Analysis
-
max time kernel
550s -
max time network
552s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
29-09-2021 08:16
General
-
Target
UPStracking0940292.exe
-
Size
256KB
-
MD5
ecad1092417fae79942a0022ce770621
-
SHA1
661d76ff20089a6926c95a934b4619baefd230c5
-
SHA256
86ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
-
SHA512
9a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
Malware Config
Extracted
xloader
2.5
dhua
http://www.segurosramosroman.com/dhua/
ketostar.club
icanmakeyoufamous.com
claimygdejection.com
garlicinterestedparent.xyz
bits-clicks.com
030atk.xyz
ballwiegand.com
logs-illumidesk.com
785686.com
flnewsfeed.com
transporteshrj.net
agenciamundodigital.online
bowersllc.com
urchncenw.com
wuauwuaumx.com
littlesportsacademy.com
xn--m3chb3ax0abdta3fwhk.com
prmarketings.com
jiaozhanlianmeng.com
whenisthestore.space
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload 4 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 11 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\UPStracking0940292.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe"C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe"C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exeMD5
ecad1092417fae79942a0022ce770621
SHA1661d76ff20089a6926c95a934b4619baefd230c5
SHA25686ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
SHA5129a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
-
C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exeMD5
ecad1092417fae79942a0022ce770621
SHA1661d76ff20089a6926c95a934b4619baefd230c5
SHA25686ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
SHA5129a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
-
C:\Program Files (x86)\Zutmlgjwp\yrv8fljf8r6.exeMD5
ecad1092417fae79942a0022ce770621
SHA1661d76ff20089a6926c95a934b4619baefd230c5
SHA25686ccf51a612ccf7c07b1e356636e236abca7bd99b3176e983d777f07fde6a757
SHA5129a428228b6f66d3cd200f698e910c1c0a88f361638a47891a6a5eb59871e536d07f5607483cee31d810984af509f293b09a77261b766ea957bba449de21207e7
-
C:\Users\Admin\AppData\Local\Temp\kk3ingy62g95a4edyMD5
0e99a6626fbe1f9cc3075ebe4ae0307e
SHA14dde1fcbdb2968ea41f2ab515adfe1da5824b795
SHA25644853e5be595d6024247433fd44979510ca819dcab128e09296fbb71f2fd2f79
SHA512560b8b8d208f2bd01ac6dbdba8159b0a08eef8f2c73cbd2e6c607cf79ef298178a7fac41728192b08f593247d3b38257f13c19dcb96ac78174f5b2ebbf98d912
-
\Users\Admin\AppData\Local\Temp\nsh4B34.tmp\zflbzcl.dllMD5
0200fe8ceab8e27bcdeec801d6e8910f
SHA1255d5d2a8b7893d456fe6181764e52558d89834c
SHA256d454fb68308a5bdfb263da7b4dad9c9a074af50e4bb9ac4fd9d5231aa65eaced
SHA51271b862e4530f72c3cbf05d413ad25825670819da2454e9049338e4cb823384f47c96a140891070d9818758b11ef6bf7abd820920844e9faf9d3bb333c3687036
-
\Users\Admin\AppData\Local\Temp\nsw5AED.tmp\zflbzcl.dllMD5
0200fe8ceab8e27bcdeec801d6e8910f
SHA1255d5d2a8b7893d456fe6181764e52558d89834c
SHA256d454fb68308a5bdfb263da7b4dad9c9a074af50e4bb9ac4fd9d5231aa65eaced
SHA51271b862e4530f72c3cbf05d413ad25825670819da2454e9049338e4cb823384f47c96a140891070d9818758b11ef6bf7abd820920844e9faf9d3bb333c3687036
-
memory/8-121-0x0000000000000000-mapping.dmp
-
memory/788-118-0x0000000000E40000-0x0000000000E51000-memory.dmpFilesize
68KB
-
memory/788-117-0x00000000009D0000-0x0000000000CF0000-memory.dmpFilesize
3.1MB
-
memory/788-116-0x000000000041D4E0-mapping.dmp
-
memory/788-115-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/996-123-0x0000000002BA0000-0x0000000002BC9000-memory.dmpFilesize
164KB
-
memory/996-122-0x0000000000A10000-0x0000000000A69000-memory.dmpFilesize
356KB
-
memory/996-124-0x0000000003570000-0x0000000003890000-memory.dmpFilesize
3.1MB
-
memory/996-125-0x00000000034C0000-0x0000000003550000-memory.dmpFilesize
576KB
-
memory/996-120-0x0000000000000000-mapping.dmp
-
memory/2216-127-0x0000000000000000-mapping.dmp
-
memory/2708-126-0x0000000000840000-0x00000000008DC000-memory.dmpFilesize
624KB
-
memory/2708-119-0x0000000006810000-0x000000000693E000-memory.dmpFilesize
1.2MB
-
memory/3736-135-0x0000000000000000-mapping.dmp
-
memory/3736-137-0x00007FF6E6760000-0x00007FF6E67F3000-memory.dmpFilesize
588KB
-
memory/3736-138-0x000001E2A3360000-0x000001E2A34B7000-memory.dmpFilesize
1.3MB
-
memory/3908-133-0x000000000041D4E0-mapping.dmp
-
memory/3908-136-0x00000000009B0000-0x0000000000CD0000-memory.dmpFilesize
3.1MB