Analysis
max time kernel: 152s
max time network: 139s
platform: windows7_x64
resource: win7-en-20210920
submitted: 23-09-2021 21:09
Static task: static1
Behavioral task: behavioral1
Sample: HSBC94302,pdf.exe
Resource: win7-en-20210920
General
Target: HSBC94302,pdf.exe
Size: 255KB
MD5: f074678a2c588e8741918098804e2a54
SHA1: 8f6ece4353671a76abea3621a1ae05886bfd181c
SHA256: fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1
SHA512: 21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: dhua
Decoy URL: http://www.segurosramosroman.com/dhua/
Decoy domains:
ketostar.club
icanmakeyoufamous.com
claimygdejection.com
garlicinterestedparent.xyz
bits-clicks.com
030atk.xyz
ballwiegand.com
logs-illumidesk.com
785686.com
flnewsfeed.com
transporteshrj.net
agenciamundodigital.online
bowersllc.com
urchncenw.com
wuauwuaumx.com
littlesportsacademy.com
xn--m3chb3ax0abdta3fwhk.com
prmarketings.com
jiaozhanlianmeng.com
whenisthestore.space
ventureagora.net
ditrixmed.store
gitlab-tamskillpage.com
samgravikasnidhi.com
lenti4you.com
reviewallstarscommerce.com
nissimarble.com
md2px.xyz
tristarelectronics.net
you11.net
vaccinationfraud.xyz
bu3helo.com
marcellcheckpoint.com
hassinkandroos.com
socw.quest
screenedscooptoknow-today.info
aciburada.com
edimacare.com
smokenation.net
elga-groupinc.com
26dgj.xyz
chandleenews.com
sugarcanemultisport.com
nichellejonesrealtor.com
architektschnur.com
atehgroup.com
ocoeeboys.com
zanesells.com
878971.com
infringement-notice.com
orzame.com
darlindough.com
bwpassionenterprise.com
switchress.com
willcowblog.online
rsyncpalace.com
ayderstudio.com
ascotintrenational.com
omeducationhelp.com
kimberleydawnwallace.com
thereisnooneway.com
marketobserve.com
sildenafilnrx.com
willowbaldwin.com
Signatures

Xloader Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/988-56-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/988-57-0x000000000041D4E0-mapping.dmp | xloader
behavioral1/memory/1112-64-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
behavioral1/memory/1476-76-0x000000000041D4E0-mapping.dmp | xloader
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: wininit.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wininit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\TP-H0HTHUHS = "C:\\Program Files (x86)\\C_l80wbm\\ms1b0l.exe" | wininit.exe
Executes dropped EXE (2 IoCs)
Processes: ms1b0l.exe, ms1b0l.exe
pid | process
1344 | ms1b0l.exe
1476 | ms1b0l.exe
Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
980 | cmd.exe
Loads dropped DLL (2 IoCs)
Processes: HSBC94302,pdf.exe, ms1b0l.exe
pid | process
1628 | HSBC94302,pdf.exe
1344 | ms1b0l.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes: HSBC94302,pdf.exe, HSBC94302,pdf.exe, wininit.exe, ms1b0l.exe
description | pid | process | target process
PID 1628 set thread context of 988 | 1628 | HSBC94302,pdf.exe | HSBC94302,pdf.exe
PID 988 set thread context of 1364 | 988 | HSBC94302,pdf.exe | Explorer.EXE
PID 1112 set thread context of 1364 | 1112 | wininit.exe | Explorer.EXE
PID 1344 set thread context of 1476 | 1344 | ms1b0l.exe | ms1b0l.exe
Drops file in Program Files directory (2 IoCs)
Processes: wininit.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | wininit.exe
File created | C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer (6 IoCs)
resource | yara_rule
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | nsis_installer_1
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | nsis_installer_2
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | nsis_installer_1
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | nsis_installer_2
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | nsis_installer_1
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe | nsis_installer_2

