Analysis
max time kernel
151s
max time network
164s
platform
windows10_x64
resource
win10-en-20210920
submitted
22-10-2021 03:34
Static task
static1
Behavioral task
behavioral1
Sample
XLOQKH087654560780098765.exe
Resource
win7-en-20210920
General
Target
XLOQKH087654560780098765.exe
Size
416KB
MD5
1a3bcd7f400b0d7a37166c1c5af7f886
SHA1
a654cdfc29951ac2e77af3fbbbd7160b5205c8f9
SHA256
fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d
SHA512
47974116e9b5b0cc6407fe7c651619b6fef5af7df0190d3b4e5c906a1520ed66ae7e4e1af6e578bf93af9dbd3625845678fd834aea15db9082dad2abbd77f69f
Malware Config
Extracted
xloader
2.5
iaop
http://www.georgeinnhatherleigh.com/iaop/
oosakichi.com
group1beadles.com
navegadorexclusivo.digital
awefca.xyz
strakerwilliams.com
stone-img.com
radialodge.com
tequesquitengo.net
humanegardens.com
rubberyporqjp.xyz
farazkhak.com
gfsexpornvideos.com
stealth-carrier.com
hemtpi.xyz
tygcj.com
agileiance.com
ioan316.com
kitchendesigns.xyz
shannacarolphotography.com
oheytech88.net
dashiter.com
zijinmenhu.com
dmfiller.com
amberchee.com
farmaciaepspllu.com
help-kmcsupport.com
naxek.com
yuumgo.academy
baopishuizhong.com
appcast-64.com
vpm-vektra.com
privygym.com
texascyclerepair.com
queerstakepool.com
maxicashprokil.xyz
enchantbnuyxc.xyz
heyunshangcheng.info
blockchainsupport.company
consultoriathayanechlad.com
cigreencig.com
enriquelopez.net
ultimateexitstrategy.com
jesuspodcast.biz
wecuxs.com
louroblottoyof2.xyz
12monthmillionairetraining.com
autoecoleamiens.com
kokko-kids.com
uniquecarbonbrush.com
fardaruilen.quest
generalcontractortheodoreal.com
kare-furniture.com
odnglobal.com
rihaltravels.com
jdlpcpa.com
websupportoutlook.com
sonyagivensrealty.com
johnmcnamaraimages.net
fa7777.xyz
northvisiondigital.com
docteurhouyengah.com
contactcenter7.email
lebenohnefleisch.com
sign-egypt.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload 4 IoCs
resource | yara_rule
behavioral2/memory/4344-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/4344-117-0x000000000041D4E0-mapping.dmp | xloader
behavioral2/memory/4336-125-0x0000000000950000-0x0000000000979000-memory.dmp | xloader
behavioral2/memory/1640-135-0x000000000041D4E0-mapping.dmp | xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: ipconfig.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WP4TRHTPZD = "C:\\Program Files (x86)\\Mal7tuf\\ith8ftbp3f3dufw.exe" | ipconfig.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | ipconfig.exe
Executes dropped EXE 2 IoCs
Processes: ith8ftbp3f3dufw.exe
pid | process
4680 | ith8ftbp3f3dufw.exe
1640 | ith8ftbp3f3dufw.exe
Loads dropped DLL 2 IoCs
Processes: XLOQKH087654560780098765.exe, ith8ftbp3f3dufw.exe
pid | process
1992 | XLOQKH087654560780098765.exe
4680 | ith8ftbp3f3dufw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes: XLOQKH087654560780098765.exe, ipconfig.exe, ith8ftbp3f3dufw.exe
description | pid | process | target process
PID 1992 set thread context of 4344 | 1992 | XLOQKH087654560780098765.exe | XLOQKH087654560780098765.exe
PID 4344 set thread context of 3048 | 4344 | XLOQKH087654560780098765.exe | Explorer.EXE
PID 4336 set thread context of 3048 | 4336 | ipconfig.exe | Explorer.EXE
PID 4680 set thread context of 1640 | 4680 | ith8ftbp3f3dufw.exe | ith8ftbp3f3dufw.exe
Drops file in Program Files directory 4 IoCs
Processes: ipconfig.exe, Explorer.EXE
description | ioc | process
File opened for modification | C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | ipconfig.exe
File opened for modification | C:\Program Files (x86)\Mal7tuf | Explorer.EXE
File created | C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
resource | yara_rule
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | nsis_installer_1
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | nsis_installer_2
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | nsis_installer_1
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | nsis_installer_2
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | nsis_installer_1
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe | nsis_installer_2
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
pid | process
4336 | ipconfig.exe
Modifies Internet Explorer settings (signature name taken from the process tree below; the heading was missing here)
Processes: ipconfig.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | ipconfig.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: XLOQKH087654560780098765.exe, ipconfig.exe, ith8ftbp3f3dufw.exe
pid | process (60 entries in the order recorded; consecutive repeats collapsed)
4344 | XLOQKH087654560780098765.exe (4 entries)
4336 | ipconfig.exe (46 entries)
1640 | ith8ftbp3f3dufw.exe (2 entries)
4336 | ipconfig.exe (8 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3048 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: XLOQKH087654560780098765.exe, ipconfig.exe
pid | process (7 entries; consecutive repeats collapsed)
4344 | XLOQKH087654560780098765.exe (3 entries)
4336 | ipconfig.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: XLOQKH087654560780098765.exe, ipconfig.exe, Explorer.EXE, ith8ftbp3f3dufw.exe
description | pid | process
Token: SeDebugPrivilege | 4344 | XLOQKH087654560780098765.exe
Token: SeDebugPrivilege | 4336 | ipconfig.exe
Token: SeShutdownPrivilege | 3048 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3048 | Explorer.EXE
Token: SeDebugPrivilege | 1640 | ith8ftbp3f3dufw.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes: XLOQKH087654560780098765.exe, Explorer.EXE, ipconfig.exe, ith8ftbp3f3dufw.exe
description | pid | process | target process (27 entries in the order recorded; consecutive repeats collapsed)
PID 1992 wrote to memory of 4344 | 1992 | XLOQKH087654560780098765.exe | XLOQKH087654560780098765.exe (6 entries)
PID 3048 wrote to memory of 4336 | 3048 | Explorer.EXE | ipconfig.exe (3 entries)
PID 4336 wrote to memory of 4608 | 4336 | ipconfig.exe | cmd.exe (3 entries)
PID 3048 wrote to memory of 4680 | 3048 | Explorer.EXE | ith8ftbp3f3dufw.exe (3 entries)
PID 4680 wrote to memory of 1640 | 4680 | ith8ftbp3f3dufw.exe | ith8ftbp3f3dufw.exe (6 entries)
PID 4336 wrote to memory of 1860 | 4336 | ipconfig.exe | cmd.exe (3 entries)
PID 4336 wrote to memory of 2408 | 4336 | ipconfig.exe | Firefox.exe (3 entries)
Processes (indented by depth in the process tree)

[depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\ipconfig.exe
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Gathers network information
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\XLOQKH087654560780098765.exe"

    [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    [depth 3] C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

  [depth 2] C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe
    Command line: "C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe
      Command line: "C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Mal7tuf\ith8ftbp3f3dufw.exe
MD5 1a3bcd7f400b0d7a37166c1c5af7f886
SHA1 a654cdfc29951ac2e77af3fbbbd7160b5205c8f9
SHA256 fe63755f7b7c30e933cb3897136a75a7d1903ca044a04ef9bd91d426596f279d
SHA512 47974116e9b5b0cc6407fe7c651619b6fef5af7df0190d3b4e5c906a1520ed66ae7e4e1af6e578bf93af9dbd3625845678fd834aea15db9082dad2abbd77f69f
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5 b608d407fc15adea97c26936bc6f03f6
SHA1 953e7420801c76393902c0d6bb56148947e41571
SHA256 b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512 cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\xmwdsxgcbx
MD5 28c36cfcee2bff9f2af905e973e386c5
SHA1 3db60e28dd7050e9b0bfea09ba0354b8016c2c8f
SHA256 611be1073851b5062133dc67ae178e3b1c2ae43e16b2fb54a80d5c38b335a81b
SHA512 456d1dc1f811be740a3c8cbc3adc19f3e48aa9fe03a4d05173a64f90323db441be78a88024e1f029f4ea8dae3e450eee6e5b4e6a5c5b0b90b497804d7ac53f55
-
\Users\Admin\AppData\Local\Temp\nsiBB49.tmp\wvhivcwcy.dll
MD5 5d0d2589c6c859b43bb0e6c6b88fa767
SHA1 4085e250109fefddf1a35b3fb3fadc66714effda
SHA256 6de76b65e1561c0897a3261b9fe55ac75ef4d1e2456a302a9257dc38dcb81d1e
SHA512 8ef33f865ed19fd6779e7520590bbe1aa864cc5f7e3222f314f6953abcbc7537aaf2397f0b91a720db3e220cea1c3da15ec453ea1d5bb82a7d783bf5853b68af
-
\Users\Admin\AppData\Local\Temp\nssCAE3.tmp\wvhivcwcy.dll
MD5 5d0d2589c6c859b43bb0e6c6b88fa767
SHA1 4085e250109fefddf1a35b3fb3fadc66714effda
SHA256 6de76b65e1561c0897a3261b9fe55ac75ef4d1e2456a302a9257dc38dcb81d1e
SHA512 8ef33f865ed19fd6779e7520590bbe1aa864cc5f7e3222f314f6953abcbc7537aaf2397f0b91a720db3e220cea1c3da15ec453ea1d5bb82a7d783bf5853b68af
-
memory/1640-138-0x0000000000AD0000-0x0000000000DF0000-memory.dmp
Filesize 3.1MB
-
memory/1640-135-0x000000000041D4E0-mapping.dmp
-
memory/1860-137-0x0000000000000000-mapping.dmp
-
memory/3048-121-0x00000000049F0000-0x0000000004B78000-memory.dmp
Filesize 1.5MB
-
memory/3048-128-0x0000000004B80000-0x0000000004D0D000-memory.dmp
Filesize 1.6MB
-
memory/4336-127-0x0000000003130000-0x00000000031C0000-memory.dmp
Filesize 576KB
-
memory/4336-126-0x0000000003460000-0x0000000003780000-memory.dmp
Filesize 3.1MB
-
memory/4336-124-0x0000000001120000-0x000000000112B000-memory.dmp
Filesize 44KB
-
memory/4336-125-0x0000000000950000-0x0000000000979000-memory.dmp
Filesize 164KB
-
memory/4336-122-0x0000000000000000-mapping.dmp
-
memory/4344-120-0x00000000005C0000-0x00000000005D1000-memory.dmp
Filesize 68KB
-
memory/4344-118-0x0000000000A90000-0x0000000000DB0000-memory.dmp
Filesize 3.1MB
-
memory/4344-117-0x000000000041D4E0-mapping.dmp
-
memory/4344-116-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize 164KB
-
memory/4608-123-0x0000000000000000-mapping.dmp
-
memory/4680-129-0x0000000000000000-mapping.dmp