xloader | f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

General

Target

triage_dropped_file.exe
Size

253KB
MD5

d0e4c13e6c8ba9fe34d86b554b595d9a
SHA1

83eee2dbe00ae265af9eb13105dc1068b6b034cd
SHA256

f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032
SHA512

72f5fcd367c0f0fdc83827bea529f84a85ace28550a5cd8102cb0cde2829d81defe312fb0d95d3c5a8e8728f4efd8cb433bfab0b3e1f265fffdc4e0ad687247d

Score

10^/10

xloader kqna loader persistence rat spyware stealer

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

kqna

C2

http://www.surfsolutions.info/kqna/

Decoy

achyutlifesciences.com

anthemmg.com

netkopat.com

generationgirlnaturals.com

novatel-network.com

craftstockco.com

thevishantiverse.art

elkerfly.com

haerotechs.com

candypalette.com

gregdokes.com

e-commerce.company

gratitudeland.com

companyintelcloud.com

publicyazilim.com

xc6811.com

aracsozluk.com

janesgalant.quest

fraserstephendop.com

ryan.rentals

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral5/memory/4880-116-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral5/memory/4880-117-0x000000000041D400-mapping.dmp	xloader
behavioral5/memory/4856-124-0x0000000002F50000-0x0000000002F79000-memory.dmp	xloader
behavioral5/memory/4856-126-0x0000000003200000-0x000000000334A000-memory.dmp	xloader
behavioral5/memory/1976-137-0x000000000041D400-mapping.dmp	xloader

Executes dropped EXE 2 IoCs

Processes:

audiodgib28hj.exeaudiodgib28hj.exe

pid process

1488 audiodgib28hj.exe
1976 audiodgib28hj.exe
Loads dropped DLL 2 IoCs

Processes:

triage_dropped_file.exeaudiodgib28hj.exe

pid process

4824 triage_dropped_file.exe
1488 audiodgib28hj.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1488	audiodgib28hj.exe
1976	audiodgib28hj.exe

pid	process
4824	triage_dropped_file.exe
1488	audiodgib28hj.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	NETSTAT.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8P5HFVHXGVE = "C:\\Program Files (x86)\\S5j6\\audiodgib28hj.exe"	NETSTAT.EXE

Drops file in System32 directory 4 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-wal	OfficeC2RClient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shm	OfficeC2RClient.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

triage_dropped_file.exetriage_dropped_file.exeNETSTAT.EXEaudiodgib28hj.exe

description	pid	process	target process
PID 4824 set thread context of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 4880 set thread context of 2296	4880	triage_dropped_file.exe	Explorer.EXE
PID 4856 set thread context of 2296	4856	NETSTAT.EXE	Explorer.EXE
PID 1488 set thread context of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe

Drops file in Program Files directory 4 IoCs

Processes:

NETSTAT.EXEExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\S5j6\audiodgib28hj.exe	NETSTAT.EXE
File opened for modification	C:\Program Files (x86)\S5j6	Explorer.EXE
File created	C:\Program Files (x86)\S5j6\audiodgib28hj.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\S5j6\audiodgib28hj.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\S5j6\audiodgib28hj.exe	nsis_installer_1
C:\Program Files (x86)\S5j6\audiodgib28hj.exe	nsis_installer_2
C:\Program Files (x86)\S5j6\audiodgib28hj.exe	nsis_installer_1
C:\Program Files (x86)\S5j6\audiodgib28hj.exe	nsis_installer_2
C:\Program Files (x86)\S5j6\audiodgib28hj.exe	nsis_installer_1
C:\Program Files (x86)\S5j6\audiodgib28hj.exe	nsis_installer_2

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4856 NETSTAT.EXE

pid	process
4856	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Modifies data under HKEY_USERS 23 IoCs

Processes:

OfficeC2RClient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\Volatile	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,17110988,7153487,39965824,17962391,17962392,3702920,3462423,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeC2RClient.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,941 10,1329 15,941 15,941 6,1329 100,1329 6"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeC2RClient.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeC2RClient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officec2rclient.exe\ULSMonitor	OfficeC2RClient.exe

Modifies registry class 47 IoCs

Processes:

