Analysis
-
max time kernel
599s -
max time network
599s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
24-09-2021 03:40
Static task
static1
Behavioral task
behavioral1
Sample
QUOTE PRICE.exe
Resource
win7v20210408
General
-
Target
QUOTE PRICE.exe
-
Size
558KB
-
MD5
3a35017603b428f692151484ad54ded0
-
SHA1
ac071c363f33e2a28aaffc77e5a34642d8246fe0
-
SHA256
45f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3
-
SHA512
6a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d
Malware Config
Extracted
xloader
2.5
m6rs
http://www.litediv.com/m6rs/
globalsovereignbank.com
ktnrape.xyz
churchybulletin.com
ddyla.com
imatge.cat
iwholesalestore.com
cultivapro.club
ibcfcl.com
refurbisheddildo.com
killerinktnpasumo4.xyz
mdphotoart.com
smi-ity.com
stanprolearningcenter.com
companyintelapp.com
tacticarc.com
soolls.com
gra68.net
cedricettori.digital
mossobuy.com
way2liv.com
j9b.xyz
bmfgi.com
gargantua-traiteur.com
tavolabread.com
neoplus-create.com
tracks-clicks.com
santsp.com
tokusa-f.com
yardparx.online
seinvestments-sg.com
elegantbrushes.net
restaurantemachupicchu.com
ha0313.com
dock7rods.com
emphatictrifles.com
onefunline.top
caulsshop.com
kittyol.com
thehealthyheifer.net
plotmyplot.com
leewaysvcs.com
eur86.com
lightsinwall.com
jiankangkyw.com
travilent.com
dvaccounts.com
wittyon.com
tommywoodenski.com
dividendoylibertad.com
aqscksw.com
familiapena2475.com
australianmeatandwine.com
leading.delivery
giftcards2you.com
bethlehemsmith.com
osterparrots.com
getignore.com
joyandsatisfy.club
sanibelislandhomesearch.com
smedivision.com
kitcycle.com
hills-renta.com
brownbeargraphics.com
46sheridan.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/3732-124-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/3732-125-0x000000000041D3D0-mapping.dmp xloader behavioral2/memory/2628-132-0x0000000001150000-0x0000000001179000-memory.dmp xloader behavioral2/memory/3544-153-0x000000000041D3D0-mapping.dmp xloader -
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
netsh.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run netsh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\OVUHMBMXCNY = "C:\\Program Files (x86)\\Gofrp\\-zhyvyl3zix.exe" netsh.exe -
Executes dropped EXE 2 IoCs
Processes:
-zhyvyl3zix.exe-zhyvyl3zix.exepid process 2528 -zhyvyl3zix.exe 3544 -zhyvyl3zix.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
QUOTE PRICE.exeQUOTE PRICE.exenetsh.exe-zhyvyl3zix.exedescription pid process target process PID 796 set thread context of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 3732 set thread context of 3024 3732 QUOTE PRICE.exe Explorer.EXE PID 2628 set thread context of 3024 2628 netsh.exe Explorer.EXE PID 2528 set thread context of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe -
Drops file in Program Files directory 4 IoCs
Processes:
Explorer.EXEnetsh.exedescription ioc process File created C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe netsh.exe File opened for modification C:\Program Files (x86)\Gofrp Explorer.EXE -
Processes:
netsh.exedescription ioc process Key created \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netsh.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
QUOTE PRICE.exenetsh.exepid process 3732 QUOTE PRICE.exe 3732 QUOTE PRICE.exe 3732 QUOTE PRICE.exe 3732 QUOTE PRICE.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3024 Explorer.EXE -
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
QUOTE PRICE.exenetsh.exepid process 3732 QUOTE PRICE.exe 3732 QUOTE PRICE.exe 3732 QUOTE PRICE.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe 2628 netsh.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
QUOTE PRICE.exenetsh.exeExplorer.EXE-zhyvyl3zix.exedescription pid process Token: SeDebugPrivilege 3732 QUOTE PRICE.exe Token: SeDebugPrivilege 2628 netsh.exe Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE Token: SeDebugPrivilege 3544 -zhyvyl3zix.exe Token: SeShutdownPrivilege 3024 Explorer.EXE Token: SeCreatePagefilePrivilege 3024 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3024 Explorer.EXE -
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
