Analysis

max time kernel: 550s
max time network: 552s
platform: windows10_x64
resource: win10v20210408
submitted: 29-09-2021 08:16

Static task: static1
Behavioral task: behavioral1
Sample: UPStracking0940292.exe
Resource: win7-en-20210920
General

Target: UPStracking0940292.exe
Size: 256KB
MD5: ecad1092417fae79942a0022ce770621
SHA1: 661d76ff20089a6926c95a934b4619baefd230c5
SHA256: 86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
SHA512: 9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: dhua
C2: http://www.segurosramosroman.com/dhua/

Decoy domains (the 64 hosts below are embedded next to the real C2; XLoader/FormBook spreads its check-ins across them to hide the true server, so a request to the /dhua/ path on any of them indicates an infected client, but many of these are legitimate sites and must not be treated as attacker infrastructure on their own):
ketostar.club
icanmakeyoufamous.com
claimygdejection.com
garlicinterestedparent.xyz
bits-clicks.com
030atk.xyz
ballwiegand.com
logs-illumidesk.com
785686.com
flnewsfeed.com
transporteshrj.net
agenciamundodigital.online
bowersllc.com
urchncenw.com
wuauwuaumx.com
littlesportsacademy.com
xn--m3chb3ax0abdta3fwhk.com
prmarketings.com
jiaozhanlianmeng.com
whenisthestore.space
ventureagora.net
ditrixmed.store
gitlab-tamskillpage.com
samgravikasnidhi.com
lenti4you.com
reviewallstarscommerce.com
nissimarble.com
md2px.xyz
tristarelectronics.net
you11.net
vaccinationfraud.xyz
bu3helo.com
marcellcheckpoint.com
hassinkandroos.com
socw.quest
screenedscooptoknow-today.info
aciburada.com
edimacare.com
smokenation.net
elga-groupinc.com
26dgj.xyz
chandleenews.com
sugarcanemultisport.com
nichellejonesrealtor.com
architektschnur.com
atehgroup.com
ocoeeboys.com
zanesells.com
878971.com
infringement-notice.com
orzame.com
darlindough.com
bwpassionenterprise.com
switchress.com
willcowblog.online
rsyncpalace.com
ayderstudio.com
ascotintrenational.com
omeducationhelp.com
kimberleydawnwallace.com
thereisnooneway.com
marketobserve.com
sildenafilnrx.com
willowbaldwin.com
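How to turn the extracted config above into a network detection: the implant contacts the real C2 and the decoy domains with the same campaign path, so a host match alone is noisy (several decoys are ordinary websites) while host-plus-path is specific. The following is an added example, not part of the sandbox report or of any vendor tooling. CONFIG_TEXT is the report's config block with the decoy list abbreviated to four entries; SAMPLE_PROXY_LOG is constructed, and its "timestamp client method url status" layout is an assumption about the proxy format.

```python
"""Build a C2/decoy matcher from the XLoader config and run it over proxy logs."""
import re
from urllib.parse import urlsplit

# Config block as it appears in the report (decoy list abbreviated).
CONFIG_TEXT = """\
xloader
2.5
dhua
http://www.segurosramosroman.com/dhua/
ketostar.club
icanmakeyoufamous.com
xn--m3chb3ax0abdta3fwhk.com
willowbaldwin.com
"""

# Assumed proxy log layout: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so the C2 entry
    (www.segurosramosroman.com) and the bare decoy names compare alike."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(text):
    """Field order follows the report: family, version, campaign, C2 URL, decoys."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, campaign, c2 = lines[:4]
    c2_parts = urlsplit(c2)
    return {
        "family": family,
        "version": version,
        "campaign": campaign,
        "c2_host": normalize_host(c2_parts.hostname),
        "c2_path": c2_parts.path,  # "/dhua/": the campaign-specific URI
        "decoys": {normalize_host(d) for d in lines[4:]},
    }


def match_requests(config, log_lines):
    """Flag requests that hit the campaign path on the C2 or any decoy host.
    A decoy host with a different path is not flagged: the path is what ties
    the request to this campaign rather than to ordinary browsing."""
    watched = config["decoys"] | {config["c2_host"]}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the scan
        url = urlsplit(m["url"])
        host = normalize_host(url.hostname)
        if host in watched and url.path.startswith(config["c2_path"]):
            hits.append({
                "client": m["client"],
                "method": m["method"],
                "host": host,
                "kind": "c2" if host == config["c2_host"] else "decoy",
            })
    return hits


def infected_clients(hits):
    """Clients that produced at least one check-in, C2 or decoy."""
    return {h["client"] for h in hits}


# Constructed sample log: two real check-ins from 10.0.0.5, one from 10.0.0.9,
# one decoy host on the wrong path, one unknown host on the right path, one
# unparsable line.
SAMPLE_PROXY_LOG = [
    "2021-09-29T08:17:01Z 10.0.0.5 GET http://www.segurosramosroman.com/dhua/?q=1 200",
    "2021-09-29T08:17:03Z 10.0.0.5 POST http://www.ketostar.club/dhua/ 404",
    "2021-09-29T08:17:05Z 10.0.0.5 GET http://ketostar.club/ 200",
    "2021-09-29T08:17:07Z 10.0.0.7 GET http://example.org/dhua/ 200",
    "2021-09-29T08:17:09Z 10.0.0.9 GET http://xn--m3chb3ax0abdta3fwhk.com/dhua/?q=2 503",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for hit in match_requests(cfg, SAMPLE_PROXY_LOG):
        print(hit)
    print("infected:", sorted(infected_clients(match_requests(cfg, SAMPLE_PROXY_LOG))))
```

Decoy hits count as infection evidence for the client even though the server is not the real C2; the decoy domains themselves should go on a watch list, not a block list, until checked individually.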
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
(XLoader is the continuation of FormBook and keeps its check-in protocol, which is why the network rules fire under the FormBook name.)
Xloader Payload 4 IoCs
YARA rule xloader matched:
behavioral2/memory/788-115-0x0000000000400000-0x0000000000429000-memory.dmp
behavioral2/memory/788-116-0x000000000041D4E0-mapping.dmp
behavioral2/memory/996-123-0x0000000002BA0000-0x0000000002BC9000-memory.dmp
behavioral2/memory/3908-133-0x000000000041D4E0-mapping.dmp
(The payload is present in the hollowed child of the sample, PID 788, at image base 0x400000; in the Explorer-spawned cmd.exe, PID 996, it was injected into; and in PID 3908, the hollowed child of the persistence copy, which resumes at the same entry point 0x41D4E0 as PID 788.)

Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: cmd.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (cmd.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PB6HZLD87VJ = "C:\\Program Files (x86)\\Zutmlgjwp\\yrv8fljf8r6.exe" (cmd.exe)
(Policies\Explorer\Run is processed at logon like the ordinary CurrentVersion\Run key but is checked far less often. Writing it under HKLM, and dropping into Program Files (x86), needs the administrative rights the sandbox user had; a non-admin victim would not produce these exact artefacts.)

Executes dropped EXE 2 IoCs
PID 2216 yrv8fljf8r6.exe
PID 3908 yrv8fljf8r6.exe

Loads dropped DLL 2 IoCs
PID 568 UPStracking0940292.exe
PID 2216 yrv8fljf8r6.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext 4 IoCs
PID 568 (UPStracking0940292.exe) set thread context of PID 788 (UPStracking0940292.exe)
PID 788 (UPStracking0940292.exe) set thread context of PID 2708 (Explorer.EXE)
PID 996 (cmd.exe) set thread context of PID 2708 (Explorer.EXE)
PID 2216 (yrv8fljf8r6.exe) set thread context of PID 3908 (yrv8fljf8r6.exe)
(The first and last entries are process hollowing: the loader starts a suspended copy of itself, writes the unpacked payload into it and points the main thread at the new entry point. The middle two are the payload hijacking Explorer, which from then on appears as the parent of cmd.exe and of the persistence copy.)
Drops file in Program Files directory 4 IoCs
File opened for modification: C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (cmd.exe)
File opened for modification: C:\Program Files (x86)\Zutmlgjwp (Explorer.EXE)
File created: C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (Explorer.EXE)
File opened for modification: C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (Explorer.EXE)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is the sandbox's generic description for the signature; its usual "likely ransomware" reading does not apply here, since nothing else in this report (no file encryption, no ransom note) supports it and XLoader is an information stealer.
NSIS installer 6 IoCs
YARA rules nsis_installer_1 and nsis_installer_2 matched C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (each rule is listed three times against the same path)

Modifies Internet Explorer settings 1 IoCs
Key created: \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmd.exe)
(IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and password data; the injected cmd.exe touching it is the concrete trace behind the browser-data signature above.)

Modifies registry class 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance (Explorer.EXE)
Key created: \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance (Explorer.EXE)
Suspicious behavior: EnumeratesProcesses 64 IoCs
PID 788 UPStracking0940292.exe (4 hits), PID 996 cmd.exe (58 hits), PID 3908 yrv8fljf8r6.exe (2 hits)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
PID 2708 Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
PID 788 UPStracking0940292.exe (3 hits), PID 996 cmd.exe (4 hits)

Suspicious use of AdjustPrivilegeToken 17 IoCs
Token: SeDebugPrivilege, PID 788 UPStracking0940292.exe
Token: SeDebugPrivilege, PID 996 cmd.exe
Token: SeDebugPrivilege, PID 3908 yrv8fljf8r6.exe
Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, PID 2708 Explorer.EXE (7 hits each)
(SeDebugPrivilege in the three payload-bearing processes is the meaningful entry; enabling it is the usual preparation for opening and writing other processes. The Explorer entries are ordinary shell behaviour.)

Suspicious use of FindShellTrayWindow 8 IoCs
PID 2708 Explorer.EXE (8 hits)

Suspicious use of SendNotifyMessage 11 IoCs
PID 2708 Explorer.EXE (11 hits)

Suspicious use of WriteProcessMemory 24 IoCs
PID 568 UPStracking0940292.exe wrote to memory of PID 788 UPStracking0940292.exe (6 hits)
PID 2708 Explorer.EXE wrote to memory of PID 996 cmd.exe (3 hits)
PID 996 cmd.exe wrote to memory of PID 8 cmd.exe (3 hits)
PID 996 cmd.exe wrote to memory of PID 3736 Firefox.exe (3 hits)
PID 2708 Explorer.EXE wrote to memory of PID 2216 yrv8fljf8r6.exe (3 hits)
PID 2216 yrv8fljf8r6.exe wrote to memory of PID 3908 yrv8fljf8r6.exe (6 hits)
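The SetThreadContext and WriteProcessMemory signatures above are individually weak (installers and debuggers trigger both); what identifies XLoader is their combination: a process writing into and resetting the thread of a child that runs the same image, followed by a thread-context write into Explorer, followed by Explorer appearing as the parent of the next stage. The following added example, which is not part of the sandbox report, correlates the report's own events into those patterns and computes the set of processes an incident responder should treat as tainted. EVENTS is transcribed from the two signatures with repeated identical entries collapsed; the tuple layout, the rule thresholds and the SHELL_IMAGES set are this example's assumptions.

```python
"""Correlate per-process injection events into a process-hollowing chain."""
from collections import defaultdict

# (api, source_pid, source_image, target_pid, target_image), in report order.
# Transcribed from the report; duplicate entries for the same pair collapsed.
EVENTS = [
    ("WriteProcessMemory", 568, "UPStracking0940292.exe", 788, "UPStracking0940292.exe"),
    ("SetThreadContext",   568, "UPStracking0940292.exe", 788, "UPStracking0940292.exe"),
    ("SetThreadContext",   788, "UPStracking0940292.exe", 2708, "Explorer.EXE"),
    ("WriteProcessMemory", 2708, "Explorer.EXE", 996, "cmd.exe"),
    ("SetThreadContext",   996, "cmd.exe", 2708, "Explorer.EXE"),
    ("WriteProcessMemory", 996, "cmd.exe", 8, "cmd.exe"),
    ("WriteProcessMemory", 996, "cmd.exe", 3736, "Firefox.exe"),
    ("WriteProcessMemory", 2708, "Explorer.EXE", 2216, "yrv8fljf8r6.exe"),
    ("WriteProcessMemory", 2216, "yrv8fljf8r6.exe", 3908, "yrv8fljf8r6.exe"),
    ("SetThreadContext",   2216, "yrv8fljf8r6.exe", 3908, "yrv8fljf8r6.exe"),
]

# Assumed: images whose hijacking we treat as "shell injection".
SHELL_IMAGES = {"explorer.exe"}


def find_hollowing(events):
    """A process that both writes into and resets the thread context of a
    different process running the same image is hollowing a suspended copy
    of itself. Returns sorted (parent_pid, child_pid, image) triples."""
    apis = defaultdict(set)
    for api, spid, simg, tpid, timg in events:
        if spid != tpid and simg.lower() == timg.lower():
            apis[(spid, tpid, simg)].add(api)
    needed = {"WriteProcessMemory", "SetThreadContext"}
    return sorted(key for key, seen in apis.items() if needed <= seen)


def find_shell_injection(events):
    """SetThreadContext on a shell process from a non-shell image: the payload
    is hijacking Explorer so later activity looks like it comes from the shell."""
    return [
        (spid, simg)
        for api, spid, simg, tpid, timg in events
        if api == "SetThreadContext"
        and timg.lower() in SHELL_IMAGES
        and simg.lower() not in SHELL_IMAGES
    ]


def injection_chain(events, root_pid):
    """Every pid reachable from root_pid over write/thread-context edges:
    the processes to treat as tainted by this sample, including the shell."""
    edges = defaultdict(set)
    for _api, spid, _simg, tpid, _timg in events:
        edges[spid].add(tpid)
    seen, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(edges[pid])  # includes cycles like cmd.exe -> Explorer
    return seen


if __name__ == "__main__":
    print("hollowing:", find_hollowing(EVENTS))
    print("shell injection:", find_shell_injection(EVENTS))
    print("tainted pids from 568:", sorted(injection_chain(EVENTS, 568)))
```

Run against the report's events, the hollowing rule returns the sample and its persistence copy, the shell rule returns PID 788 and the injected cmd.exe, and the chain from PID 568 pulls in Explorer, both cmd.exe instances, Firefox and the two yrv8fljf8r6.exe processes, which is exactly the set that must be terminated together: killing the visible UPStracking0940292.exe processes alone leaves the payload alive in Explorer and cmd.exe.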
System policy modification 1 TTPs 1 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (cmd.exe)
Processes

C:\Windows\Explorer.EXE (depth 1)
    command line: C:\Windows\Explorer.EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe (depth 2)
        command line: "C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe (depth 3)
            command line: "C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (depth 2)
        command line: "C:\Windows\SysWOW64\cmd.exe"
        - Adds policy Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification

        C:\Windows\SysWOW64\cmd.exe (depth 3)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"

        C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
            command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

    C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (depth 2)
        command line: "C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (depth 3)
            command line: "C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

Reading the tree: the depth-2 SysWOW64\cmd.exe is a 32-bit cmd.exe that the hijacked Explorer started with no arguments; it is the process that hosts the injected payload and does the real work (sets the Policies\Explorer\Run value, deletes the original sample via the "cmd /c del" child, and starts Firefox). Both the sample and the persistence copy follow the same two-stage shape: an NSIS installer parent that loads the dropped DLL, and a hollowed child of the same image that carries the XLoader payload. The persistence copy appears as a child of Explorer because the hijacked shell launched it.
Downloads

C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe (listed three times in the report, identical hashes)
MD5: ecad1092417fae79942a0022ce770621
SHA1: 661d76ff20089a6926c95a934b4619baefd230c5
SHA256: 86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
SHA512: 9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
(These are the hashes of the submitted sample: the persistence copy is a byte-for-byte copy of the original NSIS package, so the file hashes in the General section cover both the initial dropper and the persistent one.)

C:\Users\Admin\AppData\Local\Temp\kk3ingy62g95a4edy
MD5: 0e99a6626fbe1f9cc3075ebe4ae0307e
SHA1: 4dde1fcbdb2968ea41f2ab515adfe1da5824b795
SHA256: 44853e5be595d6024247433fd44979510ca819dcab128e09296fbb71f2fd2f79
SHA512: 560b8b8d208f2bd01ac6dbdba8159b0a08eef8f2c73cbd2e6c607cf79ef298178a7fac41728192b08f593247d3b38257f13c19dcb96ac78174f5b2ebbf98d912

\Users\Admin\AppData\Local\Temp\nsh4B34.tmp\zflbzcl.dll
MD5: 0200fe8ceab8e27bcdeec801d6e8910f
SHA1: 255d5d2a8b7893d456fe6181764e52558d89834c
SHA256: d454fb68308a5bdfb263da7b4dad9c9a074af50e4bb9ac4fd9d5231aa65eaced
SHA512: 71b862e4530f72c3cbf05d413ad25825670819da2454e9049338e4cb823384f47c96a140891070d9818758b11ef6bf7abd820920844e9faf9d3bb333c3687036

\Users\Admin\AppData\Local\Temp\nsw5AED.tmp\zflbzcl.dll
MD5: 0200fe8ceab8e27bcdeec801d6e8910f
SHA1: 255d5d2a8b7893d456fe6181764e52558d89834c
SHA256: d454fb68308a5bdfb263da7b4dad9c9a074af50e4bb9ac4fd9d5231aa65eaced
SHA512: 71b862e4530f72c3cbf05d413ad25825670819da2454e9049338e4cb823384f47c96a140891070d9818758b11ef6bf7abd820920844e9faf9d3bb333c3687036
(The nsXXXX.tmp directories are the per-run plugin folders NSIS creates; the same zflbzcl.dll is unpacked twice because the installer runs once as the submitted sample, PID 568, and once as the persistence copy, PID 2216, matching the two "Loads dropped DLL" hits. The report does not say what the extension-less kk3ingy62g95a4edy file contains; a plugin DLL next to an opaque Temp blob is the usual layout of NSIS-packed loaders, where the DLL decrypts the blob and hollows the child process, but that is a general pattern rather than something this report confirms.)
memory/8-121-0x0000000000000000-mapping.dmp
memory/788-118-0x0000000000E40000-0x0000000000E51000-memory.dmp, 68KB
memory/788-117-0x00000000009D0000-0x0000000000CF0000-memory.dmp, 3.1MB
memory/788-116-0x000000000041D4E0-mapping.dmp
memory/788-115-0x0000000000400000-0x0000000000429000-memory.dmp, 164KB
memory/996-123-0x0000000002BA0000-0x0000000002BC9000-memory.dmp, 164KB
memory/996-122-0x0000000000A10000-0x0000000000A69000-memory.dmp, 356KB
memory/996-124-0x0000000003570000-0x0000000003890000-memory.dmp, 3.1MB
memory/996-125-0x00000000034C0000-0x0000000003550000-memory.dmp, 576KB
memory/996-120-0x0000000000000000-mapping.dmp
memory/2216-127-0x0000000000000000-mapping.dmp
memory/2708-126-0x0000000000840000-0x00000000008DC000-memory.dmp, 624KB
memory/2708-119-0x0000000006810000-0x000000000693E000-memory.dmp, 1.2MB
memory/3736-135-0x0000000000000000-mapping.dmp
memory/3736-137-0x00007FF6E6760000-0x00007FF6E67F3000-memory.dmp, 588KB
memory/3736-138-0x000001E2A3360000-0x000001E2A34B7000-memory.dmp, 1.3MB
memory/3908-133-0x000000000041D4E0-mapping.dmp
memory/3908-136-0x00000000009B0000-0x0000000000CD0000-memory.dmp, 3.1MB
(The two 164KB regions, 788-115 at the image base of the hollowed child and 996-123 inside cmd.exe, are the same-sized unpacked XLoader image and are the dumps the xloader YARA rule matched; 788-115, starting at 0x400000, is the one to take for static analysis. The mapping.dmp entries record where execution was redirected: 0x41D4E0 is the payload entry point in both hollowed children, PID 788 and PID 3908.)