FileSyncConfig.exeExplorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

triage_dropped_file.exeNETSTAT.EXE

pid	process
4880	triage_dropped_file.exe
4880	triage_dropped_file.exe
4880	triage_dropped_file.exe
4880	triage_dropped_file.exe
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2296 Explorer.EXE

pid	process
2296	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

triage_dropped_file.exeNETSTAT.EXE

pid	process
4880	triage_dropped_file.exe
4880	triage_dropped_file.exe
4880	triage_dropped_file.exe
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE
4856	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

triage_dropped_file.exeNETSTAT.EXEExplorer.EXEaudiodgib28hj.exe

description	pid	process
Token: SeDebugPrivilege	4880	triage_dropped_file.exe
Token: SeDebugPrivilege	4856	NETSTAT.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeShutdownPrivilege	2296	Explorer.EXE
Token: SeCreatePagefilePrivilege	2296	Explorer.EXE
Token: SeDebugPrivilege	1976	audiodgib28hj.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

2296 Explorer.EXE
2296 Explorer.EXE
2296 Explorer.EXE
2296 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OfficeC2RClient.exe

pid process

4904 OfficeC2RClient.exe

pid	process
2296	Explorer.EXE
2296	Explorer.EXE
2296	Explorer.EXE
2296	Explorer.EXE

pid	process
4904	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

triage_dropped_file.exeExplorer.EXENETSTAT.EXEaudiodgib28hj.exe

description	pid	process	target process
PID 4824 wrote to memory of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 4824 wrote to memory of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 4824 wrote to memory of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 4824 wrote to memory of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 4824 wrote to memory of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 4824 wrote to memory of 4880	4824	triage_dropped_file.exe	triage_dropped_file.exe
PID 2296 wrote to memory of 4856	2296	Explorer.EXE	NETSTAT.EXE
PID 2296 wrote to memory of 4856	2296	Explorer.EXE	NETSTAT.EXE
PID 2296 wrote to memory of 4856	2296	Explorer.EXE	NETSTAT.EXE
PID 4856 wrote to memory of 1568	4856	NETSTAT.EXE	cmd.exe
PID 4856 wrote to memory of 1568	4856	NETSTAT.EXE	cmd.exe
PID 4856 wrote to memory of 1568	4856	NETSTAT.EXE	cmd.exe
PID 4856 wrote to memory of 3964	4856	NETSTAT.EXE	cmd.exe
PID 4856 wrote to memory of 3964	4856	NETSTAT.EXE	cmd.exe
PID 4856 wrote to memory of 3964	4856	NETSTAT.EXE	cmd.exe
PID 4856 wrote to memory of 2332	4856	NETSTAT.EXE	Firefox.exe
PID 4856 wrote to memory of 2332	4856	NETSTAT.EXE	Firefox.exe
PID 2296 wrote to memory of 1488	2296	Explorer.EXE	audiodgib28hj.exe
PID 2296 wrote to memory of 1488	2296	Explorer.EXE	audiodgib28hj.exe
PID 2296 wrote to memory of 1488	2296	Explorer.EXE	audiodgib28hj.exe
PID 4856 wrote to memory of 2332	4856	NETSTAT.EXE	Firefox.exe
PID 1488 wrote to memory of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe
PID 1488 wrote to memory of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe
PID 1488 wrote to memory of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe
PID 1488 wrote to memory of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe
PID 1488 wrote to memory of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe
PID 1488 wrote to memory of 1976	1488	audiodgib28hj.exe	audiodgib28hj.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2296

C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe
"C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
3⤵
PID:1568

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3964

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2332

C:\Program Files (x86)\S5j6\audiodgib28hj.exe
"C:\Program Files (x86)\S5j6\audiodgib28hj.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files (x86)\S5j6\audiodgib28hj.exe
"C:\Program Files (x86)\S5j6\audiodgib28hj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.196.0921.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:3068

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /frequentupdate SCHEDULEDTASK displaylevel=False
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\S5j6\audiodgib28hj.exe
MD5
d0e4c13e6c8ba9fe34d86b554b595d9a

SHA1
83eee2dbe00ae265af9eb13105dc1068b6b034cd

SHA256
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

SHA512
72f5fcd367c0f0fdc83827bea529f84a85ace28550a5cd8102cb0cde2829d81defe312fb0d95d3c5a8e8728f4efd8cb433bfab0b3e1f265fffdc4e0ad687247d

Download Submit
C:\Program Files (x86)\S5j6\audiodgib28hj.exe
MD5
d0e4c13e6c8ba9fe34d86b554b595d9a

