Analysis
- max time kernel: 152s
- max time network: 169s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 22-09-2021 13:20

Static task: static1
Behavioral task: behavioral1
Sample: RFQ37548854,PDF.exe
Resource: win7-en-20210920

General
- Target: RFQ37548854,PDF.exe
- Size: 358KB
- MD5: a52dd168224f0cdee9acbb6672235873
- SHA1: ec2752f36ba84ccac2584774b5fb120585c3863c
- SHA256: c5c262746be953a1731d5682c808ca401d4509446cf409b544c2b5524cce2e69
- SHA512: 3f420de65287e3164430755eac595e14dd4b381ffd6c5b7dc9cc1eb28360fe2d53f1998fb3bc26f53158c8426dbb8feda0385c7826299b8c5dee58018cc8d15b
Malware Config
Extracted
xloader
2.3
gv6d
http://www.breakaway.uk/gv6d/
Signatures
- Xloader Payload (2 IoCs)
  resource: behavioral1/memory/1736-57-0x0000000000400000-0x0000000000428000-memory.dmp, yara_rule: xloader
  resource: behavioral1/memory/964-65-0x00000000000C0000-0x00000000000E8000-memory.dmp, yara_rule: xloader
- Deletes itself (1 IoC)
  pid 1332 cmd.exe
- Loads dropped DLL (1 IoC)
  pid 1348 RFQ37548854,PDF.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 1348 (RFQ37548854,PDF.exe) set thread context of 1736 (RFQ37548854,PDF.exe)
  PID 1736 (RFQ37548854,PDF.exe) set thread context of 1204 (Explorer.EXE)
  PID 964 (control.exe) set thread context of 1204 (Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid 1736 RFQ37548854,PDF.exe (2 events), pid 964 control.exe (29 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 1204 Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid 1348 RFQ37548854,PDF.exe (1 event), pid 1736 RFQ37548854,PDF.exe (3 events), pid 964 control.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, pid 1736 RFQ37548854,PDF.exe
  Token: SeDebugPrivilege, pid 964 control.exe
- Suspicious use of FindShellTrayWindow (6 IoCs)
  pid 1204 Explorer.EXE (6 events)
- Suspicious use of SendNotifyMessage (6 IoCs)
  pid 1204 Explorer.EXE (6 events)
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 1348 (RFQ37548854,PDF.exe) wrote to memory of 1736 (RFQ37548854,PDF.exe), 5 events
  PID 1204 (Explorer.EXE) wrote to memory of 964 (control.exe), 4 events
  PID 964 (control.exe) wrote to memory of 1332 (cmd.exe), 4 events
Processes (tree; each child process is indented under its parent)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
    signatures: Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\control.exe
    command line: "C:\Windows\SysWOW64\control.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\RFQ37548854,PDF.exe"
      signatures: Deletes itself
Downloads
- \Users\Admin\AppData\Local\Temp\nslE3BA.tmp\totcxeabva.dll
  MD5: 89aee5fb46042439e7f4688264409ee6
  SHA1: a2b83ba525c28a4a257cd796eac82fca58ee3616
  SHA256: 1f52fd925d4342b75828f06d797d792ae14eb4be888b1a0a917c93949bd16d8a
  SHA512: 4e4311570b3c1e11d59b31f5942b533d8d89d5c733befc42a9bddfae52cea83d40f5c4f67095233b92727fc4656e4239bde3d9ed6fa7f6711696c9ad0105beb4
- memory/964-61-0x0000000000000000-mapping.dmp
- memory/964-67-0x0000000000700000-0x000000000078F000-memory.dmp (Filesize: 572KB)
- memory/964-66-0x0000000002020000-0x0000000002323000-memory.dmp (Filesize: 3.0MB)
- memory/964-65-0x00000000000C0000-0x00000000000E8000-memory.dmp (Filesize: 160KB)
- memory/964-64-0x00000000007A0000-0x00000000007BF000-memory.dmp (Filesize: 124KB)
- memory/1204-60-0x00000000049E0000-0x0000000004B3E000-memory.dmp (Filesize: 1.4MB)
- memory/1204-68-0x0000000004B40000-0x0000000004C62000-memory.dmp (Filesize: 1.1MB)
- memory/1332-63-0x0000000000000000-mapping.dmp
- memory/1348-54-0x00000000768C1000-0x00000000768C3000-memory.dmp (Filesize: 8KB)
- memory/1736-59-0x0000000000770000-0x0000000000A73000-memory.dmp (Filesize: 3.0MB)
- memory/1736-57-0x0000000000400000-0x0000000000428000-memory.dmp (Filesize: 160KB)
- memory/1736-58-0x0000000000210000-0x0000000000220000-memory.dmp (Filesize: 64KB)
- memory/1736-56-0x000000000041CFC0-mapping.dmp