Analysis
- max time kernel: 152s
- max time network: 162s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 28-09-2021 10:05
Static task: static1
Behavioral task: behavioral1
- Sample: apmPuZR9VEFCl0d.exe
- Resource: win7-en-20210920
General
- Target: apmPuZR9VEFCl0d.exe
- Size: 417KB
- MD5: 675b5a620f66d0abbd3940ef365ee298
- SHA1: 7baa86b11256ad89b51decfa1fab8fa8d192ff78
- SHA256: d2c3619f62ee7f09594134678d02e47d6a0b71a5e203f3edae6a9f5dbecb4f48
- SHA512: ceef3ab4249ae9e2567dc2d349dc22f1cb190d7b908c4f6869c8f81da30df76c9504fa98d8521914a797355f4a1127c50bf19e89441f46c85036b9baa5c7110a
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: jdt0
- C2: http://www.jen4x.com/jdt0/
Decoy domains:
william188.com
kmknim.com
freedomnofear.com
industrialohare.com
devopswave.com
g1fz.com
aliceguidi.info
linkared.com
crossboda.com
lpddr3.com
ktnword.xyz
productsdesign.top
dulichnhatviet.com
piazzaassociates.com
inpude.com
kmi.contractors
getkyrobak.com
sportinggoodssuperstore.com
trifoly.info
aspectjudge.com
yangmoo.com
shiftmedicalstaffing.agency
umofan.com
investmentqualityjewels.com
hoteldelpaseocampeche.com
ezhandianfu888.com
liveincare-online.com
riverflowmassage.com
heldyn.com
escueladecampo.com
telecombazaar.com
oshitoishi.net
microexpertise.com
successportal.net
nepll.com
jdqmg.com
aedificeproperty.com
element-light.com
karenellissolutions.com
embutidosdigitales.com
goddistorted.com
wanimi.online
online-ec.biz
staysg.club
roytoys.xyz
loadcenter-dropbox.biz
appcast-70.com
espraycash.com
busizy.com
intellibotz.com
gg-loader.com
rocketdealfinder.com
hosting-premium-online.com
lookyanychev-gallery.store
norllix.com
itooze.com
cbuqn.com
life-lover.com
kelloscosplay.com
memory-information.club
grand-polyana.com
sanieart.com
pavlonmedia.net
edgar-regale.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1480-61-0x000000000041D390-mapping.dmp / xloader
- behavioral1/memory/1480-60-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
- behavioral1/memory/1592-68-0x0000000000070000-0x0000000000099000-memory.dmp / xloader
Blocklisted process makes network request 1 IoCs
Processes (flow / pid / process):
- flow 27 / 1592 / cscript.exe
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 2036 set thread context of 1480 / 2036 / apmPuZR9VEFCl0d.exe / RegSvcs.exe
- PID 1480 set thread context of 1408 / 1480 / RegSvcs.exe / Explorer.EXE
- PID 1592 set thread context of 1408 / 1592 / cscript.exe / Explorer.EXE
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes (pid / process):
- 2036 / apmPuZR9VEFCl0d.exe (2 occurrences)
- 1480 / RegSvcs.exe (2 occurrences)
- 1592 / cscript.exe (20 occurrences)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process):
- 1480 / RegSvcs.exe (3 occurrences)
- 1592 / cscript.exe (2 occurrences)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2036 / apmPuZR9VEFCl0d.exe
- Token: SeDebugPrivilege / 1480 / RegSvcs.exe
- Token: SeDebugPrivilege / 1592 / cscript.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid / process):
- 1408 / Explorer.EXE (2 occurrences)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid / process):
- 1408 / Explorer.EXE (2 occurrences)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description / pid / process / target process):
- PID 2036 wrote to memory of 1480 / 2036 / apmPuZR9VEFCl0d.exe / RegSvcs.exe (10 occurrences)
- PID 1408 wrote to memory of 1592 / 1408 / Explorer.EXE / cscript.exe (4 occurrences)
- PID 1592 wrote to memory of 1580 / 1592 / cscript.exe / cmd.exe (4 occurrences)
Processes (process tree; indentation shows parent/child depth)
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\apmPuZR9VEFCl0d.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\apmPuZR9VEFCl0d.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\cscript.exe
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Matrix
Downloads (memory dumps; filesize where reported)
- memory/1408-71-0x0000000006890000-0x00000000069FB000-memory.dmp (1.4MB)
- memory/1408-64-0x00000000040A0000-0x0000000004183000-memory.dmp (908KB)
- memory/1480-63-0x00000000002E0000-0x00000000002F1000-memory.dmp (68KB)
- memory/1480-62-0x0000000000A20000-0x0000000000D23000-memory.dmp (3.0MB)
- memory/1480-61-0x000000000041D390-mapping.dmp
- memory/1480-60-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/1580-66-0x0000000000000000-mapping.dmp
- memory/1592-67-0x0000000000180000-0x00000000001A2000-memory.dmp (136KB)
- memory/1592-65-0x0000000000000000-mapping.dmp
- memory/1592-68-0x0000000000070000-0x0000000000099000-memory.dmp (164KB)
- memory/1592-69-0x0000000001F20000-0x0000000002223000-memory.dmp (3.0MB)
- memory/1592-70-0x0000000002230000-0x00000000022C0000-memory.dmp (576KB)
- memory/1592-72-0x00000000765A1000-0x00000000765A3000-memory.dmp (8KB)
- memory/2036-59-0x0000000000640000-0x000000000066C000-memory.dmp (176KB)
- memory/2036-58-0x00000000050B0000-0x000000000510A000-memory.dmp (360KB)
- memory/2036-57-0x0000000000320000-0x000000000032E000-memory.dmp (56KB)
- memory/2036-54-0x0000000000270000-0x0000000000271000-memory.dmp (4KB)
- memory/2036-56-0x0000000004C10000-0x0000000004C11000-memory.dmp (4KB)