Analysis
max time kernel: 155s
max time network: 158s
platform: windows7_x64
resource: win7v20210408
submitted: 30-08-2021 16:49
Static task: static1
Behavioral task: behavioral1
Sample: Gesuchte Maschinen.js
Resource: win7v20210408
General
Target: Gesuchte Maschinen.js
Size: 313KB
MD5: e1c35fbb0a2f810800e6619448f0fec6
SHA1: 8a84a677134b31b93434e8aedc9cea27e91f6058
SHA256: 3b9f482300a46bbc1de6579f601e7c77d9c20392dca53733f2c21ba0c2888a06
SHA512: 1aafd75162a0857a7eea4551b581e40bd1885556da0bb0ae43af35b6810b56039d83d1b2845e7b840bf4855137fd7886dcf89eddbc5bbdf5a8eb76c4d2031c27
Malware Config
Extracted
Family: xloader
Version: 2.3
Campaign: o7ht
C2: http://www.tadrxp.com/o7ht/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 3 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Roaming\bin.exe | xloader
C:\Users\Admin\AppData\Roaming\bin.exe | xloader
behavioral1/memory/1556-74-0x0000000000080000-0x00000000000A8000-memory.dmp | xloader
Blocklisted process makes network request 17 IoCs
pid 2008 wscript.exe: network flows 6, 7, 8, 12, 15, 20, 24, 27, 28, 33, 36, 39, 45, 49, 55, 59, 63
Executes dropped EXE 1 IoCs
pid 1904 bin.exe
Drops startup file 2 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js | wscript.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzTHMuWnfp.js | wscript.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\bzTHMuWnfp.js\"" | wscript.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | process | target process
PID 1904 set thread context of 1244 | 1904 | bin.exe | Explorer.EXE
PID 1904 set thread context of 1244 | 1904 | bin.exe | Explorer.EXE
PID 1556 set thread context of 1244 | 1556 | svchost.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid 1904 bin.exe; pid 1556 svchost.exe (29 events in total)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 1244 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs
pid 1904 bin.exe (4 events); pid 1556 svchost.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege | 1904 | bin.exe
Token: SeDebugPrivilege | 1556 | svchost.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid 1244 Explorer.EXE (4 events)
Suspicious use of SendNotifyMessage 4 IoCs
pid 1244 Explorer.EXE (4 events)
Suspicious use of WriteProcessMemory 15 IoCs
description | pid | process | target process
PID 792 wrote to memory of 2008 | 792 | wscript.exe | wscript.exe (3 events)
PID 792 wrote to memory of 1904 | 792 | wscript.exe | bin.exe (4 events)
PID 1904 wrote to memory of 1556 | 1904 | bin.exe | svchost.exe (4 events)
PID 1556 wrote to memory of 1140 | 1556 | svchost.exe | cmd.exe (4 events)
Processes
depth 1: C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  depth 2: C:\Windows\system32\wscript.exe
      command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Gesuchte Maschinen.js"
      - Suspicious use of WriteProcessMemory
    depth 3: C:\Windows\System32\wscript.exe
        command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js"
        - Blocklisted process makes network request
        - Drops startup file
        - Adds Run key to start application
    depth 3: C:\Users\Admin\AppData\Roaming\bin.exe
        command line: "C:\Users\Admin\AppData\Roaming\bin.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\svchost.exe
          command line: "C:\Windows\SysWOW64\svchost.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        depth 5: C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Roaming\bin.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\bin.exe
  MD5: 387be3e3c86fc9d6a2c1923863f39a7d
  SHA1: a5143eaf39ac1c94e4dcb0519fc1910ee63a31c2
  SHA256: 1e5a34f0b9021f1760bf583f28a7c1ab4157b09b2b78cf8d9a9ff34c6221efe6
  SHA512: 7333ed1f0880146796d49dddb50999feccc8e9c1ad40f7323c8550f302a925ec99402fab71cf71c87ddcdfe7aa2cbeb3e0865b402655491e1362aea6cfd02b5d
C:\Users\Admin\AppData\Roaming\bzTHMuWnfp.js
  MD5: e2e1a525cffad9ed1e32f5c5c2f182aa
  SHA1: 4009388a60a33416e81f6b6ebe4ee752f2eedeb8
  SHA256: 41609d1f9bbf9fbefba7505632a5de15e8379fa0d468482665ea050e73927030
  SHA512: 609f4d04f638766034b5cdf3d15df25b96652e737ff0afbb655609e51c55accfe410dc9722d8191c615d93f59b6c60820393f8e44b362896499e10d7c7aac792
memory/792-60-0x000007FEFB561000-0x000007FEFB563000-memory.dmp
  Filesize: 8KB
memory/1140-70-0x0000000000000000-mapping.dmp
memory/1244-77-0x00000000048E0000-0x00000000049DE000-memory.dmp
  Filesize: 1016KB
memory/1244-72-0x0000000004220000-0x00000000042EF000-memory.dmp
  Filesize: 828KB
memory/1244-66-0x00000000078A0000-0x0000000007A33000-memory.dmp
  Filesize: 1.6MB
memory/1556-68-0x0000000000000000-mapping.dmp
memory/1556-75-0x00000000008C0000-0x0000000000BC3000-memory.dmp
  Filesize: 3.0MB
memory/1556-74-0x0000000000080000-0x00000000000A8000-memory.dmp
  Filesize: 160KB
memory/1556-76-0x0000000000490000-0x000000000051F000-memory.dmp
  Filesize: 572KB
memory/1556-73-0x0000000000DF0000-0x0000000000DF8000-memory.dmp
  Filesize: 32KB
memory/1556-78-0x0000000075041000-0x0000000075043000-memory.dmp
  Filesize: 8KB
memory/1904-67-0x0000000000110000-0x0000000000120000-memory.dmp
  Filesize: 64KB
memory/1904-65-0x0000000000AA0000-0x0000000000DA3000-memory.dmp
  Filesize: 3.0MB
memory/1904-63-0x0000000000000000-mapping.dmp
memory/1904-71-0x0000000000160000-0x0000000000170000-memory.dmp
  Filesize: 64KB
memory/2008-61-0x0000000000000000-mapping.dmp