Analysis
max time kernel: 147s
max time network: 168s
platform: windows7_x64
resource: win7-en-20210920
submitted: 21-10-2021 18:22
Static task: static1
Behavioral task: behavioral1
Sample: DHL invoice KULIR00895239.pdf.exe
Resource: win7-en-20210920
General
Target: DHL invoice KULIR00895239.pdf.exe
Size: 438KB
MD5: f668e4c9cc8a691b159e2033f30f50b5
SHA1: 3ef37ae10df8f196b68f69db29a7f369fa181970
SHA256: 07826de5569163107133c374c0f4fde7f494118f127cce285a2a280d98b2dd3b
SHA512: 92cef7c693652fbd31f878b2f5a759c6bacfc07e479a64cf0ce8ddb9cf35468c4a0630eac572185b90b1fc7e7076e3b6f6859d1ad39c7da7d1fdffb8cf67d90d
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: m6t2
C2 URL: http://www.vmhenterprise.com/m6t2/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (4 IoCs)
  resource / yara_rule:
    behavioral1/memory/908-62-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/908-63-0x000000000041D450-mapping.dmp  xloader
    behavioral1/memory/908-68-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral1/memory/1808-74-0x00000000000C0000-0x00000000000E9000-memory.dmp  xloader
- Deletes itself (1 IoC)
  pid / process:
    1036  cmd.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description / pid / process / target process:
    PID 1044 set thread context of 908   1044  DHL invoice KULIR00895239.pdf.exe  DHL invoice KULIR00895239.pdf.exe
    PID 908 set thread context of 1204   908   DHL invoice KULIR00895239.pdf.exe  Explorer.EXE
    PID 908 set thread context of 1204   908   DHL invoice KULIR00895239.pdf.exe  Explorer.EXE
    PID 1808 set thread context of 1204  1808  control.exe  Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid / process:
    908   DHL invoice KULIR00895239.pdf.exe  (3 entries)
    1808  control.exe  (19 entries)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process:
    908   DHL invoice KULIR00895239.pdf.exe  (4 entries)
    1808  control.exe  (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description / pid / process:
    Token: SeDebugPrivilege  908   DHL invoice KULIR00895239.pdf.exe
    Token: SeDebugPrivilege  1808  control.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid / process:
    1204  Explorer.EXE  (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid / process:
    1204  Explorer.EXE  (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  description / pid / process / target process:
    PID 1044 wrote to memory of 908   1044  DHL invoice KULIR00895239.pdf.exe  DHL invoice KULIR00895239.pdf.exe  (7 entries)
    PID 1204 wrote to memory of 1808  1204  Explorer.EXE  control.exe  (4 entries)
    PID 1808 wrote to memory of 1036  1808  control.exe  cmd.exe  (4 entries)
Processes
- C:\Windows\Explorer.EXE  (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe  (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\control.exe  (depth 2)
    command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe  (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DHL invoice KULIR00895239.pdf.exe"
      - Deletes itself
Downloads
file / Filesize:
- memory/908-66-0x00000000001C0000-0x00000000001D1000-memory.dmp  68KB
- memory/908-65-0x0000000000AB0000-0x0000000000DB3000-memory.dmp  3.0MB
- memory/908-69-0x00000000002A0000-0x00000000002B1000-memory.dmp  68KB
- memory/908-63-0x000000000041D450-mapping.dmp
- memory/908-60-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/908-61-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/908-62-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/908-68-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/1036-76-0x0000000000000000-mapping.dmp
- memory/1044-57-0x0000000000A90000-0x0000000000A97000-memory.dmp  28KB
- memory/1044-56-0x00000000768C1000-0x00000000768C3000-memory.dmp  8KB
- memory/1044-59-0x0000000002050000-0x000000000209B000-memory.dmp  300KB
- memory/1044-58-0x0000000004D40000-0x0000000004D41000-memory.dmp  4KB
- memory/1044-54-0x0000000000140000-0x0000000000141000-memory.dmp  4KB
- memory/1204-78-0x0000000004C40000-0x0000000004D23000-memory.dmp  908KB
- memory/1204-70-0x0000000004B40000-0x0000000004C33000-memory.dmp  972KB
- memory/1204-67-0x00000000049E0000-0x0000000004B31000-memory.dmp  1.3MB
- memory/1808-71-0x0000000000000000-mapping.dmp
- memory/1808-74-0x00000000000C0000-0x00000000000E9000-memory.dmp  164KB
- memory/1808-73-0x0000000000C20000-0x0000000000C3F000-memory.dmp  124KB
- memory/1808-75-0x0000000002040000-0x0000000002343000-memory.dmp  3.0MB
- memory/1808-77-0x0000000000840000-0x00000000008D0000-memory.dmp  576KB