Analysis
- max time kernel: 418s
- max time network: 451s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-09-2021 11:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: B1o.exe
- Resource: win7v20210408
General
- Target: B1o.exe
- Size: 614KB
- MD5: 5e3dc4e700d55cb8232bdbeade8ca8ad
- SHA1: 8a4c46e292dafb7db736c03f784a997b6dece9aa
- SHA256: 00aa65bb6c94d28f04933ebc90a56bf75d62ac3cd246afa1ef60d671a40ee978
- SHA512: 6b1d6e010c303ea7663f33d82255eea9f0c0c2b941301788b3e811138c1f08021b922e4a63426b2f3deb00d5b36e4d2eed3ea640a7562998836b87e2bfa02cf9
Malware Config
Extracted
- Family: xloader
- Version: 2.3
- Campaign: chg
- C2: http://www.chiaketo.com/chg/
Signatures
Xloader Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral1/memory/1400-62-0x0000000000400000-0x0000000000428000-memory.dmp: xloader
- behavioral1/memory/1400-64-0x000000000041D030-mapping.dmp: xloader
- behavioral1/memory/1656-70-0x0000000000080000-0x00000000000A8000-memory.dmp: xloader
Blocklisted process makes network request 10 IoCs
Processes (flow, pid, process):
- 18 1656 cmd.exe
- 22 1656 cmd.exe
- 29 1656 cmd.exe
- 30 1656 cmd.exe
- 52 1656 cmd.exe
- 55 1656 cmd.exe
- 56 1656 cmd.exe
- 71 1656 cmd.exe
- 73 1656 cmd.exe
- 74 1656 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description, ioc, process):
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yjvkalu = "C:\\Users\\Public\\Libraries\\ulakvjY.url" (B1o.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 1652 set thread context of 1400: B1o.exe -> B1o.exe
- PID 1400 set thread context of 1208: B1o.exe -> Explorer.EXE
- PID 1656 set thread context of 1208: cmd.exe -> Explorer.EXE
Modifies Internet Explorer settings
Processes (description, ioc, process):
- Key created: \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmd.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
- 1400 B1o.exe (2 entries)
- 1656 cmd.exe (62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 1208 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (pid, process):
- 1400 B1o.exe (3 entries)
- 1656 cmd.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1400 B1o.exe
- Token: SeDebugPrivilege, 1656 cmd.exe
- Token: SeShutdownPrivilege, 1208 Explorer.EXE
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid, process):
- 1208 Explorer.EXE (4 entries)
Suspicious use of SendNotifyMessage 4 IoCs
Processes (pid, process):
- 1208 Explorer.EXE (4 entries)
Suspicious use of WriteProcessMemory 16 IoCs
Processes (description, pid, process, target process):
- PID 1652 wrote to memory of 1400: B1o.exe -> B1o.exe (7 entries)
- PID 1208 wrote to memory of 1656: Explorer.EXE -> cmd.exe (4 entries)
- PID 1656 wrote to memory of 1256: cmd.exe -> Firefox.exe (5 entries)
Processes
Process tree (the number in brackets is the depth; image path, then command line):
- [1] C:\Windows\Explorer.EXE ("C:\Windows\Explorer.EXE")
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\B1o.exe ("C:\Users\Admin\AppData\Local\Temp\B1o.exe")
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\B1o.exe ("C:\Users\Admin\AppData\Local\Temp\B1o.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\cmd.exe ("C:\Windows\SysWOW64\cmd.exe")
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe ("C:\Program Files\Mozilla Firefox\Firefox.exe")
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1208-67-0x0000000007340000-0x00000000074B7000-memory.dmp (1.5MB)
- memory/1208-73-0x00000000074C0000-0x00000000075EF000-memory.dmp (1.2MB)
- memory/1256-77-0x00000000023F0000-0x0000000002542000-memory.dmp (1.3MB)
- memory/1256-76-0x000000013F650000-0x000000013F6E3000-memory.dmp (588KB)
- memory/1256-75-0x0000000000000000-mapping.dmp
- memory/1400-65-0x0000000000700000-0x0000000000A03000-memory.dmp (3.0MB)
- memory/1400-66-0x0000000000290000-0x00000000002A0000-memory.dmp (64KB)
- memory/1400-64-0x000000000041D030-mapping.dmp
- memory/1400-62-0x0000000000400000-0x0000000000428000-memory.dmp (160KB)
- memory/1652-60-0x00000000002A0000-0x00000000002A1000-memory.dmp (4KB)
- memory/1652-61-0x0000000076641000-0x0000000076643000-memory.dmp (8KB)
- memory/1656-68-0x0000000000000000-mapping.dmp
- memory/1656-69-0x000000004ACB0000-0x000000004ACFC000-memory.dmp (304KB)
- memory/1656-70-0x0000000000080000-0x00000000000A8000-memory.dmp (160KB)
- memory/1656-71-0x00000000020A0000-0x00000000023A3000-memory.dmp (3.0MB)
- memory/1656-72-0x0000000001DD0000-0x0000000001E5F000-memory.dmp (572KB)