SHA1
83eee2dbe00ae265af9eb13105dc1068b6b034cd

SHA256
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

SHA512
72f5fcd367c0f0fdc83827bea529f84a85ace28550a5cd8102cb0cde2829d81defe312fb0d95d3c5a8e8728f4efd8cb433bfab0b3e1f265fffdc4e0ad687247d

Download Submit
C:\Program Files (x86)\S5j6\audiodgib28hj.exe
MD5
d0e4c13e6c8ba9fe34d86b554b595d9a

SHA1
83eee2dbe00ae265af9eb13105dc1068b6b034cd

SHA256
f8d9fbcef6907460baa7c91e53d1a40865901bb50906b5519cba440fdbc65032

SHA512
72f5fcd367c0f0fdc83827bea529f84a85ace28550a5cd8102cb0cde2829d81defe312fb0d95d3c5a8e8728f4efd8cb433bfab0b3e1f265fffdc4e0ad687247d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9o87lv0ox9o
MD5
6dd6b2f57140830efdc0592e13806717

SHA1
309088c2e4ace855e4befd9973eaf9fd6b942ddb

SHA256
f2ef3b579ffd5f12c77522967c2b41725d0f72a1865ee0e32bc5747324fb9cdb

SHA512
8edbc94afc1ebce3d2a41c6b72b8270326f16b5a1ab6718edbd0554dfb7433ec34c82158fb12d561aeb51ab9c3e77cbc31b8307cf7f954e728975667f9057caf

Download Submit
\Users\Admin\AppData\Local\Temp\nsaEB6B.tmp\oirygpbyia.dll
MD5
6d2a0ca8aac6594e4f037d3cecdace3b

SHA1
2fdc815752d2483ae536ed60dd2104b0e5cc2abd

SHA256
f7a3aa43e037f6b25c8070b3aaac9f0c5037abb1c4d01afd30a6f52f7c44f468

SHA512
cacc25100aedd926141416ef443dd40f03cb6b1512129bd707fc8ece1c9db2ad9a1de559e8cb3d29b569e2b1b843822f4ef681c4ea33bc5a6a290a3f17bdb7ee

Download Submit
\Users\Admin\AppData\Local\Temp\nspD530.tmp\oirygpbyia.dll
MD5
6d2a0ca8aac6594e4f037d3cecdace3b

SHA1
2fdc815752d2483ae536ed60dd2104b0e5cc2abd

SHA256
f7a3aa43e037f6b25c8070b3aaac9f0c5037abb1c4d01afd30a6f52f7c44f468

SHA512
cacc25100aedd926141416ef443dd40f03cb6b1512129bd707fc8ece1c9db2ad9a1de559e8cb3d29b569e2b1b843822f4ef681c4ea33bc5a6a290a3f17bdb7ee

Download Submit
memory/1488-131-0x0000000000000000-mapping.dmp

Download
memory/1568-125-0x0000000000000000-mapping.dmp

Download
memory/1976-137-0x000000000041D400-mapping.dmp

Download
memory/1976-139-0x0000000000B00000-0x0000000000E20000-memory.dmp

Filesize
3.1MB

Download
memory/2296-121-0x0000000002D20000-0x0000000002DE2000-memory.dmp

Filesize
776KB

Download
memory/2296-128-0x0000000002EA0000-0x0000000002F5A000-memory.dmp

Filesize
744KB

Download
memory/3964-129-0x0000000000000000-mapping.dmp

Download
memory/4856-126-0x0000000003200000-0x000000000334A000-memory.dmp

Filesize
1.3MB

Download
memory/4856-127-0x00000000036F0000-0x0000000003780000-memory.dmp

Filesize
576KB

Download
memory/4856-124-0x0000000002F50000-0x0000000002F79000-memory.dmp

Filesize
164KB

Download
memory/4856-123-0x0000000000EA0000-0x0000000000EAB000-memory.dmp

Filesize
44KB

Download
memory/4856-122-0x0000000000000000-mapping.dmp

Download
memory/4880-119-0x0000000000AD0000-0x0000000000DF0000-memory.dmp

Filesize
3.1MB

Download
memory/4880-120-0x00000000009D0000-0x00000000009E1000-memory.dmp

Filesize
68KB

Download
memory/4880-117-0x000000000041D400-mapping.dmp

Download
memory/4880-116-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads