Analysis
  max time kernel:  152s
  max time network: 153s
  platform:         windows10_x64
  resource:         win10v20210408
  submitted:        28-09-2021 05:56

Static task:     static1
Behavioral task: behavioral1
  Sample:   PRICE_REQUEST_QUOTATION.exe
  Resource: win7-en-20210920
General
  Target: PRICE_REQUEST_QUOTATION.exe
  Size:   260KB
  MD5:    85589170af713a03ca622f94429c634a
  SHA1:   4e0b9dfd13dd6e4b85bca4352be0cec2be9024d7
  SHA256: dae6ba220bb0a34de731b57965753391343bfe96f9f3fa4fea48102d3377ccf7
  SHA512: 1379d1dbed880c664d7314018e676970afd192a423e6144f3bac6b15e5f89fb4bc245adbe462046ccfb6692e0054be18b459bc2757e60d700c03758232682dd9
Malware Config
Extracted
  Family:   xloader
  Version:  2.5
  Campaign: rgoe
  C2:       http://www.nudesalon.digital/rgoe/
  Domains (the configured C2 plus the decoy list; the check-in path is the campaign ID, /rgoe/):
iamstevekelsey.com
homesofchaparralcountryclub.com
voiceyupcom.com
searchengineeye.com
charsantosart.com
baila.madrid
yota.store
halloweenbaldhills.net
futurodr.com
centercodebase.com
666b20.xyz
4-6-2.com
gspotworld.com
rbb78.com
1kingbet.com
hzhongon.com
dossierinc.com
sustainablefoodfactory.com
golfsol.art
socialenterprisestudio.com
sec-app.pro
mrcsclass.com
apseymarine.com
restate.club
thenewtocsin.com
mingwotech.com
llesman.com
limiteditionft.com
ff4c3dgsp.xyz
travuleaf.com
whatsaauction.com
iktbn-c01.com
dpcqkw.xyz
mahoyaku-exhibition.com
bimcell-tlyuklemezamani.com
thejegroupllc.com
limponomefacil.com
bordandoartes.com
parsvivid.com
lowkeymastery.com
missionsafegame.com
estanciasanpablo.online
overlandshare.com
thevillageplumbers.com
newhollandpurpose.com
eastmillnorthandover.com
patrickandmaxine.com
appleluis.host
immerseinagro.com
vapkey.net
babeshotnud.com
rap8b55d.com
afro-occidentstyle.com
shahjahantravel.com
toptaxxi.store
adronesview.com
kinesio-leman.com
teelandcompany.com
bycracky.com
sehatbersama.store
snackithalal.com
nailsestetic.space
vanmetrecco.com
pondokbali.store
Signatures
  - suricata: ET MALWARE FormBook CnC Checkin (GET)
  - suricata: ET MALWARE FormBook CnC Checkin (GET)
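The Suricata hits above fire on the FormBook/XLoader check-in, and the extracted config gives the two pieces a hunt needs: the campaign path (/rgoe/) and the set of domains the bot rotates through. The following is an added example, not part of the sandbox report, showing how to turn that config into a proxy-log sweep. The log format, client addresses and timestamps are constructed for the example; the domain set is a subset of the 64 listed above (paste the full list in for real use); function names are the author's own. The list mixes the real C2 with decoys, some of which may be legitimate sites, so a hit on a host alone is treated as weak evidence and only a request under the campaign path counts as a check-in.

```python
import re
from urllib.parse import urlsplit

# Values taken from the extracted config above. CONFIG_DOMAINS is a subset of
# the 64 domains on the page; the full list belongs here in real use.
CAMPAIGN = "rgoe"
C2_URL = "http://www.nudesalon.digital/rgoe/"
CONFIG_DOMAINS = {
    "nudesalon.digital",
    "iamstevekelsey.com",
    "homesofchaparralcountryclub.com",
    "voiceyupcom.com",
    "searchengineeye.com",
    "pondokbali.store",
}

# Constructed proxy log lines (not from the report) in a simple
# "epoch client method url status" layout.
SAMPLE_LOG = """\
1632808600.101 10.0.0.15 GET http://www.nudesalon.digital/rgoe/?Qv=abc123 404
1632808601.233 10.0.0.15 GET http://iamstevekelsey.com/rgoe/?Qv=abc123 200
1632808602.500 10.0.0.15 POST http://searchengineeye.com/rgoe/ 200
1632808603.010 10.0.0.22 GET http://iamstevekelsey.com/ 200
1632808604.777 10.0.0.15 GET http://example.com/rgoe/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalise_host(host: str) -> str:
    """Lower-case, drop any port and a leading 'www.' so config and log hosts compare equal."""
    host = host.lower().split(":", 1)[0]
    return host[4:] if host.startswith("www.") else host


def classify(line: str):
    """Return None for lines that do not touch a config domain, otherwise a
    ('checkin' | 'domain-only', client, host, method) tuple. 'checkin' requires
    the request path to sit under the campaign path, which is the discriminator
    the page's C2 URL shows; a bare hit on a decoy domain is 'domain-only'."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    host = normalise_host(parts.hostname or "")
    if host not in CONFIG_DOMAINS:
        return None
    path = parts.path if parts.path.endswith("/") else parts.path + "/"
    kind = "checkin" if path.startswith(f"/{CAMPAIGN}/") else "domain-only"
    return (kind, m["client"], host, m["method"])


def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


def infected_clients(hits):
    """Clients that produced at least one campaign-path check-in."""
    return {client for kind, client, _, _ in hits if kind == "checkin"}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("check-in sources:", infected_clients(scan(SAMPLE_LOG)))
```

The host normalisation matters because the config stores bare domains while the C2 URL and real traffic carry a www. prefix; without it the first sample line would be missed. Swap the regular expression for your proxy's field layout and feed the full 64-domain list and the same logic applies unchanged.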
Xloader Payload (3 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/1212-115-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral2/memory/1212-116-0x000000000041D470-mapping.dmp                      xloader
  behavioral2/memory/1340-123-0x0000000000630000-0x0000000000659000-memory.dmp    xloader
Loads dropped DLL (1 IoC)
  pid   process
  856   PRICE_REQUEST_QUOTATION.exe
Suspicious use of SetThreadContext (3 IoCs)
  description                             pid    process                        target process
  PID 856 set thread context of 1212      856    PRICE_REQUEST_QUOTATION.exe    PRICE_REQUEST_QUOTATION.exe
  PID 1212 set thread context of 2740     1212   PRICE_REQUEST_QUOTATION.exe    Explorer.EXE
  PID 1340 set thread context of 2740     1340   explorer.exe                   Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature adds "likely ransomware behaviour", but the sample here is classified as XLoader, an information stealer, so read the drive enumeration as reconnaissance rather than as a sign of file encryption.
Modifies registry class (2 IoCs)
  ioc                                                                                                                              process
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance                              Explorer.EXE
  Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance   Explorer.EXE
Suspicious behavior: EnumeratesProcesses (60 IoCs)
  pid    process
  1212   PRICE_REQUEST_QUOTATION.exe   (4 entries)
  1340   explorer.exe                  (remaining 56 entries, per the 60-IoC total)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    process
  2740   Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process
  1212   PRICE_REQUEST_QUOTATION.exe   (3 entries)
  1340   explorer.exe                  (2 entries)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  description                            pid    process
  Token: SeDebugPrivilege                1212   PRICE_REQUEST_QUOTATION.exe
  Token: SeDebugPrivilege                1340   explorer.exe
  Token: SeShutdownPrivilege             2740   Explorer.EXE   (5 entries)
  Token: SeCreatePagefilePrivilege       2740   Explorer.EXE   (5 entries)
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid    process
  2740   Explorer.EXE   (4 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid    process                        target process
  PID 856 wrote to memory of 1212    856    PRICE_REQUEST_QUOTATION.exe    PRICE_REQUEST_QUOTATION.exe   (6 entries)
  PID 2740 wrote to memory of 1340   2740   Explorer.EXE                   explorer.exe                  (3 entries)
  PID 1340 wrote to memory of 1532   1340   explorer.exe                   cmd.exe                       (3 entries)
Processes
  [1] C:\Windows\Explorer.EXE
      cmdline: C:\Windows\Explorer.EXE
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
      [2] C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [3] C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken
      [2] C:\Windows\SysWOW64\explorer.exe
          cmdline: "C:\Windows\SysWOW64\explorer.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [3] C:\Windows\SysWOW64\cmd.exe
              cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"

  Bracketed numbers are the tree depth from the original report. Read together with the SetThreadContext and WriteProcessMemory tables above, the chain is: the dropper (PID 856) hollows a second copy of itself (1212); that copy injects into the shell Explorer.EXE (2740); Explorer then spawns a 32-bit explorer.exe (1340), which re-injects into the shell and finally launches cmd.exe (1532) to delete the original sample file from disk.
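The process tree and the two injection tables above describe one chain: self-hollowing, injection into the shell, and a cmd.exe cleanup of the original file. The following is an added example, not part of the sandbox report, that encodes those events as data and runs three checks a detection engineer would write for this pattern. PIDs, images and command lines are copied from the report; parent PIDs are inferred from the tree nesting and the WriteProcessMemory rows; the function names and the event layout are the author's own and are not any vendor's telemetry schema.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PRICE_REQUEST_QUOTATION.exe"
SHELL = r"C:\Windows\Explorer.EXE"

# Process records as reported on this page. ppid values are inferred from the
# tree depth and from which process wrote to which (WriteProcessMemory table).
PROCS = {
    2740: Proc(2740, 0, SHELL, SHELL),
    856: Proc(856, 2740, SAMPLE, f'"{SAMPLE}"'),
    1212: Proc(1212, 856, SAMPLE, f'"{SAMPLE}"'),
    1340: Proc(1340, 2740, r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\SysWOW64\explorer.exe"'),
    1532: Proc(1532, 1340, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
}

# (source pid, target pid) from the SetThreadContext table.
SET_THREAD_CONTEXT = [(856, 1212), (1212, 2740), (1340, 2740)]

DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def same_image_injection(procs, edges):
    """Parent sets the thread context of its own child that runs the identical
    image: the hollowed sacrificial copy seen at 856 -> 1212."""
    return [
        (s, t) for s, t in edges
        if procs[t].ppid == s and procs[t].image.lower() == procs[s].image.lower()
    ]


def shell_injection(procs, edges):
    """Any process whose image is not the desktop shell itself setting thread
    context on the shell. The SysWOW64 explorer.exe has a different image path,
    so it is caught as well."""
    return [
        (s, t) for s, t in edges
        if procs[t].image.lower() == SHELL.lower() and procs[s].image.lower() != SHELL.lower()
    ]


def self_delete(procs, edges):
    """cmd.exe /c del <path> where <path> is the image of a process that took
    part in injection: the dropper erasing itself after the payload migrated."""
    injector_images = {procs[s].image.lower() for s, _ in edges}
    hits = []
    for p in procs.values():
        if not p.image.lower().endswith(r"\cmd.exe"):
            continue
        m = DEL_RE.search(p.cmdline)
        if m and m["path"].lower() in injector_images:
            hits.append((p.ppid, p.pid, m["path"]))
    return hits


def chain_findings(procs, edges):
    """Bundle the three checks; an XLoader-style run trips all three."""
    return {
        "self_hollowing": same_image_injection(procs, edges),
        "shell_injection": shell_injection(procs, edges),
        "self_delete": self_delete(procs, edges),
    }


if __name__ == "__main__":
    for name, hits in chain_findings(PROCS, SET_THREAD_CONTEXT).items():
        print(f"{name}: {hits}")
```

Each check is deliberately narrow enough to be low-noise on its own: legitimate software rarely hollows a copy of itself, almost nothing outside Explorer writes thread context into the shell, and a cmd.exe deleting the very file that just performed injection is the cleanup step rather than routine housekeeping. Seeing all three in one tree, as this report does, is the signal to escalate.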
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  \Users\Admin\AppData\Local\Temp\nsq7182.tmp\akepwc.dll
    MD5:    0560ba80e8afe7f5d83eb600602ab426
    SHA1:   a783f03bc76ee70833d61d69d854674f45d5a223
    SHA256: 19013d7428a659774231fd4b5213a463eeab58a0c347dadfaa95536bd89d3f13
    SHA512: a034974dc569db8064b9bc5699e33b188c581e716862fed95708a1b2caaccaa6ae8ee4f4f23989c68ef838ea71271423501b6aea27a9c216af9db9745356b12c
    (A DLL dropped into a %TEMP%\ns*.tmp directory is the layout an NSIS installer uses for its plugins, which fits the "Loads dropped DLL" signature on PID 856: this is the NSIS-wrapped loader stage, not the XLoader payload itself; the payload is only seen in the memory dumps below.)

  memory dump                                                          filesize
  memory/1212-115-0x0000000000400000-0x0000000000429000-memory.dmp     164KB
  memory/1212-116-0x000000000041D470-mapping.dmp                       (mapping only)
  memory/1212-118-0x0000000000E50000-0x0000000000E61000-memory.dmp     68KB
  memory/1212-117-0x0000000000990000-0x0000000000CB0000-memory.dmp     3.1MB
  memory/1340-120-0x0000000000000000-mapping.dmp                       (mapping only)
  memory/1340-122-0x0000000000A10000-0x0000000000E4F000-memory.dmp     4.2MB
  memory/1340-123-0x0000000000630000-0x0000000000659000-memory.dmp     164KB
  memory/1340-124-0x0000000004A60000-0x0000000004D80000-memory.dmp     3.1MB
  memory/1340-125-0x00000000048C0000-0x0000000004950000-memory.dmp     576KB
  memory/1532-121-0x0000000000000000-mapping.dmp                       (mapping only)
  memory/2740-119-0x0000000007360000-0x00000000074AB000-memory.dmp     1.3MB
  memory/2740-126-0x0000000006880000-0x000000000698E000-memory.dmp     1.1MB

  The two 164KB regions (1212 at 0x400000 and 1340 at 0x630000) are the ones the xloader YARA rule matched in the Signatures section; they are the same unpacked payload, once in the hollowed sample copy and once in the 32-bit explorer.exe.