Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-en -
submitted
05-09-2021 06:09
Static task
static1
Behavioral task
behavioral1
Sample
POSH service quotation..exe
Resource
win7-en
General
-
Target
POSH service quotation..exe
-
Size
548KB
-
MD5
38f0e944212962eca78d2209e614aa41
-
SHA1
7b638710352c0374f41374bde07aa2d57263e8f1
-
SHA256
2579540806631bf43383d340bf445855f71106614b40854ca9cf33265a24f900
-
SHA512
3a1178bcf072d554c3c758cf2a4f3a083e027069f2d3c13d55a0e27162a14822ce0ecb5c526b27e1d281c995a6d617cf0c27359f9c23a2a433b1afcf8f12ad96
Malware Config
Extracted
xloader
2.3
n58i
http://www.mack3sleeve.com/n58i/
nl-cafe.com
votetedjaleta.com
britrobertsrealtor.com
globipark.com
citysucces.com
verisignwebsite-verified.com
riddlepc.com
rosecityclimbing.com
oleandrinextract.com
salmankonstruksi.com
needhamchannel.com
refreshx2z.com
youth66.com
pla-russia.com
halloweenmaskpro.com
exdysis.com
1gcz.com
lookgoodman.com
rlxagva.com
stlcityc.com
writingleagues.com
biodunandewaoluwa.com
whitepetalsboutiques.com
idirtivio.com
ministerioslodj.com
bachelors.win
floortak.co.uk
naturaldogseltzer.com
hypermediarus.online
grandrapidsvirtualboatshow.com
usabrokersgroup.net
marketlala.com
5923599.com
oldhousechicago.com
crucial.company
chickaboom.net
fashionelixirs.com
robertstevensonphotography.com
goddessruby.com
hostings.company
freeganyachtclub.com
shierxing.com
sfca01.com
ahhtcd.com
yournumberoneteam.com
w88linklogin.com
worldchampsfootball.club
arcadems.com
rutroms.club
oxfordholidaycottage.com
science-laboratory.info
wecarefamilyphysicians.com
cdaaesthetics.com
defyesthetics.com
haselwoodvwevents.com
promoterss.com
gromov-plc.com
themaximogroup.com
litlidin.com
guangheng-sh.com
cashcowlending.com
foxelpie.com
bppublicschool.com
terapiademuerdago.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1356-58-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1356-59-0x000000000041D070-mapping.dmp xloader behavioral1/memory/1680-67-0x0000000000070000-0x0000000000099000-memory.dmp xloader -
Suspicious use of SetThreadContext 4 IoCs
Processes:
POSH service quotation..exeRegSvcs.execscript.exedescription pid process target process PID 2008 set thread context of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 1356 set thread context of 1392 1356 RegSvcs.exe Explorer.EXE PID 1356 set thread context of 1392 1356 RegSvcs.exe Explorer.EXE PID 1680 set thread context of 1392 1680 cscript.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
POSH service quotation..exeRegSvcs.execscript.exepid process 2008 POSH service quotation..exe 2008 POSH service quotation..exe 1356 RegSvcs.exe 1356 RegSvcs.exe 1356 RegSvcs.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe 1680 cscript.exe -
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
RegSvcs.execscript.exepid process 1356 RegSvcs.exe 1356 RegSvcs.exe 1356 RegSvcs.exe 1356 RegSvcs.exe 1680 cscript.exe 1680 cscript.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
POSH service quotation..exeRegSvcs.execscript.exedescription pid process Token: SeDebugPrivilege 2008 POSH service quotation..exe Token: SeDebugPrivilege 1356 RegSvcs.exe Token: SeDebugPrivilege 1680 cscript.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
Explorer.EXEpid process 1392 Explorer.EXE 1392 Explorer.EXE 1392 Explorer.EXE 1392 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1392 Explorer.EXE 1392 Explorer.EXE 1392 Explorer.EXE 1392 Explorer.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
POSH service quotation..exeExplorer.EXEcscript.exedescription pid process target process PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 2008 wrote to memory of 1356 2008 POSH service quotation..exe RegSvcs.exe PID 1392 wrote to memory of 1680 1392 Explorer.EXE cscript.exe PID 1392 wrote to memory of 1680 1392 Explorer.EXE cscript.exe PID 1392 wrote to memory of 1680 1392 Explorer.EXE cscript.exe PID 1392 wrote to memory of 1680 1392 Explorer.EXE cscript.exe PID 1680 wrote to memory of 1368 1680 cscript.exe cmd.exe PID 1680 wrote to memory of 1368 1680 cscript.exe cmd.exe PID 1680 wrote to memory of 1368 1680 cscript.exe cmd.exe PID 1680 wrote to memory of 1368 1680 cscript.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\POSH service quotation..exe"C:\Users\Admin\AppData\Local\Temp\POSH service quotation..exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1356-63-0x00000000003A0000-0x00000000003B1000-memory.dmpFilesize
68KB
-
memory/1356-58-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1356-59-0x000000000041D070-mapping.dmp
-
memory/1356-61-0x0000000000270000-0x0000000000281000-memory.dmpFilesize
68KB
-
memory/1356-60-0x0000000000820000-0x0000000000B23000-memory.dmpFilesize
3.0MB
-
memory/1368-68-0x0000000000000000-mapping.dmp
-
memory/1392-62-0x0000000006CE0000-0x0000000006E30000-memory.dmpFilesize
1.3MB
-
memory/1392-71-0x0000000006E30000-0x0000000006F93000-memory.dmpFilesize
1.4MB
-
memory/1392-64-0x0000000004380000-0x0000000004472000-memory.dmpFilesize
968KB
-
memory/1680-65-0x0000000000000000-mapping.dmp
-
memory/1680-67-0x0000000000070000-0x0000000000099000-memory.dmpFilesize
164KB
-
memory/1680-66-0x0000000000E20000-0x0000000000E42000-memory.dmpFilesize
136KB
-
memory/1680-69-0x0000000002250000-0x0000000002553000-memory.dmpFilesize
3.0MB
-
memory/1680-70-0x0000000000980000-0x0000000000A10000-memory.dmpFilesize
576KB
-
memory/2008-57-0x0000000005120000-0x0000000005152000-memory.dmpFilesize
200KB
-
memory/2008-56-0x0000000004B90000-0x0000000004BF7000-memory.dmpFilesize
412KB
-
memory/2008-52-0x0000000000290000-0x0000000000291000-memory.dmpFilesize
4KB
-
memory/2008-55-0x00000000004F0000-0x0000000000506000-memory.dmpFilesize
88KB
-
memory/2008-54-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB