Analysis
-
max time kernel
598s -
max time network
601s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27-09-2021 04:46
Static task
static1
Behavioral task
behavioral1
Sample
bank swift scan pdf....exe
Resource
win7v20210408
General
-
Target
bank swift scan pdf....exe
-
Size
323KB
-
MD5
6308a0ee4b50deb37f6f6a6205d5b2d6
-
SHA1
0a0f239995f1be45263bc2c96440cfd3dd751cc9
-
SHA256
f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161
-
SHA512
96dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc
Malware Config
Extracted
xloader
2.4
di4c
http://www.dropadsmedia.com/di4c/
oscd.store
simplyminiatures.com
famouslovebackbaba.com
turkesteronesupplement.com
most-attractive.com
le-thermoplongeur.com
joydeb.xyz
incomepanther.com
infoterkiinii.xyz
indigocard.website
plasthecnolgy.com
canmamap.com
aviationtrainingworldusa.com
successoffplan.com
desert-breeze.com
nilavarna.com
stanthonyswelfare.com
shezefy.com
shcq08.xyz
spencerpauley.com
breakfastatbrittanys.com
workspace-mex.com
litteratorum.com
illstitute.com
framed-speed.com
buyandsellwithalec.com
xwdnawbx.xyz
mickyyoung.com
bandiu.xyz
planft.store
imaginalworks.com
lid-gb.xyz
ahgongs.com
carrirbuilder.com
neuro-ai-web-online.club
booparade.com
sketchfujitah.online
bayboatnation.com
ink2words.com
modernsolarusa.com
camuci.com
dentonlifetimedentistry.com
1ajpwvkk.icu
hangcheng56.com
suvenifa.com
spacetech-sa.com
emotionevents.xyz
momskitchenassam.com
imyandme.com
premiercattledrenches.com
procard.one
quiestcevin.com
blastofftv.xyz
live2leadinfo.com
jaalifetrx.space
weste-store.store
liquidmelon.restaurant
gjz863.icu
prince-info.com
islandsingle.com
shelazofficial.com
awhjguduahjfsd.com
notariuspublicus24.com
navneetsharma.xyz
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1040-63-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral1/memory/1028-70-0x00000000000D0000-0x00000000000F9000-memory.dmp xloader -
Executes dropped EXE 2 IoCs
Processes:
audiodgaz7.exeaudiodgaz7.exepid process 996 audiodgaz7.exe 1716 audiodgaz7.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1616 cmd.exe -
Loads dropped DLL 3 IoCs
Processes:
bank swift scan pdf....exeaudiodgaz7.exepid process 1304 bank swift scan pdf....exe 996 audiodgaz7.exe 996 audiodgaz7.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
chkdsk.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K4XDLDWH54F = "C:\\Program Files (x86)\\Fwnuxv4rh\\audiodgaz7.exe" chkdsk.exe Key created \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run chkdsk.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
bank swift scan pdf....exebank swift scan pdf....exechkdsk.exeaudiodgaz7.exedescription pid process target process PID 1304 set thread context of 1040 1304 bank swift scan pdf....exe bank swift scan pdf....exe PID 1040 set thread context of 1196 1040 bank swift scan pdf....exe Explorer.EXE PID 1028 set thread context of 1196 1028 chkdsk.exe Explorer.EXE PID 996 set thread context of 1716 996 audiodgaz7.exe audiodgaz7.exe -
Drops file in Program Files directory 2 IoCs
Processes:
Explorer.EXEchkdsk.exedescription ioc process File created C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe chkdsk.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 8 IoCs
Processes:
resource yara_rule C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_1 C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_2 C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_1 C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_2 \Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_1 \Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_2 C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_1 C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe nsis_installer_2 -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