Modifies Internet Explorer settings
Processes: wininit.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wininit.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: HSBC94302,pdf.exe, wininit.exe, ms1b0l.exe
pid | process | entries
988 | HSBC94302,pdf.exe | 2
1112 | wininit.exe | 27
1476 | ms1b0l.exe | 1
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Explorer.EXE
pid | process
1364 | Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: HSBC94302,pdf.exe, wininit.exe
pid | process | entries
988 | HSBC94302,pdf.exe | 3
1112 | wininit.exe | 4
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: HSBC94302,pdf.exe, wininit.exe, ms1b0l.exe
description | pid | process
Token: SeDebugPrivilege | 988 | HSBC94302,pdf.exe
Token: SeDebugPrivilege | 1112 | wininit.exe
Token: SeDebugPrivilege | 1476 | ms1b0l.exe
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes: Explorer.EXE
pid | process | entries
1364 | Explorer.EXE | 6
Suspicious use of SendNotifyMessage (6 IoCs)
Processes: Explorer.EXE
pid | process | entries
1364 | Explorer.EXE | 6
Suspicious use of WriteProcessMemory (31 IoCs)
Processes: HSBC94302,pdf.exe, Explorer.EXE, wininit.exe, ms1b0l.exe
description | pid | process | target process | entries
PID 1628 wrote to memory of 988 | 1628 | HSBC94302,pdf.exe | HSBC94302,pdf.exe | 7
PID 1364 wrote to memory of 1112 | 1364 | Explorer.EXE | wininit.exe | 4
PID 1112 wrote to memory of 980 | 1112 | wininit.exe | cmd.exe | 4
PID 1112 wrote to memory of 1948 | 1112 | wininit.exe | Firefox.exe | 4
PID 1364 wrote to memory of 1344 | 1364 | Explorer.EXE | ms1b0l.exe | 4
PID 1344 wrote to memory of 1476 | 1344 | ms1b0l.exe | ms1b0l.exe | 7
PID 1112 wrote to memory of 1948 | 1112 | wininit.exe | Firefox.exe | 1
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Drops file in Program Files directory
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\wininit.exe
      Command line: "C:\Windows\SysWOW64\wininit.exe"
      - Adds policy Run key to start application
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\HSBC94302,pdf.exe"
         - Deletes itself
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
   2. C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
      Command line: "C:\Program Files (x86)\C_l80wbm\ms1b0l.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
         Command line: "C:\Program Files (x86)\C_l80wbm\ms1b0l.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Program Files (x86)\C_l80wbm\ms1b0l.exe
MD5: f074678a2c588e8741918098804e2a54
SHA1: 8f6ece4353671a76abea3621a1ae05886bfd181c
SHA256: fa76022bffd0d6d87ad3baab7b9839f0b172ce1ccd264759d88e9df1a77291f1
SHA512: 21092cf587641e2f00758b98629c086f3d04aa9ef1da4b095c5d98764d57e8ed90ec947e9787fad7dce2a2dddd0444cb3def5c5ea500e43ad081c764f5e888f2

C:\Users\Admin\AppData\Local\Temp\b132iy3n65ngx
MD5: 8ee59d610eb0cbd98fa1f78e25c1e0ca
SHA1: da69b87f81e27b54dc668d893f49ea08ccc60880
SHA256: bd5fb90655c8a62769c382ba17d0fdf2d396b2d59c4f2db3fd00d07868c338f5
SHA512: 1cf95fc5c6e9c1f0441bf5f3d1618f62ccaed7ae455dc0a79abb96b7d1098e260abb02bef6a4b3eb5e2c77c89a0a69c5a4e4de57522e7316447306052e9562d5

\Users\Admin\AppData\Local\Temp\nsqE38B.tmp\injpp.dll
MD5: 52230408da822ac77450b0e11c41d28d
SHA1: 7c5394bb747a4a6fea18955e1da878cd87a7e86a
SHA256: 7318f7a1bb662ba2d27530ec87866144ac7a0532a642a27e1924987e498af153
SHA512: fae0a23cb2e3bcecaca88307c1584462645db1c7fab08fc9327419fdae533e213e5968604d7ea49b4705f62c29824e171bb004b9ae426bff3aa7ae0dd4079ef1

\Users\Admin\AppData\Local\Temp\nsrC764.tmp\injpp.dll
MD5: 52230408da822ac77450b0e11c41d28d
SHA1: 7c5394bb747a4a6fea18955e1da878cd87a7e86a
SHA256: 7318f7a1bb662ba2d27530ec87866144ac7a0532a642a27e1924987e498af153
SHA512: fae0a23cb2e3bcecaca88307c1584462645db1c7fab08fc9327419fdae533e213e5968604d7ea49b4705f62c29824e171bb004b9ae426bff3aa7ae0dd4079ef1
Memory dumps
memory/980-62-0x0000000000000000-mapping.dmp
memory/988-56-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/988-57-0x000000000041D4E0-mapping.dmp
memory/988-59-0x00000000002D0000-0x00000000002E1000-memory.dmp (68KB)
memory/988-58-0x0000000000840000-0x0000000000B43000-memory.dmp (3.0MB)
memory/1112-66-0x0000000000490000-0x0000000000520000-memory.dmp (576KB)
memory/1112-61-0x0000000000000000-mapping.dmp
memory/1112-63-0x0000000000470000-0x000000000048A000-memory.dmp (104KB)
memory/1112-64-0x0000000000080000-0x00000000000A9000-memory.dmp (164KB)
memory/1112-65-0x00000000020A0000-0x00000000023A3000-memory.dmp (3.0MB)
memory/1344-69-0x0000000000000000-mapping.dmp
memory/1364-67-0x0000000006FE0000-0x000000000713C000-memory.dmp (1.4MB)
memory/1364-60-0x0000000003FB0000-0x0000000004073000-memory.dmp (780KB)
memory/1476-76-0x000000000041D4E0-mapping.dmp
memory/1476-78-0x00000000008E0000-0x0000000000BE3000-memory.dmp (3.0MB)
memory/1628-54-0x0000000076B61000-0x0000000076B63000-memory.dmp (8KB)
memory/1948-79-0x0000000000000000-mapping.dmp
memory/1948-80-0x000000013FC10000-0x000000013FCA3000-memory.dmp (588KB)
memory/1948-81-0x00000000024B0000-0x0000000002631000-memory.dmp (1.5MB)