QUOTE PRICE.exeExplorer.EXEnetsh.exe-zhyvyl3zix.exedescription pid process target process PID 796 wrote to memory of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 796 wrote to memory of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 796 wrote to memory of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 796 wrote to memory of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 796 wrote to memory of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 796 wrote to memory of 3732 796 QUOTE PRICE.exe QUOTE PRICE.exe PID 3024 wrote to memory of 2628 3024 Explorer.EXE netsh.exe PID 3024 wrote to memory of 2628 3024 Explorer.EXE netsh.exe PID 3024 wrote to memory of 2628 3024 Explorer.EXE netsh.exe PID 2628 wrote to memory of 1020 2628 netsh.exe cmd.exe PID 2628 wrote to memory of 1020 2628 netsh.exe cmd.exe PID 2628 wrote to memory of 1020 2628 netsh.exe cmd.exe PID 2628 wrote to memory of 1164 2628 netsh.exe Firefox.exe PID 2628 wrote to memory of 1164 2628 netsh.exe Firefox.exe PID 3024 wrote to memory of 2528 3024 Explorer.EXE -zhyvyl3zix.exe PID 3024 wrote to memory of 2528 3024 Explorer.EXE -zhyvyl3zix.exe PID 3024 wrote to memory of 2528 3024 Explorer.EXE -zhyvyl3zix.exe PID 2628 wrote to memory of 1164 2628 netsh.exe Firefox.exe PID 2528 wrote to memory of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe PID 2528 wrote to memory of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe PID 2528 wrote to memory of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe PID 2528 wrote to memory of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe PID 2528 wrote to memory of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe PID 2528 wrote to memory of 3544 2528 -zhyvyl3zix.exe -zhyvyl3zix.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\autochk.exe"C:\Windows\SysWOW64\autochk.exe"2⤵
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\QUOTE PRICE.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe"C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe"C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exeMD5
3a35017603b428f692151484ad54ded0
SHA1ac071c363f33e2a28aaffc77e5a34642d8246fe0
SHA25645f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3
SHA5126a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d
-
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exeMD5
3a35017603b428f692151484ad54ded0
SHA1ac071c363f33e2a28aaffc77e5a34642d8246fe0
SHA25645f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3
SHA5126a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d
-
C:\Program Files (x86)\Gofrp\-zhyvyl3zix.exeMD5
3a35017603b428f692151484ad54ded0
SHA1ac071c363f33e2a28aaffc77e5a34642d8246fe0
SHA25645f5e2a682896ac3380522e26a0398b8112bafc42948666c9fecafa3dcab69e3
SHA5126a2c113565aca37d63de00cdd59354400e901bb731d35e53a42951463662374dec5dfb83d109f059b59733abaf3c0f2057a87c22f69b2d738af37b6f19409d8d
-
memory/796-123-0x0000000007B50000-0x0000000007B8A000-memory.dmpFilesize
232KB
-
memory/796-119-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/796-120-0x00000000052C0000-0x00000000052DD000-memory.dmpFilesize
116KB
-
memory/796-121-0x00000000078A0000-0x00000000078A1000-memory.dmpFilesize
4KB
-
memory/796-122-0x0000000007AE0000-0x0000000007B49000-memory.dmpFilesize
420KB
-
memory/796-114-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/796-118-0x00000000051B0000-0x0000000005242000-memory.dmpFilesize
584KB
-
memory/796-117-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/796-116-0x00000000057F0000-0x00000000057F1000-memory.dmpFilesize
4KB
-
memory/1020-130-0x0000000000000000-mapping.dmp
-
memory/1164-147-0x00007FF639090000-0x00007FF639123000-memory.dmpFilesize
588KB
-
memory/1164-148-0x000002E960250000-0x000002E9603CF000-memory.dmpFilesize
1.5MB
-
memory/1164-146-0x0000000000000000-mapping.dmp
-
memory/2528-136-0x0000000000000000-mapping.dmp
-
memory/2528-145-0x0000000005610000-0x0000000005B0E000-memory.dmpFilesize
5.0MB
-
memory/2628-131-0x0000000001600000-0x000000000161E000-memory.dmpFilesize
120KB
-
memory/2628-133-0x0000000003AE0000-0x0000000003E00000-memory.dmpFilesize
3.1MB
-
memory/2628-134-0x0000000003930000-0x00000000039C0000-memory.dmpFilesize
576KB
-
memory/2628-132-0x0000000001150000-0x0000000001179000-memory.dmpFilesize
164KB
-
memory/2628-129-0x0000000000000000-mapping.dmp
-
memory/3024-128-0x0000000005CB0000-0x0000000005DAC000-memory.dmpFilesize
1008KB
-
memory/3024-135-0x0000000005E30000-0x0000000005F43000-memory.dmpFilesize
1.1MB
-
memory/3544-153-0x000000000041D3D0-mapping.dmp
-
memory/3544-155-0x00000000016F0000-0x0000000001A10000-memory.dmpFilesize
3.1MB
-
memory/3732-127-0x00000000013B0000-0x000000000145E000-memory.dmpFilesize
696KB
-
memory/3732-126-0x0000000001920000-0x0000000001C40000-memory.dmpFilesize
3.1MB
-
memory/3732-125-0x000000000041D3D0-mapping.dmp
-
memory/3732-124-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB