Analysis
max time kernel: 299s
max time network: 296s
platform: windows10_x64
resource: win10-en-20210920
submitted: 23-09-2021 13:51
Static task: static1
Behavioral task: behavioral1
Sample: RFQ8943.pdf.exe
Resource: win7-en-20210920
General
Target: RFQ8943.pdf.exe
Size: 276KB
MD5: 89e074f1f6ffd1421078fdab1a00ab5d
SHA1: a5c4d75dbbe10ed36f1ffaba930456592e268169
SHA256: 559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c
SHA512: 2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: dhua
C2: http://www.segurosramosroman.com/dhua/
Decoy domains:
ketostar.club
icanmakeyoufamous.com
claimygdejection.com
garlicinterestedparent.xyz
bits-clicks.com
030atk.xyz
ballwiegand.com
logs-illumidesk.com
785686.com
flnewsfeed.com
transporteshrj.net
agenciamundodigital.online
bowersllc.com
urchncenw.com
wuauwuaumx.com
littlesportsacademy.com
xn--m3chb3ax0abdta3fwhk.com
prmarketings.com
jiaozhanlianmeng.com
whenisthestore.space
ventureagora.net
ditrixmed.store
gitlab-tamskillpage.com
samgravikasnidhi.com
lenti4you.com
reviewallstarscommerce.com
nissimarble.com
md2px.xyz
tristarelectronics.net
you11.net
vaccinationfraud.xyz
bu3helo.com
marcellcheckpoint.com
hassinkandroos.com
socw.quest
screenedscooptoknow-today.info
aciburada.com
edimacare.com
smokenation.net
elga-groupinc.com
26dgj.xyz
chandleenews.com
sugarcanemultisport.com
nichellejonesrealtor.com
architektschnur.com
atehgroup.com
ocoeeboys.com
zanesells.com
878971.com
infringement-notice.com
orzame.com
darlindough.com
bwpassionenterprise.com
switchress.com
willcowblog.online
rsyncpalace.com
ayderstudio.com
ascotintrenational.com
omeducationhelp.com
kimberleydawnwallace.com
thereisnooneway.com
marketobserve.com
sildenafilnrx.com
willowbaldwin.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/3536-117-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral2/memory/3420-126-0x00000000003D0000-0x00000000003F9000-memory.dmp  xloader
Executes dropped EXE 2 IoCs
Processes:
pid   process
752   3fe4czkvcd.exe
3164  3fe4czkvcd.exe

Loads dropped DLL 2 IoCs
Processes:
pid   process
3608  RFQ8943.pdf.exe
752   3fe4czkvcd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description      ioc                                                                                   process
Key created      \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run            msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BPXTQDJ0 = "C:\\Program Files (x86)\\Yjd80\\3fe4czkvcd.exe"  msiexec.exe

Suspicious use of SetThreadContext 4 IoCs
Processes:
description                          pid   process          target process
PID 3608 set thread context of 3536  3608  RFQ8943.pdf.exe  RFQ8943.pdf.exe
PID 3536 set thread context of 3048  3536  RFQ8943.pdf.exe  Explorer.EXE
PID 3420 set thread context of 3048  3420  msiexec.exe      Explorer.EXE
PID 752 set thread context of 3164   752   3fe4czkvcd.exe   3fe4czkvcd.exe

Drops file in Program Files directory 4 IoCs
Processes:
description                   ioc                                          process
File created                  C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  Explorer.EXE
File opened for modification  C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  Explorer.EXE
File opened for modification  C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  msiexec.exe
File opened for modification  C:\Program Files (x86)\Yjd80                 Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 6 IoCs
Processes:
resource                                     yara_rule
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  nsis_installer_1
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  nsis_installer_2
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  nsis_installer_1
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  nsis_installer_2
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  nsis_installer_1
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe  nsis_installer_2

Modifies Internet Explorer settings
Processes:
description  ioc                                                                                                                      process
Key created  \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid   process          entries
3536  RFQ8943.pdf.exe  4
3420  msiexec.exe      all remaining entries