chkdsk.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe -
Processes:
chkdsk.exedescription ioc process Key created \Registry\User\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 chkdsk.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
bank swift scan pdf....exechkdsk.exeaudiodgaz7.exepid process 1040 bank swift scan pdf....exe 1040 bank swift scan pdf....exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1716 audiodgaz7.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE -
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
bank swift scan pdf....exebank swift scan pdf....exechkdsk.exeaudiodgaz7.exepid process 1304 bank swift scan pdf....exe 1040 bank swift scan pdf....exe 1040 bank swift scan pdf....exe 1040 bank swift scan pdf....exe 1028 chkdsk.exe 1028 chkdsk.exe 1028 chkdsk.exe 996 audiodgaz7.exe 1028 chkdsk.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
bank swift scan pdf....exechkdsk.exeaudiodgaz7.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1040 bank swift scan pdf....exe Token: SeDebugPrivilege 1028 chkdsk.exe Token: SeDebugPrivilege 1716 audiodgaz7.exe Token: SeShutdownPrivilege 1196 Explorer.EXE Token: SeShutdownPrivilege 1196 Explorer.EXE -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
Explorer.EXEpid process 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE 1196 Explorer.EXE -
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
bank swift scan pdf....exeExplorer.EXEchkdsk.exeaudiodgaz7.exedescription pid process target process PID 1304 wrote to memory of 1040 1304 bank swift scan pdf....exe bank swift scan pdf....exe PID 1304 wrote to memory of 1040 1304 bank swift scan pdf....exe bank swift scan pdf....exe PID 1304 wrote to memory of 1040 1304 bank swift scan pdf....exe bank swift scan pdf....exe PID 1304 wrote to memory of 1040 1304 bank swift scan pdf....exe bank swift scan pdf....exe PID 1304 wrote to memory of 1040 1304 bank swift scan pdf....exe bank swift scan pdf....exe PID 1196 wrote to memory of 1028 1196 Explorer.EXE chkdsk.exe PID 1196 wrote to memory of 1028 1196 Explorer.EXE chkdsk.exe PID 1196 wrote to memory of 1028 1196 Explorer.EXE chkdsk.exe PID 1196 wrote to memory of 1028 1196 Explorer.EXE chkdsk.exe PID 1028 wrote to memory of 1616 1028 chkdsk.exe cmd.exe PID 1028 wrote to memory of 1616 1028 chkdsk.exe cmd.exe PID 1028 wrote to memory of 1616 1028 chkdsk.exe cmd.exe PID 1028 wrote to memory of 1616 1028 chkdsk.exe cmd.exe PID 1028 wrote to memory of 784 1028 chkdsk.exe Firefox.exe PID 1028 wrote to memory of 784 1028 chkdsk.exe Firefox.exe PID 1028 wrote to memory of 784 1028 chkdsk.exe Firefox.exe PID 1028 wrote to memory of 784 1028 chkdsk.exe Firefox.exe PID 1196 wrote to memory of 996 1196 Explorer.EXE audiodgaz7.exe PID 1196 wrote to memory of 996 1196 Explorer.EXE audiodgaz7.exe PID 1196 wrote to memory of 996 1196 Explorer.EXE audiodgaz7.exe PID 1196 wrote to memory of 996 1196 Explorer.EXE audiodgaz7.exe PID 996 wrote to memory of 1716 996 audiodgaz7.exe audiodgaz7.exe PID 996 wrote to memory of 1716 996 audiodgaz7.exe audiodgaz7.exe PID 996 wrote to memory of 1716 996 audiodgaz7.exe audiodgaz7.exe PID 996 wrote to memory of 1716 996 audiodgaz7.exe audiodgaz7.exe PID 996 wrote to memory of 1716 996 audiodgaz7.exe audiodgaz7.exe PID 1028 wrote to memory of 784 1028 chkdsk.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\chkdsk.exe"C:\Windows\SysWOW64\chkdsk.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\bank swift scan pdf....exe"3⤵
- Deletes itself
