Analysis
- Max time kernel: 149s
- Max time network: 142s
- Platform: windows7_x64
- Resource: win7-en-20210920
- Submitted: 30-09-2021 10:05
- Static task: static1
- Behavioral task: behavioral1 (sample: Original Scan_Doc Ref 28538013241899233.exe, resource: win7-en-20210920)
General
- Target: Original Scan_Doc Ref 28538013241899233.exe
- Size: 912KB
- MD5: 6fb08a5130cdfc1ba7da0133a916733c
- SHA1: 4c781c859da4a76de1e8c942b4d712c37fb8ca72
- SHA256: 18421819d1c37b2be9b6ce90781a538e28f1238486a2f3d60ef682e0fb80f529
- SHA512: 5572042fab4d2d8d88bb42745ffc33da8af5c9b763cbd8a8a2d50442b46db6b120a79f2cc7c47bbabf10aaff4a7de97251ea3f7148e2d8c1bf0ad90917cbf4fc
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: epns
- C2: http://www.lnvietnam.online/epns/
- Domains:
mmfaccao.com
blttsperma.quest
946abe.net
indispensablehands.com
jkformationfrance.com
phonerepaire.com
lienquan-trian.com
youkuti.com
empowermindbodystudios.com
seunicapf.com
fk-link.xyz
kunai.tech
difficultbutdoablebrand.com
ejworkspace.com
teracorp.biz
thekids.today
quintaalentejana.com
annaviruksham.com
jshengrong.com
nsmetalmakina.xyz
hentainftd.com
alphabet-chicken-farms.com
erotikchat.red
skintipsllc.com
expressofertachegou.com
ygraeriotexniki.com
thesidehustler.net
visionries.com
deployinghigh.com
havana-smile.com
exclusivegift7.com
ephraimhomedeals.com
westquartier.com
kiingear.com
officecom-myaccount.com
lemomentconcept.com
royalteacherclass.com
alltart.com
hustlershandbook.biz
mxpvlv.biz
canalcorporate.com
carcity.toys
k6tkuwrnjake.biz
acrobike69.com
4000518883.com
katia-magnetisme.com
shiningproent.com
ikmbc-b02.com
thoughtsbig.com
baba.clinic
blazestead.com
12monthmillionairetraining.com
goodtasteonline.com
nokushop.com
teneses.com
215oldtoby.com
pampelina.com
eimzaizmir.com
newnetteline.com
discovertexasbeaches.com
farrukhportfolio.website
bombers.xyz
melissacarbonell.group
5402506.win
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/692-57-0x000000000041D410-mapping.dmp | xloader
  behavioral1/memory/692-56-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1580-65-0x0000000000090000-0x00000000000B9000-memory.dmp | xloader
- Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  13 | 1580 | msiexec.exe
  33 | 1580 | msiexec.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\Whwpmnj = "C:\\Users\\Public\\Libraries\\jnmpwhW.url" | Original Scan_Doc Ref 28538013241899233.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 2008 set thread context of 692 | 2008 | Original Scan_Doc Ref 28538013241899233.exe | Original Scan_Doc Ref 28538013241899233.exe
  PID 692 set thread context of 1392 | 692 | Original Scan_Doc Ref 28538013241899233.exe | Explorer.EXE
  PID 1580 set thread context of 1392 | 1580 | msiexec.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (27 IoCs)
  pid | process
  692 | Original Scan_Doc Ref 28538013241899233.exe (2 occurrences)
  1580 | msiexec.exe (25 occurrences)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  1392 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process
  692 | Original Scan_Doc Ref 28538013241899233.exe (3 occurrences)
  1580 | msiexec.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 692 | Original Scan_Doc Ref 28538013241899233.exe
  Token: SeDebugPrivilege | 1580 | msiexec.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description | pid | process | target process
  PID 2008 wrote to memory of 692 | 2008 | Original Scan_Doc Ref 28538013241899233.exe | Original Scan_Doc Ref 28538013241899233.exe (6 occurrences)
  PID 1392 wrote to memory of 1580 | 1392 | Explorer.EXE | msiexec.exe (7 occurrences)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Original Scan_Doc Ref 28538013241899233.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Original Scan_Doc Ref 28538013241899233.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Original Scan_Doc Ref 28538013241899233.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Original Scan_Doc Ref 28538013241899233.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Blocklisted process makes network request
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/692-58-0x0000000000770000-0x0000000000A73000-memory.dmp (filesize: 3.0MB)
- memory/692-59-0x00000000006E0000-0x00000000006F1000-memory.dmp (filesize: 68KB)
- memory/692-57-0x000000000041D410-mapping.dmp
- memory/692-56-0x0000000000400000-0x0000000000429000-memory.dmp (filesize: 164KB)
- memory/1392-60-0x00000000068A0000-0x00000000069D5000-memory.dmp (filesize: 1.2MB)
- memory/1392-67-0x00000000069E0000-0x0000000006AAB000-memory.dmp (filesize: 812KB)
- memory/1580-61-0x0000000000000000-mapping.dmp
- memory/1580-63-0x0000000000D00000-0x0000000000D14000-memory.dmp (filesize: 80KB)
- memory/1580-64-0x0000000002120000-0x0000000002423000-memory.dmp (filesize: 3.0MB)
- memory/1580-65-0x0000000000090000-0x00000000000B9000-memory.dmp (filesize: 164KB)
- memory/1580-66-0x0000000000BB0000-0x0000000000C40000-memory.dmp (filesize: 576KB)
- memory/2008-55-0x00000000003D0000-0x00000000003D1000-memory.dmp (filesize: 4KB)
- memory/2008-54-0x0000000075FA1000-0x0000000075FA3000-memory.dmp (filesize: 8KB)