Analysis
-
max time kernel
303s -
max time network
311s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
03-09-2021 04:50
Static task
static1
Behavioral task
behavioral1
Sample
grace $.exe
Resource
win7-en
General
-
Target
grace $.exe
-
Size
482KB
-
MD5
beee308b51db0c02f8eeebf7d2773a6d
-
SHA1
4df5d609ea5b05dfcba4b9e51120a10374f7d450
-
SHA256
7af335cb2a2646ddadf12f730585a217523da868aaeb12ba621b367c1b942693
-
SHA512
d0665aa70d1c1116a36c296bc49ec4b474a086d9741d3439f8b0fe4c8f054ae8ab1d5610b4e4e74758c25947054a569e5b897822e2859c8595b00dc69015a63b
Malware Config
Extracted
xloader
2.3
t75f
http://www.vertexnailsblaine.com/t75f/
onegolfsydney.com
kaizensportscoaching.com
mliacbjv.icu
rinstech.net
midas-parts.com
istmenian.com
ibrahimpike.com
herbspaces.com
gentleman4higher.com
workabusiness.com
isabusive.website
222555dy.com
lwhyzhzb.xyz
gabrielabravoillanes.com
hearthomelife.com
buildswealth.com
printitaz.com
l-mventures.com
baincot3.com
nstaq-labs.com
wikendi.com
newyears21.com
citestaccnt1597730671.com
thecuriousincidentwes.com
alchembiopro.com
stardustanimations.com
ssgasiaw.com
sarajanesstudio.com
whitepointfineart.com
dlglawtx.com
doudiangroup.com
jackpod.team
abvoltprunus.bid
miimamablog.com
selfbuildwithmannok.com
thanhxuan99.online
germantos.com
waterdoor.net
wmscloud.net
services-24hras.com
maneadvisors.com
mosineetowing.com
blockdelightsmart.com
booyaka.design
brewery-run.com
dexteroushandmade.com
minhamochila.com
drawingwoo.com
thesalcombefurniturecompany.net
nashautoglass.com
beenationgear.com
cleanseforlifewellness.com
corecounselingcenter.info
naturalcreativesociety.com
sarcontraders.com
lickitbuddyrehab.com
theweekendrecap.com
cetiya-veluvana.com
w7asd.net
nyctophilia.net
asialion.net
goldentreegrp.com
jacobuspark.com
punchingforce.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/3240-124-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/3240-125-0x000000000041D110-mapping.dmp xloader behavioral2/memory/1928-132-0x0000000000760000-0x0000000000789000-memory.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
chkdsk.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run chkdsk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XRMH7BMXCNY = "C:\\Program Files (x86)\\Bf8fdu\\bj1pqbmxwfkdhxtx.exe" chkdsk.exe -
Executes dropped EXE 1 IoCs
Processes:
bj1pqbmxwfkdhxtx.exepid process 1680 bj1pqbmxwfkdhxtx.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
grace $.exeRegSvcs.exechkdsk.exedescription pid process target process PID 640 set thread context of 3240 640 grace $.exe RegSvcs.exe PID 3240 set thread context of 3052 3240 RegSvcs.exe Explorer.EXE PID 1928 set thread context of 3052 1928 chkdsk.exe Explorer.EXE -
Drops file in Program Files directory 4 IoCs
Processes:
Explorer.EXEchkdsk.exedescription ioc process File created C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe chkdsk.exe File opened for modification C:\Program Files (x86)\Bf8fdu Explorer.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Processes:
chkdsk.exedescription ioc process Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
grace $.exeRegSvcs.exechkdsk.exepid process 640 grace $.exe 640 grace $.exe 640 grace $.exe 640 grace $.exe 3240 RegSvcs.exe 3240 RegSvcs.exe 3240 RegSvcs.exe 3240 RegSvcs.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3052 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
RegSvcs.exechkdsk.exepid process 3240 RegSvcs.exe 3240 RegSvcs.exe 3240 RegSvcs.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe 1928 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
grace $.exeRegSvcs.exechkdsk.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 640 grace $.exe Token: SeDebugPrivilege 3240 RegSvcs.exe Token: SeDebugPrivilege 1928 chkdsk.exe Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3052 Explorer.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
