Analysis
max time kernel: 155s
max time network: 163s
platform: windows10_x64
resource: win10v20210408
submitted: 30-08-2021 12:53
Static task: static1
Behavioral task: behavioral1
Sample: Gesuchte Maschinen.js
Resource: win7v20210408
General
Target: Gesuchte Maschinen.js
Size: 313KB
MD5: e1c35fbb0a2f810800e6619448f0fec6
SHA1: 8a84a677134b31b93434e8aedc9cea27e91f6058
SHA256: 3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06
SHA512: 1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: o7ht
C2: http://www.tadrxp.com/o7ht/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 3 IoCs
Resource / YARA rule:
C:\Users\Admin\AppData\Roaming\bin.exe: xloader
C:\Users\Admin\AppData\Roaming\bin.exe: xloader
behavioral2/memory/2816-125-0x00000000001D0000-0x00000000001F8000-memory.dmp: xloader
Blocklisted process makes network request 17 IoCs
Processes (flow / pid / process):
flows 13, 16, 18, 20, 25, 27, 31, 34, 35, 38, 43, 45, 48, 53, 56, 59, 62: pid 3368 wscript.exe
Executes dropped EXE 1 IoCs
Process: pid 1420 bin.exe
Drops startup file 2 IoCs
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js (wscript.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js (wscript.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\bzTHMuWnfp.js\"" (wscript.exe)
Suspicious use of SetThreadContext 2 IoCs
PID 1420 (bin.exe) set thread context of 3052 (Explorer.EXE)
PID 2816 (systray.exe) set thread context of 3052 (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 54 IoCs
Processes: pid 1420 bin.exe (4 events), pid 2816 systray.exe (50 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Process: pid 3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: pid 1420 bin.exe (3 events), pid 2816 systray.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, pid 1420 bin.exe
Token: SeDebugPrivilege, pid 2816 systray.exe
Suspicious use of UnmapMainImage 1 IoCs
Process: pid 3052 Explorer.EXE
Suspicious use of WriteProcessMemory 11 IoCs
PID 808 (wscript.exe) wrote to memory of 3368 (wscript.exe), 2 events
PID 808 (wscript.exe) wrote to memory of 1420 (bin.exe), 3 events
PID 3052 (Explorer.EXE) wrote to memory of 2816 (systray.exe), 3 events
PID 2816 (systray.exe) wrote to memory of 1272 (cmd.exe), 3 events
Processes
C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\wscript.exe (depth 2)
    Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Gesuchte Maschinen.js"
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\wscript.exe (depth 3)
      Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\bin.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Roaming\bin.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\systray.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\bin.exe
MD5: 387be3e3c86fc9d6a2c1923863f39a7d
SHA1: a5143eaf39ac1c94e4dcb0519fc1910ee63a31c2
SHA256: 1e5a34f0b9021f1760bf583f28a7c1ab4157b09b2b78cf8d9a9ff34c6221efe6
SHA512: 7333ed1f0880146796d49dddb50999feccc8e9c1ad40f7323c8550f302a925ec99402fab71cf71c87ddcdfe7aa2cbeb3e0865b402655491e1362aea6cfd02b5d
C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js
MD5: e2e1a525cffad9ed1e32f5c5c2f182aa
SHA1: 4009388a60a33416e81f6b6ebe4ee752f2eedeb8
SHA256: 41609d1f9bbf9fbefba7505632a5de15e8379fa0d468482665ea050e73927030
SHA512: 609f4d04f638766034b5cdf3d15df25b96652e737ff0afbb655609e51c55accfe410dc9722d8191c615d93f59b6c60820393f8e44b362896499e10d7c7aac792
Memory dumps:
memory/1272-123-0x0000000000000000-mapping.dmp
memory/1420-116-0x0000000000000000-mapping.dmp
memory/1420-119-0x0000000001690000-0x00000000019B0000-memory.dmp (3.1MB)
memory/1420-120-0x00000000010D0000-0x00000000010E0000-memory.dmp (64KB)
memory/2816-122-0x0000000000000000-mapping.dmp
memory/2816-125-0x00000000001D0000-0x00000000001F8000-memory.dmp (160KB)
memory/2816-124-0x0000000000F60000-0x0000000000F66000-memory.dmp (24KB)
memory/2816-126-0x0000000004370000-0x0000000004690000-memory.dmp (3.1MB)
memory/2816-127-0x0000000000CB0000-0x0000000000D3F000-memory.dmp (572KB)
memory/3052-121-0x0000000004DA0000-0x0000000004ECF000-memory.dmp (1.2MB)
memory/3052-128-0x0000000004C80000-0x0000000004D70000-memory.dmp (960KB)
memory/3368-114-0x0000000000000000-mapping.dmp