Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 10-08-2021 12:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: VESSEL BOOKING DETAILS_pdf.exe
- Resource: win7v20210410
General
- Target: VESSEL BOOKING DETAILS_pdf.exe
- Size: 245KB
- MD5: cf3a28df3cd2682651ced75c40b06155
- SHA1: df85d8f256b8fd779d660f633eca94a7ea6c3cea
- SHA256: 3357b4a89dc623781355fe7a673329975777b2a5ce8a2051c538dcb7d4969c8e
- SHA512: 89c8d75516d889c8993abe926ddf5713e4fe207d459dafffa01d90df01e7f7fea63ffa0ca7428d15b0940f01c9290706c776b0b2461e160cebe2eb23a097b3b5
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: b6a4
- C2: http://www.miraculousventures.com/b6a4/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (1 IoC)
  Processes (resource / yara_rule):
    behavioral2/memory/2836-125-0x0000000002DA0000-0x0000000002DC8000-memory.dmp / xloader
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description / pid / process / target process):
    PID 992 set thread context of 3152 / 992 / VESSEL BOOKING DETAILS_pdf.exe / svchost.exe
    PID 3152 set thread context of 3020 / 3152 / svchost.exe / Explorer.EXE
    PID 3152 set thread context of 3020 / 3152 / svchost.exe / Explorer.EXE
    PID 2836 set thread context of 3020 / 2836 / mstsc.exe / Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  Processes (pid / process):
    3152 / svchost.exe (6 entries)
    2836 / mstsc.exe (56 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process):
    3020 / Explorer.EXE
- Suspicious behavior: MapViewOfSection (8 IoCs)
  Processes (pid / process):
    992 / VESSEL BOOKING DETAILS_pdf.exe (2 entries)
    3152 / svchost.exe (4 entries)
    2836 / mstsc.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 3152 / svchost.exe
    Token: SeShutdownPrivilege / 3020 / Explorer.EXE (4 entries)
    Token: SeCreatePagefilePrivilege / 3020 / Explorer.EXE (4 entries)
    Token: SeDebugPrivilege / 2836 / mstsc.exe
    Token: SeShutdownPrivilege / 3020 / Explorer.EXE (3 entries)
    Token: SeCreatePagefilePrivilege / 3020 / Explorer.EXE (3 entries)
- Suspicious use of UnmapMainImage (1 IoC)
  Processes (pid / process):
    3020 / Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
    PID 992 wrote to memory of 3152 / 992 / VESSEL BOOKING DETAILS_pdf.exe / svchost.exe (4 entries)
    PID 3020 wrote to memory of 2836 / 3020 / Explorer.EXE / mstsc.exe (3 entries)
    PID 2836 wrote to memory of 3472 / 2836 / mstsc.exe / cmd.exe (3 entries)
Processes
- C:\Windows\Explorer.EXE (level 1), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VESSEL BOOKING DETAILS_pdf.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Temp\VESSEL BOOKING DETAILS_pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe (level 3), command line: "C:\Users\Admin\AppData\Local\Temp\VESSEL BOOKING DETAILS_pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\mstsc.exe (level 2), command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3), command line: /c del "C:\Windows\SysWOW64\svchost.exe"
Downloads
- memory/992-117-0x00000000001D0000-0x00000000001F3000-memory.dmp (140KB)
- memory/2836-124-0x0000000000A90000-0x0000000000D8C000-memory.dmp (3.0MB)
- memory/2836-128-0x0000000004D20000-0x0000000004DAF000-memory.dmp (572KB)
- memory/2836-127-0x0000000004E70000-0x0000000005190000-memory.dmp (3.1MB)
- memory/2836-123-0x0000000000000000-mapping.dmp
- memory/2836-125-0x0000000002DA0000-0x0000000002DC8000-memory.dmp (160KB)
- memory/3020-129-0x0000000006C40000-0x0000000006D8F000-memory.dmp (1.3MB)
- memory/3020-120-0x0000000009320000-0x00000000094A9000-memory.dmp (1.5MB)
- memory/3020-122-0x00000000097A0000-0x000000000992F000-memory.dmp (1.6MB)
- memory/3152-119-0x0000000000700000-0x000000000084A000-memory.dmp (1.3MB)
- memory/3152-121-0x0000000000850000-0x0000000000860000-memory.dmp (64KB)
- memory/3152-114-0x000000000033D040-mapping.dmp
- memory/3152-118-0x0000000003020000-0x0000000003340000-memory.dmp (3.1MB)
- memory/3472-126-0x0000000000000000-mapping.dmp