Analysis
max time kernel: 149s
max time network: 170s
platform: windows7_x64
resource: win7-en-20210920
submitted: 25-10-2021 09:18
Static task: static1
Behavioral task: behavioral1
Sample: ??__ ? __ ?????__ ??? __ ...pdf.....exe
Resource: win7-en-20210920
General
Target: ??__ ? __ ?????__ ??? __ ...pdf.....exe
Size: 395KB
MD5: b68d6bb055b0fb1367900eaee876dd20
SHA1: 46721ae469d81070727744a16f02d8c88144e99f
SHA256: b0fe839ee84678c067828ee5d5d48a30e2588c4a29fd9402609a335fe667c91d
SHA512: 890f7cf60b16ed5d7edb935fb5e2c4a4397751e67e01654d09022a45290fd7d46f24786be99af3bc99a9964458be757d82756c074cd07d032197c27cb00b6e9e
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID (URI path requested on every configured host): s86j
C2 URL: http://www.emboldenlife.net/s86j/
Decoy domains (64 entries; the same /s86j/ path is requested on these as on the C2, so the path is the more durable network indicator):
getlumichargeserver.com
act-vitaalcoach.store
craftgeekz.com
monetflowerfarm.com
morakotislandrealty.com
onlineastrologeruk.com
evvpsml.com
hnbtc.net
auxiliacapitalpartnersllc.com
rdwoodworksstore.com
shulwinfitness.com
arterialhealthgrids.com
cryptork.biz
solomini-tech.com
porttownsendapartments.com
poprumor.com
assetsauctioneer.com
electronics2anyone.com
upskillpme.online
247fooddelivery.com
mceservicesnc.com
folge-meinempaket-de.com
saharaparkhurghada.com
flokitheshibainu.com
javcobra.com
hendrik-michels.com
pouyatec.com
vimaset.com
yourhockeyskates.com
nutri6si.com
sb019.com
green1994.com
gisellajewelry.com
nautical.store
babysneakersparis.com
seasonwiththereason.com
awonder.website
tamiltalks.com
klantbeheer.xyz
gangsishuawang.com
silverhavencap.com
pinksalt.care
456fuli.com
gabesfish.online
myveguiolcusbyopapp.com
sexwihmuslims.com
katiedraznin.com
sodavaranmali.com
rwcfrance2023tv.com
a2zroofingrepairs.com
safehousecamera.com
hinge.wtf
alphiver.com
corcentric-intl.com
moonenterprise.guru
cheburgent.com
elitecouriercs.com
raj56i.biz
incorporamovimiento.com
veritypedia.com
bamasaltwatercookbook.com
spdh04.xyz
thewayweseetheworld.info
ella.tech
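The configuration above turned into network indicators and run over a few proxy log lines. This is an added example, not part of the sandbox report. It assumes the FormBook/XLoader convention that the campaign path ("s86j") is requested on every configured domain and that the bare decoy names receive a "www." prefix at run time (the configured C2 string already carries one), plus a simple "timestamp client METHOD url" log layout. The decoy list is truncated to four entries and the log lines are constructed for the demo.

```python
import re
from urllib.parse import urlsplit

# Values copied from the report's "Malware Config" block; the decoy list is
# truncated here to keep the example short (the page lists 64 entries).
XLOADER_CONFIG = """\
xloader
2.5
s86j
http://www.emboldenlife.net/s86j/
getlumichargeserver.com
act-vitaalcoach.store
craftgeekz.com
hnbtc.net
"""


def parse_config(text):
    """Split the config block into named fields, in the order the report prints them."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block is too short")
    family, version, campaign, c2 = lines[:4]
    return {"family": family, "version": version, "campaign": campaign,
            "c2": c2, "decoys": lines[4:]}


def bare_host(host):
    """Lower-case a host and drop a leading 'www.' so the configured C2
    (www.emboldenlife.net) and the bare decoy names compare alike
    (assumption: the malware prefixes 'www.' to decoys at run time)."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def candidate_hosts(cfg):
    """Every host the sample may beacon to: the real C2 plus all decoys."""
    hosts = {bare_host(urlsplit(cfg["c2"]).hostname)}
    hosts.update(bare_host(d) for d in cfg["decoys"])
    return hosts


# Assumed proxy log layout: "<timestamp> <client> <METHOD> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def match_proxy_logs(cfg, lines):
    """Return (client, host, reason) for each line touching a configured host
    or the campaign path. The path is the stronger signal: it is identical on
    the real C2 and on every decoy, so a hit on an unlisted host still matters."""
    hosts = candidate_hosts(cfg)
    path_prefix = "/" + cfg["campaign"] + "/"
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        host = bare_host(url.hostname)
        host_hit = host in hosts
        path_hit = url.path.startswith(path_prefix)
        if host_hit and path_hit:
            hits.append((m["src"], host, "configured host with campaign path"))
        elif path_hit:
            hits.append((m["src"], host, "campaign path on unlisted host"))
        elif host_hit:
            hits.append((m["src"], host, "configured host, other path"))
    return hits


# Constructed log lines for the demo; the query strings are invented.
SAMPLE_LOGS = [
    "2021-10-25T09:19:02Z 10.0.0.12 GET http://www.emboldenlife.net/s86j/?qz1=QWJjZA==&be=1",
    "2021-10-25T09:19:05Z 10.0.0.12 GET http://www.hnbtc.net/s86j/?qz1=ZGVm&be=1",
    "2021-10-25T09:19:07Z 10.0.0.12 POST http://www.craftgeekz.com/s86j/",
    "2021-10-25T09:19:09Z 10.0.0.12 GET http://cdn.example.org/s86j/?x=1",
    "2021-10-25T09:19:10Z 10.0.0.13 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    cfg = parse_config(XLOADER_CONFIG)
    for hit in match_proxy_logs(cfg, SAMPLE_LOGS):
        print(*hit)
```

Blocking only the C2 host from the report would miss the decoy traffic; matching on the campaign path catches the real check-in, the decoys, and any host the analyst does not yet know about.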
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)

Xloader Payload 3 IoCs
resource                                                                      yara_rule
behavioral1/memory/1292-62-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral1/memory/1292-63-0x000000000041D4F0-mapping.dmp                     xloader
behavioral1/memory/1120-72-0x0000000000090000-0x00000000000B9000-memory.dmp   xloader

Deletes itself 1 IoCs
pid   process
1468  cmd.exe

Suspicious use of SetThreadContext 3 IoCs
description                          pid   process                                   target process
PID 1364 set thread context of 1292  1364  ____ _ __ _______ ___ __ ...pdf.....exe   ____ _ __ _______ ___ __ ...pdf.....exe
PID 1292 set thread context of 1204  1292  ____ _ __ _______ ___ __ ...pdf.....exe   Explorer.EXE
PID 1120 set thread context of 1204  1120  cmstp.exe                                 Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature calls it likely ransomware behaviour; for this sample, which the extracted configuration identifies as XLoader (an information stealer), drive enumeration is better read as reconnaissance or collection, and no file-encryption activity appears anywhere in this report.

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition written to the user's Temp directory (see the schtasks.exe command line in the process tree).
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid   process                                   hits
1364  ____ _ __ _______ ___ __ ...pdf.....exe   2
1292  ____ _ __ _______ ___ __ ...pdf.....exe   2
1120  cmstp.exe                                 21

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   process
1204  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
pid   process                                   hits
1292  ____ _ __ _______ ___ __ ...pdf.....exe   3
1120  cmstp.exe                                 2

Suspicious use of AdjustPrivilegeToken 3 IoCs
description              pid   process
Token: SeDebugPrivilege  1364  ____ _ __ _______ ___ __ ...pdf.....exe
Token: SeDebugPrivilege  1292  ____ _ __ _______ ___ __ ...pdf.....exe
Token: SeDebugPrivilege  1120  cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid   process       hits
1204  Explorer.EXE  2

Suspicious use of SendNotifyMessage 2 IoCs
pid   process       hits
1204  Explorer.EXE  2

Suspicious use of WriteProcessMemory 22 IoCs
description                       pid   process                                   target process                            hits
PID 1364 wrote to memory of 968   1364  ____ _ __ _______ ___ __ ...pdf.....exe   schtasks.exe                              4
PID 1364 wrote to memory of 1292  1364  ____ _ __ _______ ___ __ ...pdf.....exe   ____ _ __ _______ ___ __ ...pdf.....exe   7
PID 1204 wrote to memory of 1120  1204  Explorer.EXE                              cmstp.exe                                 7
PID 1120 wrote to memory of 1468  1120  cmstp.exe                                 cmd.exe                                   4
Processes
C:\Windows\Explorer.EXE (PID 1204), depth 1
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\____ _ __ _______ ___ __ ...pdf.....exe (PID 1364), depth 2
    command line: "C:\Users\Admin\AppData\Local\Temp\____ _ __ _______ ___ __ ...pdf.....exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID 968), depth 3
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEZCQueLPHvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp980B.tmp"
      (the 32-bit sample references System32; WOW64 file-system redirection resolves it to the SysWOW64 image shown)
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\____ _ __ _______ ___ __ ...pdf.....exe (PID 1292), depth 3
      command line: "C:\Users\Admin\AppData\Local\Temp\____ _ __ _______ ___ __ ...pdf.....exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmstp.exe (PID 1120), depth 2
    command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1468), depth 3
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\____ _ __ _______ ___ __ ...pdf.....exe"
      - Deletes itself
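Detection logic for the chain shown in the process tree: the sample hollows a copy of itself, that copy sets a thread context inside Explorer.EXE, Explorer then launches an argument-less cmstp.exe which is hollowed in turn, and the deletion of the original file is issued from cmstp.exe's cmd.exe child rather than from the sample. This is an added example, not part of the sandbox report. The event records are constructed from the tree and the SetThreadContext signature above (Explorer's parent is not shown, so it is None); the field names, the rule set and the short list of hollowing targets are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


# Process creations copied from the report's tree.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\____ _ __ _______ ___ __ ...pdf.....exe"
PROCS = [
    Proc(1204, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(1364, 1204, SAMPLE, '"' + SAMPLE + '"'),
    Proc(968, 1364, r"C:\Windows\SysWOW64\schtasks.exe",
         r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uEZCQueLPHvB" '
         r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp980B.tmp"'),
    Proc(1292, 1364, SAMPLE, '"' + SAMPLE + '"'),
    Proc(1120, 1204, r"C:\Windows\SysWOW64\cmstp.exe", r'"C:\Windows\SysWOW64\cmstp.exe"'),
    Proc(1468, 1120, r"C:\Windows\SysWOW64\cmd.exe", '/c del "' + SAMPLE + '"'),
]
# (source pid, target pid) pairs from "Suspicious use of SetThreadContext".
SET_THREAD_CONTEXT = [(1364, 1292), (1292, 1204), (1120, 1204)]

# System binaries the family runs hollowed from Explorer. Short list for the
# example; extend it for production use (assumption).
HOLLOW_TARGETS = {"cmstp.exe", "cmmon32.exe", "msiexec.exe",
                  "rundll32.exe", "svchost.exe", "wuapp.exe"}

DOC_EXT_IN_EXE = re.compile(r"\.(pdf|doc|docx|xls|xlsx|rtf)\.+exe$", re.I)
SCHTASKS_XML_TEMP = re.compile(r'/create\b.*?/xml\s+"?[^"]*\\appdata\\local\\temp\\', re.I)
CMD_DEL = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, thread_ctx):
    """Run the chain-level rules and return (rule, pid) findings in order."""
    by_pid = {p.pid: p for p in procs}
    images = {p.image.lower() for p in procs}
    findings = []
    for p in procs:
        name = basename(p.image)
        parent = by_pid.get(p.ppid)
        # 1. document extension buried in an .exe name (the lure on this page)
        if DOC_EXT_IN_EXE.search(name):
            findings.append(("disguised_extension", p.pid))
        # 2. scheduled task created from an XML file dropped in %TEMP%
        if name == "schtasks.exe" and SCHTASKS_XML_TEMP.search(p.cmdline):
            findings.append(("schtasks_xml_from_temp", p.pid))
        # 3. Explorer launching a hollowing target with no arguments at all
        if (parent and basename(parent.image) == "explorer.exe"
                and name in HOLLOW_TARGETS
                and p.cmdline.strip().strip('"').lower() == p.image.lower()):
            findings.append(("explorer_spawns_lolbin", p.pid))
        # 4. cmd.exe deleting an image that ran in this tree, from any process
        #    (here from the hollowed cmstp.exe, not from the sample itself)
        if name == "cmd.exe":
            m = CMD_DEL.search(p.cmdline)
            if m and m.group(1).lower() in images:
                findings.append(("deletes_executed_image", p.pid))
    for src, dst in thread_ctx:
        s, d = by_pid.get(src), by_pid.get(dst)
        if not s or not d or src == dst:
            continue
        # 5a. hollowing a freshly created child that runs the same image
        if d.ppid == src and s.image.lower() == d.image.lower():
            findings.append(("hollowing_own_child", src))
        # 5b. anything setting a thread context inside Explorer
        elif basename(d.image) == "explorer.exe":
            findings.append(("injection_into_explorer", src))
    return findings


def summary(findings):
    """Group findings as rule -> [pids], keeping first-seen order."""
    out = {}
    for rule, pid in findings:
        out.setdefault(rule, []).append(pid)
    return out


if __name__ == "__main__":
    for rule, pids in summary(detect(PROCS, SET_THREAD_CONTEXT)).items():
        print(rule, pids)
```

Rule 4 is deliberately not limited to a process's own ancestors: because the sample reaches cmstp.exe through Explorer, the cmd.exe that deletes the dropped file has no ancestry link to the sample, and a parent-only check would miss it.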
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/968-59-0x0000000000000000-mapping.dmp
memory/1120-74-0x0000000001D80000-0x0000000001E10000-memory.dmp (576KB)
memory/1120-73-0x0000000001F10000-0x0000000002213000-memory.dmp (3.0MB)
memory/1120-72-0x0000000000090000-0x00000000000B9000-memory.dmp (164KB)
memory/1120-71-0x0000000000440000-0x0000000000458000-memory.dmp (96KB)
memory/1120-69-0x00000000768C1000-0x00000000768C3000-memory.dmp (8KB)
memory/1120-68-0x0000000000000000-mapping.dmp
memory/1204-67-0x0000000004820000-0x0000000004911000-memory.dmp (964KB)
memory/1204-75-0x0000000004A60000-0x0000000004AF8000-memory.dmp (608KB)
memory/1292-60-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/1292-66-0x00000000002A0000-0x00000000002B1000-memory.dmp (68KB)
memory/1292-65-0x0000000000840000-0x0000000000B43000-memory.dmp (3.0MB)
memory/1292-63-0x000000000041D4F0-mapping.dmp
memory/1292-62-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/1292-61-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
memory/1364-54-0x00000000002D0000-0x00000000002D1000-memory.dmp (4KB)
memory/1364-58-0x0000000004690000-0x00000000046DB000-memory.dmp (300KB)
memory/1364-57-0x0000000006EA0000-0x0000000006EA1000-memory.dmp (4KB)
memory/1364-56-0x00000000004B0000-0x00000000004B7000-memory.dmp (28KB)
memory/1468-70-0x0000000000000000-mapping.dmp

Note: the two dumps matched by the xloader YARA rule, 1292-62 (mapped at 0x400000 in the hollowed copy of the sample) and 1120-72 (mapped at 0x90000 in cmstp.exe), are both 0x29000 bytes, and each of those processes also holds a 0x303000-byte region (1292-65 and 1120-73). The 1292-63 mapping dump records an address, 0x41D4F0, that lies inside the first 0x29000-byte region. Those two 164KB dumps are the ones to start with when unpacking or writing signatures.