Analysis

max time kernel: 150s
max time network: 160s
platform: windows10_x64
resource: win10v20210408
submitted: 27-09-2021 20:06

Static task: static1
Behavioral task: behavioral1
Sample: E20210917ML-RFQ.exe
Resource: win7v20210408
General

Target: E20210917ML-RFQ.exe
Size: 631KB
MD5: 4bb97838f22e7d33122a38105b252b9e
SHA1: 770a4807a1e32a8fbb765e3540d54c30bdd5c131
SHA256: c507c6ca8c3d71feb2af8d83136736bd2407fef4a26c9e681426be5501d4742c
SHA512: fd23aa8b75501d5a09fcb6c8c4ac2bc7406e0a73a7dc0215b3a1de8a4a31a418bee21fc750335c9de4652e62a7a9a4a409bf110d9a1bc49df9318ab38ba08cb5
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: a6er
C2: http://www.revivalgomghw.xyz/a6er/
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/912-124-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/912-125-0x000000000041D430-mapping.dmp | xloader
behavioral2/memory/1056-132-0x0000000003200000-0x0000000003229000-memory.dmp | xloader
Suspicious use of SetThreadContext (3 IoCs)
Processes: E20210917ML-RFQ.exe, E20210917ML-RFQ.exe, cmstp.exe
description | pid | process | target process
PID 580 set thread context of 912 | 580 | E20210917ML-RFQ.exe | E20210917ML-RFQ.exe
PID 912 set thread context of 2224 | 912 | E20210917ML-RFQ.exe | Explorer.EXE
PID 1056 set thread context of 2224 | 1056 | cmstp.exe | Explorer.EXE
Modifies registry class (2 IoCs)
Processes: Explorer.EXE
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (48 IoCs)
Processes: E20210917ML-RFQ.exe, cmstp.exe
pid | process | events
912 | E20210917ML-RFQ.exe | 4
1056 | cmstp.exe | 44
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Explorer.EXE
pid | process
2224 | Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: E20210917ML-RFQ.exe, cmstp.exe
pid | process | events
912 | E20210917ML-RFQ.exe | 3
1056 | cmstp.exe | 2
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes: E20210917ML-RFQ.exe, cmstp.exe, Explorer.EXE
description | pid | process | events
Token: SeDebugPrivilege | 912 | E20210917ML-RFQ.exe | 1
Token: SeDebugPrivilege | 1056 | cmstp.exe | 1
Token: SeShutdownPrivilege | 2224 | Explorer.EXE | 11
Token: SeCreatePagefilePrivilege | 2224 | Explorer.EXE | 11
Suspicious use of FindShellTrayWindow (10 IoCs)
Processes: Explorer.EXE
pid | process | events
2224 | Explorer.EXE | 10
Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
pid | process | events
2224 | Explorer.EXE | 2
Suspicious use of UnmapMainImage (1 IoC)
Processes: Explorer.EXE
pid | process
2224 | Explorer.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: E20210917ML-RFQ.exe, Explorer.EXE, cmstp.exe
description | pid | process | target process | events
PID 580 wrote to memory of 912 | 580 | E20210917ML-RFQ.exe | E20210917ML-RFQ.exe | 6
PID 2224 wrote to memory of 1056 | 2224 | Explorer.EXE | cmstp.exe | 3
PID 1056 wrote to memory of 1292 | 1056 | cmstp.exe | cmd.exe | 3
Processes

C:\Windows\Explorer.EXE (PID 2224)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\E20210917ML-RFQ.exe (PID 580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\E20210917ML-RFQ.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\E20210917ML-RFQ.exe (PID 912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\E20210917ML-RFQ.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe (PID 1056)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 1292)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\E20210917ML-RFQ.exe"
Downloads

file | Filesize
memory/580-114-0x0000000000120000-0x0000000000121000-memory.dmp | 4KB
memory/580-116-0x0000000004EE0000-0x0000000004EE1000-memory.dmp | 4KB
memory/580-117-0x0000000004A80000-0x0000000004A81000-memory.dmp | 4KB
memory/580-118-0x0000000004A30000-0x0000000004A31000-memory.dmp | 4KB
memory/580-119-0x0000000007F20000-0x0000000007F21000-memory.dmp | 4KB
memory/580-120-0x00000000049A0000-0x00000000049A1000-memory.dmp | 4KB
memory/580-121-0x0000000004E60000-0x0000000004E67000-memory.dmp | 28KB
memory/580-122-0x00000000083E0000-0x000000000843F000-memory.dmp | 380KB
memory/580-123-0x0000000008450000-0x000000000847F000-memory.dmp | 188KB
memory/912-125-0x000000000041D430-mapping.dmp | (not given)
memory/912-124-0x0000000000400000-0x0000000000429000-memory.dmp | 164KB
memory/912-126-0x0000000001270000-0x0000000001590000-memory.dmp | 3.1MB
memory/912-127-0x0000000000E00000-0x0000000000F4A000-memory.dmp | 1.3MB
memory/1056-129-0x0000000000000000-mapping.dmp | (not given)
memory/1056-132-0x0000000003200000-0x0000000003229000-memory.dmp | 164KB
memory/1056-131-0x0000000000140000-0x0000000000156000-memory.dmp | 88KB
memory/1056-133-0x00000000047B0000-0x0000000004AD0000-memory.dmp | 3.1MB
memory/1056-134-0x0000000004B60000-0x0000000004BF0000-memory.dmp | 576KB
memory/1292-130-0x0000000000000000-mapping.dmp | (not given)
memory/2224-128-0x0000000005120000-0x000000000525B000-memory.dmp | 1.2MB
memory/2224-135-0x0000000006320000-0x0000000006435000-memory.dmp | 1.1MB