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3048  Explorer.EXE

Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
pid   process
3608  RFQ8943.pdf.exe
3536  RFQ8943.pdf.exe
3536  RFQ8943.pdf.exe
3536  RFQ8943.pdf.exe
3420  msiexec.exe
3420  msiexec.exe
3420  msiexec.exe
752   3fe4czkvcd.exe
3420  msiexec.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes:
description                       pid   process
Token: SeDebugPrivilege           3536  RFQ8943.pdf.exe
Token: SeDebugPrivilege           3420  msiexec.exe
Token: SeShutdownPrivilege        3048  Explorer.EXE
Token: SeCreatePagefilePrivilege  3048  Explorer.EXE
Token: SeDebugPrivilege           3164  3fe4czkvcd.exe
Token: SeShutdownPrivilege        3048  Explorer.EXE
Token: SeCreatePagefilePrivilege  3048  Explorer.EXE
Token: SeShutdownPrivilege        3048  Explorer.EXE
Token: SeCreatePagefilePrivilege  3048  Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description                       pid   process          target process   entries
PID 3608 wrote to memory of 3536  3608  RFQ8943.pdf.exe  RFQ8943.pdf.exe  4
PID 3048 wrote to memory of 3420  3048  Explorer.EXE     msiexec.exe      3
PID 3420 wrote to memory of 1992  3420  msiexec.exe      cmd.exe          3
PID 3420 wrote to memory of 4516  3420  msiexec.exe      cmd.exe          3
PID 3420 wrote to memory of 728   3420  msiexec.exe      Firefox.exe      2
PID 3048 wrote to memory of 752   3048  Explorer.EXE     3fe4czkvcd.exe   3
PID 752 wrote to memory of 3164   752   3fe4czkvcd.exe   3fe4czkvcd.exe   4
PID 3420 wrote to memory of 728   3420  msiexec.exe      Firefox.exe      1
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\RFQ8943.pdf.exe"
    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
    command line: "C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
      command line: "C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Yjd80\3fe4czkvcd.exe
MD5: 89e074f1f6ffd1421078fdab1a00ab5d
SHA1: a5c4d75dbbe10ed36f1ffaba930456592e268169
SHA256: 559e207d1e3a1217b69796fc762cb2eb9db98717b983b789097faf774985bb6c
SHA512: 2992a62c4d11a605429dea066336141701852d3866c9f6ba034f753e76714deaafd0a4a51108f0bca34ca561707a47abb28870048a27efd63344249cf0b1f3c1
C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Local\Temp\g7psd4htl39wovdj7s
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\nsf7B80.tmp\qrtethbaa.dll
MD5: 15f7482c81007eff5abdca2a8fcf93b9
SHA1: c6aad787f62ee9e6421cd8d7bcce78cdd812df4e
SHA256: acc5d7029dd7c89f300f07f3743772417081e3acc13e054f4dbfb8bf84796569
SHA512: ab6e6d602d156dc408275e03043a6f5096c31b9f9668adfe5b62335fefe43637a4a10941b011a88ac6cbbf2e0ec50ddf21c4b835a275a80cfdc9bc86d526fcf5

\Users\Admin\AppData\Local\Temp\nskB4D1.tmp\qrtethbaa.dll
MD5: 15f7482c81007eff5abdca2a8fcf93b9
SHA1: c6aad787f62ee9e6421cd8d7bcce78cdd812df4e
SHA256: acc5d7029dd7c89f300f07f3743772417081e3acc13e054f4dbfb8bf84796569
SHA512: ab6e6d602d156dc408275e03043a6f5096c31b9f9668adfe5b62335fefe43637a4a10941b011a88ac6cbbf2e0ec50ddf21c4b835a275a80cfdc9bc86d526fcf5
memory/728-141-0x00007FF77F550000-0x00007FF77F5E3000-memory.dmp  Filesize: 588KB
memory/728-142-0x0000018E5BD30000-0x0000018E5BE3F000-memory.dmp  Filesize: 1.1MB
memory/728-140-0x0000000000000000-mapping.dmp
memory/752-132-0x0000000000000000-mapping.dmp
memory/1992-124-0x0000000000000000-mapping.dmp
memory/3048-129-0x0000000002400000-0x00000000024F9000-memory.dmp  Filesize: 996KB
memory/3048-120-0x00000000049F0000-0x0000000004B47000-memory.dmp  Filesize: 1.3MB
memory/3164-137-0x000000000041D4E0-mapping.dmp
memory/3164-139-0x0000000000AE0000-0x0000000000E00000-memory.dmp  Filesize: 3.1MB
memory/3420-125-0x00000000009A0000-0x00000000009B2000-memory.dmp  Filesize: 72KB
memory/3420-126-0x00000000003D0000-0x00000000003F9000-memory.dmp  Filesize: 164KB
memory/3420-121-0x0000000000000000-mapping.dmp
memory/3420-127-0x0000000004440000-0x0000000004760000-memory.dmp  Filesize: 3.1MB
memory/3420-128-0x00000000042A0000-0x0000000004330000-memory.dmp  Filesize: 576KB
memory/3536-119-0x0000000000E80000-0x0000000000E91000-memory.dmp  Filesize: 68KB
memory/3536-118-0x0000000000A00000-0x0000000000D20000-memory.dmp  Filesize: 3.1MB
memory/3536-117-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/3536-116-0x000000000041D4E0-mapping.dmp
memory/4516-130-0x0000000000000000-mapping.dmp