Analysis
- max time kernel: 166s
- max time network: 166s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 19-10-2021 09:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: XXX00954345678LK.exe
- Resource: win7-en-20210920
General
- Target: XXX00954345678LK.exe
- Size: 412KB
- MD5: 7efcc253b788f264320f6f7f3afbbaff
- SHA1: 5c25530ed2eb2dff34056aa855bd16e6aef9c3a9
- SHA256: 6fa43d41bcec83773fa6f333655029d886633b7a46153d9f7ffbe3c44de19be9
- SHA512: aa410052ea52603c1ce87b4b696c62db540e0b903f618aa9384be09efd16c50acad654e8edd908b4724f8caa35e02cdaf125397d2a1c48acb305f7d4363d620e
Malware Config
Extracted:
- xloader
- 2.5
- iaop
- http://www.georgeinnhatherleigh.com/iaop/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
resource / yara_rule:
- behavioral2/memory/1192-117-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
- behavioral2/memory/1192-118-0x000000000041D4E0-mapping.dmp: xloader
- behavioral2/memory/1496-125-0x0000000002C10000-0x0000000002C39000-memory.dmp: xloader

Loads dropped DLL (1 IoC)
pid / process:
- 3740 XXX00954345678LK.exe

Suspicious use of SetThreadContext (3 IoCs)
description / pid / process / target process:
- PID 3740 set thread context of 1192: XXX00954345678LK.exe -> XXX00954345678LK.exe
- PID 1192 set thread context of 2792: XXX00954345678LK.exe -> Explorer.EXE
- PID 1496 set thread context of 2792: cmmon32.exe -> Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid / process:
- 1192 XXX00954345678LK.exe (4 entries)
- 1496 cmmon32.exe (56 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid / process:
- 2792 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid / process:
- 1192 XXX00954345678LK.exe (3 entries)
- 1496 cmmon32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, 1192 XXX00954345678LK.exe
- Token: SeDebugPrivilege, 1496 cmmon32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / process / target process:
- PID 3740 wrote to memory of 1192: XXX00954345678LK.exe -> XXX00954345678LK.exe (6 entries)
- PID 2792 wrote to memory of 1496: Explorer.EXE -> cmmon32.exe (3 entries)
- PID 1496 wrote to memory of 2300: cmmon32.exe -> cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmmon32.exe
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\XXX00954345678LK.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsz4ED8.tmp\ghuvxtn.dll
  MD5: 17d74b485e249ed2769c1c7ff50ee44b
  SHA1: 776fb735a96320f814d6f511d0b2a9449c019725
  SHA256: 2a8a02db1d8e387f1318ec26d04aaa8bc823c78e6dd38b6692284189f0060938
  SHA512: 4eb12eba9c1ac50b3687998dd27eb68986b4e75ee3584c7264fc63f3104e9edfe5aeaf18a1bc74ac50cab982e8c0c8e06424e0ef44534b3b258ff730b7b153ae
- memory/1192-117-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1192-118-0x000000000041D4E0-mapping.dmp
- memory/1192-121-0x00000000005D0000-0x00000000005E1000-memory.dmp (Filesize: 68KB)
- memory/1192-120-0x0000000000A60000-0x0000000000D80000-memory.dmp (Filesize: 3.1MB)
- memory/1496-123-0x0000000000000000-mapping.dmp
- memory/1496-124-0x0000000000220000-0x000000000022C000-memory.dmp (Filesize: 48KB)
- memory/1496-126-0x00000000044E0000-0x0000000004800000-memory.dmp (Filesize: 3.1MB)
- memory/1496-125-0x0000000002C10000-0x0000000002C39000-memory.dmp (Filesize: 164KB)
- memory/1496-128-0x0000000004340000-0x00000000043D0000-memory.dmp (Filesize: 576KB)
- memory/2300-127-0x0000000000000000-mapping.dmp
- memory/2792-122-0x0000000002D70000-0x0000000002E4A000-memory.dmp (Filesize: 872KB)
- memory/2792-129-0x0000000006E30000-0x0000000006F37000-memory.dmp (Filesize: 1.0MB)