Analysis
- max time kernel: 600s
- max time network: 601s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-09-2021 07:15
- Static task: static1
- Behavioral task: behavioral1
- Sample: truck pictures.exe
- Resource: win7-en-20210920
General
- Target: truck pictures.exe
- Size: 634KB
- MD5: 99ed5f72e5742e549a6ec78655fd3cfc
- SHA1: 31a4f6fc81c45e49f4787cebe622256fa74d8a06
- SHA256: 5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
- SHA512: 45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711
Malware Config
- Extracted: xloader 2.5
- cuig
- http://www.qtih.top/cuig/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload 4 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/1180-124-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/1180-125-0x000000000041D3F0-mapping.dmp: xloader
- behavioral2/memory/2788-133-0x0000000000D00000-0x0000000000D29000-memory.dmp: xloader
- behavioral2/memory/2496-155-0x000000000041D3F0-mapping.dmp: xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (netsh.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\BV105FWXX = "C:\\Program Files (x86)\\Vprhpufwx\\kz7pttp0vhzv.exe" (netsh.exe)
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 1304 kz7pttp0vhzv.exe
- 2496 kz7pttp0vhzv.exe
Suspicious use of SetThreadContext 5 IoCs
Processes (description, pid, process, target process):
- PID 3628 (truck pictures.exe) set thread context of 1180 (truck pictures.exe)
- PID 1180 (truck pictures.exe) set thread context of 3024 (Explorer.EXE)
- PID 1180 (truck pictures.exe) set thread context of 3024 (Explorer.EXE)
- PID 2788 (netsh.exe) set thread context of 3024 (Explorer.EXE)
- PID 1304 (kz7pttp0vhzv.exe) set thread context of 2496 (kz7pttp0vhzv.exe)
Drops file in Program Files directory 4 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe (Explorer.EXE)
- File opened for modification: C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe (netsh.exe)
- File opened for modification: C:\Program Files (x86)\Vprhpufwx (Explorer.EXE)
- File created: C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe (Explorer.EXE)
Modifies Internet Explorer settings 1 IoCs
Processes (description, ioc, process):
- Key created: \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (netsh.exe)
Modifies registry class 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance (Explorer.EXE)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance (Explorer.EXE)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process, occurrences):
- 3628 truck pictures.exe (7)
- 1180 truck pictures.exe (6)
- 2788 netsh.exe (51)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 8 IoCs
Processes (pid, process, occurrences):
- 1180 truck pictures.exe (4)
- 2788 netsh.exe (4)
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 3628 truck pictures.exe
- Token: SeDebugPrivilege, 1180 truck pictures.exe
- Token: SeShutdownPrivilege, 3024 Explorer.EXE (7 occurrences, interleaved with the SeCreatePagefilePrivilege entries below)
- Token: SeCreatePagefilePrivilege, 3024 Explorer.EXE (7 occurrences)
- Token: SeDebugPrivilege, 2788 netsh.exe
- Token: SeDebugPrivilege, 1304 kz7pttp0vhzv.exe
- Token: SeDebugPrivilege, 2496 kz7pttp0vhzv.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes (pid, process, occurrences):
- 3024 Explorer.EXE (4)
Suspicious use of UnmapMainImage 1 IoCs
Processes (pid, process):
- 3024 Explorer.EXE
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description, pid, process, target process, occurrences):
- PID 3628 (truck pictures.exe) wrote to memory of 1180 (truck pictures.exe) (6)
- PID 3024 (Explorer.EXE) wrote to memory of 2788 (netsh.exe) (3)
- PID 2788 (netsh.exe) wrote to memory of 3500 (cmd.exe) (3)
- PID 2788 (netsh.exe) wrote to memory of 3712 (Firefox.exe) (3)
- PID 3024 (Explorer.EXE) wrote to memory of 1304 (kz7pttp0vhzv.exe) (3)
- PID 1304 (kz7pttp0vhzv.exe) wrote to memory of 2496 (kz7pttp0vhzv.exe) (6)
Processes (nested by parent; the number is the depth in the tree)
- 1: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - 2: C:\Users\Admin\AppData\Local\Temp\truck pictures.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3: C:\Users\Admin\AppData\Local\Temp\truck pictures.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - 2: C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3: C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\truck pictures.exe"
    - 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  - 2: C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe
    command line: "C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3: C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe
      command line: "C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Program Files (x86)\Vprhpufwx\kz7pttp0vhzv.exe
  MD5: 99ed5f72e5742e549a6ec78655fd3cfc
  SHA1: 31a4f6fc81c45e49f4787cebe622256fa74d8a06
  SHA256: 5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
  SHA512: 45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711
Memory dumps (path, filesize; mapping dumps have no size):
- memory/1180-127-0x0000000001790000-0x00000000017A1000-memory.dmp: 68KB
- memory/1180-129-0x0000000003190000-0x00000000031A1000-memory.dmp: 68KB
- memory/1180-124-0x0000000000400000-0x0000000000429000-memory.dmp: 164KB
- memory/1180-125-0x000000000041D3F0-mapping.dmp
- memory/1180-126-0x0000000001420000-0x0000000001740000-memory.dmp: 3.1MB
- memory/1304-148-0x00000000054C0000-0x00000000059BE000-memory.dmp: 5.0MB
- memory/1304-138-0x0000000000000000-mapping.dmp
- memory/2496-157-0x0000000001830000-0x0000000001B50000-memory.dmp: 3.1MB
- memory/2496-155-0x000000000041D3F0-mapping.dmp
- memory/2788-131-0x0000000000000000-mapping.dmp
- memory/2788-136-0x00000000033C0000-0x0000000003450000-memory.dmp: 576KB
- memory/2788-133-0x0000000000D00000-0x0000000000D29000-memory.dmp: 164KB
- memory/2788-132-0x0000000001080000-0x000000000109E000-memory.dmp: 120KB
- memory/2788-135-0x00000000030A0000-0x00000000033C0000-memory.dmp: 3.1MB
- memory/3024-128-0x0000000005240000-0x0000000005361000-memory.dmp: 1.1MB
- memory/3024-130-0x0000000005370000-0x000000000543A000-memory.dmp: 808KB
- memory/3024-137-0x0000000006050000-0x0000000006132000-memory.dmp: 904KB
- memory/3500-134-0x0000000000000000-mapping.dmp
- memory/3628-122-0x00000000057C0000-0x0000000005820000-memory.dmp: 384KB
- memory/3628-114-0x00000000001E0000-0x00000000001E1000-memory.dmp: 4KB
- memory/3628-123-0x0000000007D00000-0x0000000007D2B000-memory.dmp: 172KB
- memory/3628-121-0x0000000004D90000-0x0000000004D91000-memory.dmp: 4KB
- memory/3628-120-0x0000000004CD0000-0x0000000004CD7000-memory.dmp: 28KB
- memory/3628-119-0x0000000004C30000-0x0000000004C31000-memory.dmp: 4KB
- memory/3628-118-0x0000000004A50000-0x0000000004AE2000-memory.dmp: 584KB
- memory/3628-117-0x0000000004B60000-0x0000000004B61000-memory.dmp: 4KB
- memory/3628-116-0x0000000005060000-0x0000000005061000-memory.dmp: 4KB
- memory/3712-149-0x0000000000000000-mapping.dmp
- memory/3712-151-0x0000024337840000-0x00000243378EA000-memory.dmp: 680KB
- memory/3712-150-0x00007FF758630000-0x00007FF7586C3000-memory.dmp: 588KB