Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-10-2021 05:11
Static task: static1
Behavioral task: behavioral1
Sample: Shipping_Doc190dk0lwt837.exe
Resource: win7-en-20211014
General
- Target: Shipping_Doc190dk0lwt837.exe
- Size: 249KB
- MD5: 2d0ac0a8f2d2aea1f05429585c1bdc4c
- SHA1: 3657594459b01c0c918e0deeaf3ad7f05a4efd90
- SHA256: f1d7ead1ca0f3e39c12bf5b67bb35cfc745acf0f587c2d6ce45eb2904f44aaa7
- SHA512: 863b35e33b0b09aece9268c83ca3411180c23463a01e6b93744b978199c7fc386ecaddf0776588be59bcf41b46f4584e7405a17f1ee3cc64df602655036f92e7
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: u5eh
- C2: http://www.retonamoss.com/u5eh/
- Decoy domains:
tryafaq.com
bobcathntshop.com
oglead.com
026skz.xyz
brasbux.com
adna17.com
noveltyrofjiy.xyz
realestatecompanys.com
leman-web.com
df5686.com
jonathonhawkins.com
juliedominyfloralartistry.com
classyeventsco.com
aquaticatt.com
iotworld.xyz
hoc8.com
disposablediapers.store
peregovorim.online
advancebits.club
getaburialplan.com
tiger-trails.com
dnbaba.com
492981.com
eclipse-electrical-euless.com
cassandracchase.com
healthrightmeds.club
permkray.club
tawazoun-dz.com
extrabladet.com
offmanage.com
peoplexplants.com
mumkungiyim.com
personal-email-office-mgt.com
bjmysa.com
hopshomes.com
cnj-power.com
trendproduct.tech
chauffeuredaustralia.online
176ssjp0033.xyz
52juns.com
rewriringcanada.com
seabourneboats.com
sevensummittrek.com
retalent.agency
lz4ios.cloud
mindandbodyalignment.com
bedrijfmail-trk.com
bashmoney.net
xc3654.com
infiteltech.com
sh-hywz.com
huataiqche.com
grannyh.com
devinwithani.com
kingstons.info
fakedocshyundaigiveaway.com
bigsyncmusic.info
predstavnuk.com
frontiervalley8.com
timdpr.com
smartgymadmin.com
brsgeniusschool.com
tuckertractorworks.com
espchange.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4208-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/4208-117-0x000000000041D3E0-mapping.dmp | xloader
behavioral2/memory/4024-125-0x0000000000BE0000-0x0000000000C09000-memory.dmp | xloader

Loads dropped DLL (1 IoC)
pid | process
1836 | Shipping_Doc190dk0lwt837.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1836 set thread context of 4208 | 1836 | Shipping_Doc190dk0lwt837.exe | Shipping_Doc190dk0lwt837.exe
PID 4208 set thread context of 3060 | 4208 | Shipping_Doc190dk0lwt837.exe | Explorer.EXE
PID 4024 set thread context of 3060 | 4024 | cmstp.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
pid | process | hits
4208 | Shipping_Doc190dk0lwt837.exe | 4
4024 | cmstp.exe | 56

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3060 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | hits
4208 | Shipping_Doc190dk0lwt837.exe | 3
4024 | cmstp.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4208 | Shipping_Doc190dk0lwt837.exe
Token: SeDebugPrivilege | 4024 | cmstp.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process | hits
PID 1836 wrote to memory of 4208 | 1836 | Shipping_Doc190dk0lwt837.exe | Shipping_Doc190dk0lwt837.exe | 6
PID 3060 wrote to memory of 4024 | 3060 | Explorer.EXE | cmstp.exe | 3
PID 4024 wrote to memory of 4008 | 4024 | cmstp.exe | cmd.exe | 3
Processes (tree; the level number and indentation show parent/child; PIDs are taken from the Signatures tables above)

1. C:\Windows\Explorer.EXE (PID 3060)
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Shipping_Doc190dk0lwt837.exe (PID 1836)
      command line: "C:\Users\Admin\AppData\Local\Temp\Shipping_Doc190dk0lwt837.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Shipping_Doc190dk0lwt837.exe (PID 4208)
         command line: "C:\Users\Admin\AppData\Local\Temp\Shipping_Doc190dk0lwt837.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmstp.exe (PID 4024)
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe (PID 4008)
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\Shipping_Doc190dk0lwt837.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsz9D1C.tmp\hkdklixzga.dll
  MD5: fe53df25d11886ebd5c24164328ca8bf
  SHA1: 3d051e82d0bd8bbd4c5647ab11a36e8fe0407631
  SHA256: d3827d83d541e98cff0bb89a27c2db75e59b62ed57a934cc8c9e6a9623864716
  SHA512: 578a786ea59572ae33b245314493bfda501eadde6bfcad2e20fd45e39e7d2e6e237403ed912f38aebd3fa79c582f27e7846f0896e22e01d1e276abcb8b32eecc
- memory/3060-121-0x0000000004D30000-0x0000000004EAD000-memory.dmp (Filesize: 1.5MB)
- memory/3060-128-0x00000000008E0000-0x000000000098B000-memory.dmp (Filesize: 684KB)
- memory/4008-123-0x0000000000000000-mapping.dmp
- memory/4024-125-0x0000000000BE0000-0x0000000000C09000-memory.dmp (Filesize: 164KB)
- memory/4024-122-0x0000000000000000-mapping.dmp
- memory/4024-124-0x0000000000D60000-0x0000000000D76000-memory.dmp (Filesize: 88KB)
- memory/4024-126-0x0000000004F50000-0x0000000005270000-memory.dmp (Filesize: 3.1MB)
- memory/4024-127-0x0000000004CA0000-0x0000000004D30000-memory.dmp (Filesize: 576KB)
- memory/4208-120-0x0000000000A00000-0x0000000000A11000-memory.dmp (Filesize: 68KB)
- memory/4208-118-0x0000000000A50000-0x0000000000D70000-memory.dmp (Filesize: 3.1MB)
- memory/4208-117-0x000000000041D3E0-mapping.dmp
- memory/4208-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)