grace $.exeExplorer.EXEchkdsk.exedescription pid process target process PID 640 wrote to memory of 1572 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 1572 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 1572 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 3240 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 3240 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 3240 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 3240 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 3240 640 grace $.exe RegSvcs.exe PID 640 wrote to memory of 3240 640 grace $.exe RegSvcs.exe PID 3052 wrote to memory of 1928 3052 Explorer.EXE chkdsk.exe PID 3052 wrote to memory of 1928 3052 Explorer.EXE chkdsk.exe PID 3052 wrote to memory of 1928 3052 Explorer.EXE chkdsk.exe PID 1928 wrote to memory of 1896 1928 chkdsk.exe cmd.exe PID 1928 wrote to memory of 1896 1928 chkdsk.exe cmd.exe PID 1928 wrote to memory of 1896 1928 chkdsk.exe cmd.exe PID 1928 wrote to memory of 504 1928 chkdsk.exe Firefox.exe PID 1928 wrote to memory of 504 1928 chkdsk.exe Firefox.exe PID 1928 wrote to memory of 504 1928 chkdsk.exe Firefox.exe PID 3052 wrote to memory of 1680 3052 Explorer.EXE bj1pqbmxwfkdhxtx.exe PID 3052 wrote to memory of 1680 3052 Explorer.EXE bj1pqbmxwfkdhxtx.exe PID 3052 wrote to memory of 1680 3052 Explorer.EXE bj1pqbmxwfkdhxtx.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\grace $.exe"C:\Users\Admin\AppData\Local\Temp\grace $.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe"C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exeMD5
0e06054beb13192588e745ee63a84173
SHA130b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
C:\Program Files (x86)\Bf8fdu\bj1pqbmxwfkdhxtx.exeMD5
0e06054beb13192588e745ee63a84173
SHA130b7d4d1277bafd04a83779fd566a1f834a8d113
SHA256c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
SHA512251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215
-
memory/504-136-0x0000000000000000-mapping.dmp
-
memory/504-144-0x000001B708E00000-0x000001B708EF5000-memory.dmpFilesize
980KB
-
memory/504-143-0x00007FF7B2F80000-0x00007FF7B3013000-memory.dmpFilesize
588KB
-
memory/640-122-0x00000000076E0000-0x000000000773F000-memory.dmpFilesize
380KB
-
memory/640-118-0x0000000005330000-0x0000000005331000-memory.dmpFilesize
4KB
-
memory/640-114-0x0000000000930000-0x0000000000931000-memory.dmpFilesize
4KB
-
memory/640-123-0x0000000009F30000-0x0000000009F5A000-memory.dmpFilesize
168KB
-
memory/640-116-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/640-117-0x00000000053C0000-0x00000000053C1000-memory.dmpFilesize
4KB
-
memory/640-121-0x00000000056B0000-0x00000000056C6000-memory.dmpFilesize
88KB
-
memory/640-120-0x0000000007750000-0x0000000007751000-memory.dmpFilesize
4KB
-
memory/640-119-0x0000000005320000-0x000000000581E000-memory.dmpFilesize
5.0MB
-
memory/1680-141-0x0000000002BB0000-0x0000000002BB1000-memory.dmpFilesize
4KB
-
memory/1680-140-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/1680-137-0x0000000000000000-mapping.dmp
-
memory/1680-142-0x0000000000E50000-0x0000000000E51000-memory.dmpFilesize
4KB
-
memory/1896-130-0x0000000000000000-mapping.dmp
-
memory/1928-133-0x0000000005090000-0x00000000053B0000-memory.dmpFilesize
3.1MB
-
memory/1928-134-0x0000000004F80000-0x000000000500F000-memory.dmpFilesize
572KB
-
memory/1928-131-0x0000000000920000-0x000000000092A000-memory.dmpFilesize
40KB
-
memory/1928-132-0x0000000000760000-0x0000000000789000-memory.dmpFilesize
164KB
-
memory/1928-129-0x0000000000000000-mapping.dmp
-
memory/3052-135-0x0000000002550000-0x0000000002639000-memory.dmpFilesize
932KB
-
memory/3052-128-0x0000000005C80000-0x0000000005DFC000-memory.dmpFilesize
1.5MB
-
memory/3240-126-0x0000000001870000-0x0000000001B90000-memory.dmpFilesize
3.1MB
-
memory/3240-127-0x0000000000FF0000-0x0000000001000000-memory.dmpFilesize
64KB
-
memory/3240-125-0x000000000041D110-mapping.dmp
-
memory/3240-124-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB