexec.exe
pid   process
1652  VESSEL BOOKING DETAILS_pdf.exe  (1 entry)
1700  svchost.exe                     (3 entries)
1280  msiexec.exe                     (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: svchost.exe, msiexec.exe
description              pid   process
Token: SeDebugPrivilege  1700  svchost.exe
Token: SeDebugPrivilege  1280  msiexec.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes: Explorer.EXE
pid   process
1240  Explorer.EXE  (4 entries)
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
pid   process
1240  Explorer.EXE  (4 entries)
Suspicious use of WriteProcessMemory 16 IoCs
Processes: VESSEL BOOKING DETAILS_pdf.exe, Explorer.EXE, msiexec.exe
description                       pid   process                          target process
PID 1652 wrote to memory of 1700  1652  VESSEL BOOKING DETAILS_pdf.exe   svchost.exe   (5 entries)
PID 1240 wrote to memory of 1280  1240  Explorer.EXE                     msiexec.exe   (7 entries)
PID 1280 wrote to memory of 268   1280  msiexec.exe                      cmd.exe       (4 entries)
Processes
C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\VESSEL BOOKING DETAILS_pdf.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\VESSEL BOOKING DETAILS_pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\VESSEL BOOKING DETAILS_pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe (level 2)
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: /c del "C:\Windows\SysWOW64\svchost.exe"
Downloads
memory/268-68-0x0000000000000000-mapping.dmp
memory/1240-65-0x0000000004050000-0x00000000041C4000-memory.dmp  Filesize: 1.5MB
memory/1240-73-0x0000000006970000-0x0000000006A7B000-memory.dmp  Filesize: 1.0MB
memory/1280-70-0x0000000000090000-0x00000000000B8000-memory.dmp  Filesize: 160KB
memory/1280-66-0x0000000000000000-mapping.dmp
memory/1280-67-0x0000000076E11000-0x0000000076E13000-memory.dmp  Filesize: 8KB
memory/1280-69-0x0000000000790000-0x00000000007A4000-memory.dmp  Filesize: 80KB
memory/1280-71-0x00000000021A0000-0x00000000024A3000-memory.dmp  Filesize: 3.0MB
memory/1280-72-0x0000000001ED0000-0x0000000001F5F000-memory.dmp  Filesize: 572KB
memory/1652-61-0x0000000000300000-0x0000000000302000-memory.dmp  Filesize: 8KB
memory/1700-64-0x0000000000170000-0x0000000000180000-memory.dmp  Filesize: 64KB
memory/1700-63-0x0000000000970000-0x0000000000C73000-memory.dmp  Filesize: 3.0MB
memory/1700-62-0x0000000000400000-0x0000000000428000-memory.dmp  Filesize: 160KB
memory/1700-60-0x000000000041D040-mapping.dmp