Analysis
max time kernel: 146s
max time network: 144s
platform: windows7_x64
resource: win7-en-20211014
submitted: 25-10-2021 09:02
Static task: static1
Behavioral task: behavioral1
Sample: HSBC_2021-25-10-017822019.exe
Resource: win7-en-20211014
General
Target: HSBC_2021-25-10-017822019.exe
Size: 331KB
MD5: 21dc547b12a42d23141c3a6321518e83
SHA1: 3f42a80a0ae6b917c0bc8486ea9b0b488e1619d2
SHA256: 754ba27dca23858f64933493e0162b9745b93a6c87cd0868bfec0019c88ed4e0
SHA512: 414ca9a23af8acf0e6158f596ead3af66bb8d7ce59f60820fa2f3a54a8df5f4977b8f3a5dfd48ec75eca195a7d2324394674bcbf221685ea01e89d942ffe2b1c
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ntfs
C2: http://www.164661.com/ntfs/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 4 IoCs
Processes (resource, yara_rule):
behavioral1/memory/1980-63-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/1980-64-0x000000000041D450-mapping.dmp  xloader
behavioral1/memory/1980-69-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/956-74-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
Deletes itself 1 IoCs
Processes (pid, process):
1476  cmd.exe
Suspicious use of SetThreadContext 4 IoCs
Processes (description; pid, process; target process):
PID 1376 set thread context of 1980; 1376 HSBC_2021-25-10-017822019.exe; HSBC_2021-25-10-017822019.exe
PID 1980 set thread context of 1384; 1980 HSBC_2021-25-10-017822019.exe; Explorer.EXE
PID 1980 set thread context of 1384; 1980 HSBC_2021-25-10-017822019.exe; Explorer.EXE
PID 956 set thread context of 1384; 956 svchost.exe; Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes (pid, process, occurrences):
1376  HSBC_2021-25-10-017822019.exe  (11 occurrences)
1980  HSBC_2021-25-10-017822019.exe  (3 occurrences)
956   svchost.exe  (16 occurrences)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes (pid, process, occurrences):
1980  HSBC_2021-25-10-017822019.exe  (4 occurrences)
956   svchost.exe  (2 occurrences)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description; pid, process):
Token: SeDebugPrivilege; 1376 HSBC_2021-25-10-017822019.exe
Token: SeDebugPrivilege; 1980 HSBC_2021-25-10-017822019.exe
Token: SeShutdownPrivilege; 1384 Explorer.EXE
Token: SeDebugPrivilege; 956 svchost.exe
Token: SeShutdownPrivilege; 1384 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process, occurrences):
1384  Explorer.EXE  (2 occurrences)
Suspicious use of SendNotifyMessage 2 IoCs
Processes (pid, process, occurrences):
1384  Explorer.EXE  (2 occurrences)
Suspicious use of WriteProcessMemory 19 IoCs
Processes (description; pid, process; target process; occurrences):
PID 1376 wrote to memory of 624; 1376 HSBC_2021-25-10-017822019.exe; schtasks.exe  (4 occurrences)
PID 1376 wrote to memory of 1980; 1376 HSBC_2021-25-10-017822019.exe; HSBC_2021-25-10-017822019.exe  (7 occurrences)
PID 1384 wrote to memory of 956; 1384 Explorer.EXE; svchost.exe  (4 occurrences)
PID 956 wrote to memory of 1476; 956 svchost.exe; cmd.exe  (4 occurrences)
Processes (process tree; indentation shows parent/child level)
C:\Windows\Explorer.EXE  (PID 1384)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe  (PID 1376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\schtasks.exe  (PID 624)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tOafpOTcPGDRrp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD18.tmp"
          - Creates scheduled task(s)
        C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe  (PID 1980)
          Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\svchost.exe  (PID 956)
      Command line: "C:\Windows\SysWOW64\svchost.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  (PID 1476)
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe"
          - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps; file size where reported)
memory/624-60-0x0000000000000000-mapping.dmp
memory/956-77-0x0000000000590000-0x0000000000620000-memory.dmp  (576KB)
memory/956-76-0x0000000000A60000-0x0000000000D63000-memory.dmp  (3.0MB)
memory/956-74-0x0000000000080000-0x00000000000A9000-memory.dmp  (164KB)
memory/956-73-0x0000000000A50000-0x0000000000A58000-memory.dmp  (32KB)
memory/956-72-0x0000000000000000-mapping.dmp
memory/1376-55-0x0000000001210000-0x0000000001211000-memory.dmp  (4KB)
memory/1376-57-0x0000000000430000-0x0000000000431000-memory.dmp  (4KB)
memory/1376-58-0x0000000000420000-0x0000000000427000-memory.dmp  (28KB)
memory/1376-59-0x0000000000B00000-0x0000000000B4B000-memory.dmp  (300KB)
memory/1384-68-0x0000000006790000-0x00000000068A2000-memory.dmp  (1.1MB)
memory/1384-71-0x0000000006AC0000-0x0000000006B81000-memory.dmp  (772KB)
memory/1384-78-0x0000000008800000-0x0000000008978000-memory.dmp  (1.5MB)
memory/1476-75-0x0000000000000000-mapping.dmp
memory/1980-67-0x00000000002A0000-0x00000000002B1000-memory.dmp  (68KB)
memory/1980-69-0x0000000000400000-0x0000000000429000-memory.dmp  (164KB)
memory/1980-70-0x00000000003E0000-0x00000000003F1000-memory.dmp  (68KB)
memory/1980-65-0x0000000000770000-0x0000000000A73000-memory.dmp  (3.0MB)
memory/1980-64-0x000000000041D450-mapping.dmp
memory/1980-63-0x0000000000400000-0x0000000000429000-memory.dmp  (164KB)
memory/1980-62-0x0000000000400000-0x0000000000429000-memory.dmp  (164KB)
memory/1980-61-0x0000000000400000-0x0000000000429000-memory.dmp  (164KB)