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe"C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe"C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exeMD5
6308a0ee4b50deb37f6f6a6205d5b2d6
SHA10a0f239995f1be45263bc2c96440cfd3dd751cc9
SHA256f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161
SHA51296dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc
-
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exeMD5
6308a0ee4b50deb37f6f6a6205d5b2d6
SHA10a0f239995f1be45263bc2c96440cfd3dd751cc9
SHA256f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161
SHA51296dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc
-
C:\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exeMD5
6308a0ee4b50deb37f6f6a6205d5b2d6
SHA10a0f239995f1be45263bc2c96440cfd3dd751cc9
SHA256f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161
SHA51296dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc
-
C:\Users\Admin\AppData\Local\Temp\guh0enx88idzpfgMD5
18ca13a9fd7e368e0d52cc8818837849
SHA182d71db26417db8d604fc8e627d900869cfd90a3
SHA25651202e8200d2369f29ff0078a6ff489b1aac07f7855387afcd7aca322808a377
SHA512e93be6a911f730dc43b2796c9ea85149e259a2f771c92d4504f3893d33d34c25e371ee985f4af765520ae69ae2aa556d9fe3040371ea2b1ed9c8317ef1cae7a9
-
\Program Files (x86)\Fwnuxv4rh\audiodgaz7.exeMD5
6308a0ee4b50deb37f6f6a6205d5b2d6
SHA10a0f239995f1be45263bc2c96440cfd3dd751cc9
SHA256f3296e298b22250cb64e01c5e737c924410ea4489867b61758a5e0906f3d1161
SHA51296dc213ec553ac61eeda230e74515443f9a7d708f73a6bfa4bf02b33ef7519a41f584ceb6c1db903dd8e0237444f19d33c0e513f785fbfeb5c0a822c2f3d78cc
-
\Users\Admin\AppData\Local\Temp\nsf4402.tmp\fplpyn.dllMD5
c86ab83feeeb519425ab355b5dfac558
SHA1a73a950c1d7e9e93c61d5e1ae9f728191a73aa70
SHA2563f72aec204fa837e016d24ea563309d3814ead06fa8a4c2d651066f46cb85b37
SHA512ef6c81291b1b5a9e27dc0485b1e3c926efabd56141d67ec9873ee68628e4dfa536ddc30798a6bc9dfa6e1a66637ab1c6cac4ac9a84c134b721774a45994c89a5
-
\Users\Admin\AppData\Local\Temp\nsm7723.tmp\fplpyn.dllMD5
c86ab83feeeb519425ab355b5dfac558
SHA1a73a950c1d7e9e93c61d5e1ae9f728191a73aa70
SHA2563f72aec204fa837e016d24ea563309d3814ead06fa8a4c2d651066f46cb85b37
SHA512ef6c81291b1b5a9e27dc0485b1e3c926efabd56141d67ec9873ee68628e4dfa536ddc30798a6bc9dfa6e1a66637ab1c6cac4ac9a84c134b721774a45994c89a5
-
memory/784-88-0x0000000000060000-0x0000000000144000-memory.dmpFilesize
912KB
-
memory/784-87-0x000000013FDB0000-0x000000013FE43000-memory.dmpFilesize
588KB
-
memory/784-86-0x0000000000000000-mapping.dmp
-
memory/996-76-0x0000000000000000-mapping.dmp
-
memory/1028-72-0x00000000004C0000-0x0000000000550000-memory.dmpFilesize
576KB
-
memory/1028-71-0x0000000002090000-0x0000000002393000-memory.dmpFilesize
3.0MB
-
memory/1028-70-0x00000000000D0000-0x00000000000F9000-memory.dmpFilesize
164KB
-
memory/1028-69-0x0000000000560000-0x0000000000567000-memory.dmpFilesize
28KB
-
memory/1028-67-0x0000000000000000-mapping.dmp
-
memory/1040-64-0x0000000000970000-0x0000000000C73000-memory.dmpFilesize
3.0MB
-
memory/1040-62-0x000000000041D4B0-mapping.dmp
-
memory/1040-65-0x00000000003D0000-0x00000000003E1000-memory.dmpFilesize
68KB
-
memory/1040-63-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/1196-73-0x0000000004280000-0x0000000004341000-memory.dmpFilesize
772KB
-
memory/1196-74-0x0000000003A30000-0x0000000003A40000-memory.dmpFilesize
64KB
-
memory/1196-66-0x0000000006D20000-0x0000000006E11000-memory.dmpFilesize
964KB
-
memory/1304-60-0x0000000075AD1000-0x0000000075AD3000-memory.dmpFilesize
8KB
-
memory/1616-68-0x0000000000000000-mapping.dmp
-
memory/1716-85-0x0000000000770000-0x0000000000A73000-memory.dmpFilesize
3.0MB
-
memory/1716-83-0x000000000041D4B0-mapping.dmp