Analysis
-
max time kernel
1798s -
max time network
1799s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
21-10-2021 12:24
General
-
Target
51cd4ea4c20552f51824b13af3a93360.exe
-
Size
847KB
-
MD5
51cd4ea4c20552f51824b13af3a93360
-
SHA1
1f85673268160d356cc66056e18e721646a51034
-
SHA256
891ff9447dec210b5897080666b8281d7387206c14dba7587465e16bd2efa117
-
SHA512
add0bc6bec599694cdd9c19101edf0b66a914aa4198ed9f10d23e4c14b8bf2708c992917326974007c59c4e6e5c49063c0e1ade25556cdc19ae9dc1a8c79fbcf
Malware Config
Extracted
xloader
2.5
sb6n
http://www.best5amazon.com/sb6n/
bogosamba.com
inmobiliariapuertalavilla.com
nopressurewellness.com
hairshopamity.com
epicmoments360.com
tutorgpa.com
fucibou.xyz
135631.com
portraydashcam.com
raqsarabia.com
okantis.net
vongquaykimcuongfreefire.online
prodom.online
5537sbishop.info
lisakenneyinc.com
fivetime.xyz
borzv.com
joungla.com
mas-urbano.com
sjczyw.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload 3 IoCs
-
Adds policy Run key to start application 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\51cd4ea4c20552f51824b13af3a93360.exe"C:\Users\Admin\AppData\Local\Temp\51cd4ea4c20552f51824b13af3a93360.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mobsync.exeC:\Windows\System32\mobsync.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\Trast.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "4⤵
- Modifies registry key
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I4⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\nest.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f3⤵
- Modifies registry key
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\mobsync.exe"3⤵
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"3⤵
-
C:\Program Files (x86)\Qqpg4a\certmgrypt0a.exe"C:\Program Files (x86)\Qqpg4a\certmgrypt0a.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Qqpg4a\certmgrypt0a.exeMD5
cca67bd391cfc9f036323b2522887a6a
SHA102a887df2f485a19a051af0f3d01dac006dd9a83
SHA25679f5bc1ad13a5575a52d39a000d0873b31865659b5efc66a7fef5e43e54c38b9
SHA512964fd8659f8a1f2043ee91245755bd7c053c95f2253de8887d9761aaaaad5c3626e0575340af2461a0827497a76741d070ca23953361af990ab13eaa6e958d95
-
C:\Program Files (x86)\Qqpg4a\certmgrypt0a.exeMD5
cca67bd391cfc9f036323b2522887a6a
SHA102a887df2f485a19a051af0f3d01dac006dd9a83
SHA25679f5bc1ad13a5575a52d39a000d0873b31865659b5efc66a7fef5e43e54c38b9
SHA512964fd8659f8a1f2043ee91245755bd7c053c95f2253de8887d9761aaaaad5c3626e0575340af2461a0827497a76741d070ca23953361af990ab13eaa6e958d95
-
C:\Users\Public\Trast.batMD5
4068c9f69fcd8a171c67f81d4a952a54
SHA14d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA25624222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
-
C:\Users\Public\UKO.batMD5
eaf8d967454c3bbddbf2e05a421411f8
SHA16170880409b24de75c2dc3d56a506fbff7f6622c
SHA256f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
-
C:\Users\Public\nest.batMD5
8ada51400b7915de2124baaf75e3414c
SHA11a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA25645aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA5129afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
-
memory/336-82-0x0000000000000000-mapping.dmp
-
memory/840-67-0x0000000000000000-mapping.dmp
-
memory/1064-68-0x0000000000000000-mapping.dmp
-
memory/1200-65-0x0000000000000000-mapping.dmp
-
memory/1352-75-0x0000000006B50000-0x0000000006CD4000-memory.dmpFilesize
1.5MB
-
memory/1352-85-0x0000000006E00000-0x0000000006F00000-memory.dmpFilesize
1024KB
-
memory/1484-59-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1484-72-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/1484-71-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/1484-73-0x0000000000B60000-0x0000000000E63000-memory.dmpFilesize
3.0MB
-
memory/1484-74-0x0000000000280000-0x0000000000291000-memory.dmpFilesize
68KB
-
memory/1484-61-0x0000000000000000-mapping.dmp
-
memory/1484-58-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/1516-84-0x0000000000000000-mapping.dmp
-
memory/1584-55-0x00000000001B0000-0x00000000001B1000-memory.dmpFilesize
4KB
-
memory/1584-56-0x0000000000261000-0x0000000000275000-memory.dmpFilesize
80KB
-
memory/1584-57-0x0000000075D31000-0x0000000075D33000-memory.dmpFilesize
8KB
-
memory/1604-69-0x0000000000000000-mapping.dmp
-
memory/1608-63-0x0000000000000000-mapping.dmp
-
memory/1824-87-0x0000000000000000-mapping.dmp
-
memory/1824-90-0x0000000072E21000-0x0000000072E23000-memory.dmpFilesize
8KB
-
memory/1896-77-0x0000000000000000-mapping.dmp
-
memory/1964-81-0x00000000005D0000-0x0000000000660000-memory.dmpFilesize
576KB
-
memory/1964-78-0x00000000008A0000-0x00000000008A6000-memory.dmpFilesize
24KB
-
memory/1964-80-0x00000000008B0000-0x0000000000BB3000-memory.dmpFilesize
3.0MB
-
memory/1964-79-0x0000000000130000-0x0000000000159000-memory.dmpFilesize
164KB
-
memory/1964-76-0x0000000000000000-mapping.dmp