Analysis

Max time kernel: 150s
Max time network: 159s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 25-10-2021 09:02

Tasks
Static task: static1
Behavioral task: behavioral1 (sample HSBC_2021-25-10-017822019.exe, resource win7-en-20211014)

Note: the YARA memory hits under Signatures are tagged behavioral2, i.e. a second behavioral run; the task list on this page only names behavioral1.
General

Target: HSBC_2021-25-10-017822019.exe
Size: 331KB
MD5: 21dc547b12a42d23141c3a6321518e83
SHA1: 3f42a80a0ae6b917c0bc8486ea9b0b488e1619d2
SHA256: 754ba27dca23858f64933493e0162b9745b93a6c87cd0868bfec0019c88ed4e0
SHA512: 414ca9a23af8acf0e6158f596ead3af66bb8d7ce59f60820fa2f3a54a8df5f4977b8f3a5dfd48ec75eca195a7d2324394674bcbf221685ea01e89d942ffe2b1c
Malware Config

Extracted family: xloader
Version: 2.5
Campaign ID: ntfs
C2 URL: http://www.164661.com/ntfs/
Domains (64 entries; XLoader/Formbook configurations mix the live C2 with decoy domains and the bot beacons to several of them per cycle, so a hit on any one of these is evidence of the bot, not proof that the domain itself is attacker-controlled):
cast-host.com
sheenwoman.com
cateringpairs.com
butikgamis.com
esd66.com
beautystaze.com
findavetnearme.com
lyketigers.com
nesboutiqe.com
jadeutil.com
survivalfresh.com
realestatebramlett.com
glorynap.com
awards.institute
huangtapps.com
beyondwithyou.com
cryptocustomerhelp.com
plataformasoma.net
lstpark.com
noalareelecionindefinida.com
supersconti.xyz
emotors-invoice.com
adamelsouk.com
pellondo.com
itstimewashington.com
ss9n.xyz
wecuxs.com
wonderfulwithyou.com
livetvnews24.com
humanblessings.com
soins-sophro.website
pailuanshizhi.com
balanzasdeplataformaperu.com
wingboxonline.com
importexportjessi.com
revenberggmemergencyupgrade.com
comicvan.com
docomoaj.xyz
accelerate6.com
englishforbreakfast.com
braapboxclub.com
damana-vetements.com
corinnewehby.com
tonesify.com
growversa.com
cemetrasbeautyboutique.com
newbalancecore.xyz
cqguipu.com
vdcasinolinkegit.club
sednayachts.com
alinatargetpro.com
pawcomart.com
aisle5.store
dayinburgas.com
c2batxpvme9ey3poams7369.com
everythingby-b.com
laliinparfumeri.com
ntwapedi.com
mrbubblesftlauderdale.com
averiansmom.com
ipelle.com
waiting-game.com
online-security.support
hartfortlife.com
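The configuration above is only useful once it is turned into something you can run against proxy and DNS logs. The following Python is an added example and is not part of the sandbox report or of the sample; it parses the config block in the layout shown on this page, normalises the C2 host and the bare domains to one form, and rates each log hit by whether the request also carries the campaign path from the C2 URL. Only a subset of the 64 domains is embedded (paste the full list for real use), and the log lines and their format are constructed for illustration.

```python
"""Turn the extracted XLoader config into a hunt list and scan log lines with it.

Added example, not the sandbox's or the sample's code.  CONFIG_TEXT is a subset
of the report's config block; SAMPLE_LOG and its line format are constructed."""
import re
from urllib.parse import urlsplit

# Transcribed from the "Malware Config" section: family, version, campaign id,
# C2 URL, then domains.  Subset only; paste the full 64-domain list for real use.
CONFIG_TEXT = """\
xloader
2.5
ntfs
http://www.164661.com/ntfs/
cast-host.com
sheenwoman.com
cateringpairs.com
esd66.com
accelerate6.com
hartfortlife.com
"""

# Constructed proxy/DNS lines: "<timestamp> <client> <GET|POST|DNS> <target> [status]".
SAMPLE_LOG = [
    "2021-10-25T09:03:09Z 10.0.0.5 DNS esd66.com",
    "2021-10-25T09:03:11Z 10.0.0.5 GET http://www.sheenwoman.com/ntfs/?Kx=Q2hlY2tpbg==&sql=1 200",
    "2021-10-25T09:03:12Z 10.0.0.5 POST http://www.164661.com/ntfs/ 200",
    "2021-10-25T09:04:00Z 10.0.0.7 GET http://www.example.com/ntfs/ 404",
    "2021-10-25T09:04:02Z 10.0.0.7 GET https://accelerate6.com/about 200",
    "malformed line that the parser should skip",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>GET|POST|DNS)\s+(?P<target>\S+)")


def norm_host(host):
    """Lower-case and drop a leading 'www.' so the C2 URL's host and the bare
    domains in the config compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(text):
    """Parse the config block as laid out on the report page."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    family, version, campaign, c2_url = lines[:4]
    c2 = urlsplit(c2_url)
    return {
        "family": family, "version": version, "campaign": campaign,
        "c2_url": c2_url,
        "path": c2.path,                       # "/ntfs/": the campaign path
        "hosts": {norm_host(c2.hostname)} | {norm_host(d) for d in lines[4:]},
    }


def scan(lines, iocs):
    """Return (line number, host, kind, severity) for every line whose host is in
    the config.  A request to the campaign path on a config host rates high;
    any other contact with a config host (DNS lookup, other path) rates medium."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, target = m["kind"], m["target"]
        if kind == "DNS":
            host, path = target, ""
        else:
            u = urlsplit(target)
            host, path = u.hostname or "", u.path
        host = norm_host(host)
        if host not in iocs["hosts"]:
            continue
        severity = "high" if path.startswith(iocs["path"]) else "medium"
        hits.append((n, host, kind, severity))
    return hits


if __name__ == "__main__":
    iocs = parse_config(CONFIG_TEXT)
    print(f'{iocs["family"]} {iocs["version"]} campaign={iocs["campaign"]} hosts={len(iocs["hosts"])}')
    for hit in scan(SAMPLE_LOG, iocs):
        print(hit)
```

The path match is the part worth keeping: the bot uses the same campaign path on every domain it rotates through, so a request for `/ntfs/` on any config domain is a much stronger signal than the domain alone, and `www.example.com/ntfs/` on a host outside the list is deliberately not flagged.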
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET) (alert fired twice; XLoader is the successor of Formbook and keeps its check-in format, which is why the Formbook rule fires on this sample)
-
Xloader Payload (3 IoCs)
YARA rule: xloader
  behavioral2/memory/3476-125-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral2/memory/3476-126-0x000000000041D450-mapping.dmp
  behavioral2/memory/524-134-0x0000000003280000-0x00000000032A9000-memory.dmp
Suspicious use of SetThreadContext (3 IoCs)
  PID 4264 HSBC_2021-25-10-017822019.exe -> set thread context of PID 3476 HSBC_2021-25-10-017822019.exe
  PID 3476 HSBC_2021-25-10-017822019.exe -> set thread context of PID 2712 Explorer.EXE
  PID 524 msdt.exe -> set thread context of PID 2712 Explorer.EXE

Read together with the WriteProcessMemory table, this is the usual XLoader/Formbook staging: the dropper (4264) spawns a second copy of itself (3476), writes into it and redirects its main thread (process hollowing); the hollowed copy injects into Explorer.EXE; Explorer, now running injected code, launches a legitimate Windows binary (msdt.exe, PID 524), which injects into Explorer again and carries the final payload.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this behaviour is "likely ransomware", but that label does not fit here: the extracted configuration identifies the payload as XLoader, an information stealer, and in a stealer drive enumeration is more consistent with host fingerprinting than with a prelude to encryption.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropper creates the task Updates\tOafpOTcPGDRrp from an XML definition it writes to C:\Users\Admin\AppData\Local\Temp\tmpD165.tmp (see the process tree); the task's trigger and action live in that XML, which this page does not include, so the task name and the temp file are the artefacts to hunt for.
-
Suspicious behavior: EnumeratesProcesses (49 IoCs)
Processes: PID 4264 HSBC_2021-25-10-017822019.exe, PID 3476 HSBC_2021-25-10-017822019.exe and PID 524 msdt.exe, 49 events in total, the bulk of them from msdt.exe (524)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: PID 2712 Explorer.EXE
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes: PID 3476 HSBC_2021-25-10-017822019.exe (3 events), PID 524 msdt.exe (2 events)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 4264 HSBC_2021-25-10-017822019.exe
  Token: SeDebugPrivilege  PID 3476 HSBC_2021-25-10-017822019.exe
  Token: SeDebugPrivilege  PID 524 msdt.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 4264 HSBC_2021-25-10-017822019.exe -> wrote to memory of PID 2936 schtasks.exe (3 events)
  PID 4264 HSBC_2021-25-10-017822019.exe -> wrote to memory of PID 3476 HSBC_2021-25-10-017822019.exe (6 events)
  PID 2712 Explorer.EXE -> wrote to memory of PID 524 msdt.exe (3 events)
  PID 524 msdt.exe -> wrote to memory of PID 1088 cmd.exe (3 events)
Processes

C:\Windows\Explorer.EXE  [PID 2712]  (depth 1)
    command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe  [PID 4264]  (depth 2)
        command line: "C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe  [PID 2936]  (depth 3)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tOafpOTcPGDRrp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD165.tmp"
            - Creates scheduled task(s)

        C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe  [PID 3476]  (depth 3)
            command line: "C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\msdt.exe  [PID 524]  (depth 2)
        command line: "C:\Windows\SysWOW64\msdt.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  [PID 1088]  (depth 3)
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\HSBC_2021-25-10-017822019.exe"

Reading the tree: the sample is a 32-bit executable, so the "C:\Windows\System32\schtasks.exe" it asks for resolves to C:\Windows\SysWOW64\schtasks.exe through WOW64 file-system redirection, and msdt.exe is likewise the SysWOW64 copy. msdt.exe is a child of Explorer.EXE rather than of the sample because Explorer, once injected by PID 3476, launches it; msdt.exe then injects back into Explorer and removes the original dropper from disk via cmd.exe, which is why the sample path no longer exists on the host after the run.
Network
MITRE ATT&CK Enterprise v6
Downloads (memory dumps)

memory/524-136-0x0000000004B60000-0x0000000004BF0000-memory.dmp    576KB
memory/524-135-0x00000000047B0000-0x0000000004AD0000-memory.dmp    3.1MB
memory/524-134-0x0000000003280000-0x00000000032A9000-memory.dmp    164KB
memory/524-133-0x0000000000B30000-0x0000000000CA3000-memory.dmp    1.4MB
memory/524-131-0x0000000000000000-mapping.dmp
memory/1088-132-0x0000000000000000-mapping.dmp
memory/2712-130-0x0000000005500000-0x0000000005646000-memory.dmp   1.3MB
memory/2712-137-0x00000000026C0000-0x00000000027A7000-memory.dmp   924KB
memory/2936-124-0x0000000000000000-mapping.dmp
memory/3476-126-0x000000000041D450-mapping.dmp
memory/3476-129-0x0000000001570000-0x0000000001581000-memory.dmp   68KB
memory/3476-128-0x00000000015B0000-0x00000000018D0000-memory.dmp   3.1MB
memory/3476-125-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
memory/4264-115-0x0000000000AC0000-0x0000000000AC1000-memory.dmp   4KB
memory/4264-123-0x00000000060D0000-0x000000000611B000-memory.dmp   300KB
memory/4264-122-0x0000000006120000-0x0000000006121000-memory.dmp   4KB
memory/4264-121-0x00000000052C0000-0x0000000005352000-memory.dmp   584KB
memory/4264-120-0x0000000005720000-0x0000000005727000-memory.dmp   28KB
memory/4264-119-0x0000000005750000-0x0000000005751000-memory.dmp   4KB
memory/4264-118-0x0000000005380000-0x0000000005381000-memory.dmp   4KB
memory/4264-117-0x0000000005880000-0x0000000005881000-memory.dmp   4KB

The two 164KB regions are the ones the xloader YARA rule matched: 0x400000-0x429000 in PID 3476 is the default 32-bit image base, consistent with the hollowed child's original image having been overwritten, and 0x3280000-0x32A9000 in PID 524 is the same-size payload mapped into msdt.exe. Those two dumps, and the 0x41D450 mapping entry point in 3476, are the ones to pull for static analysis of the unpacked stealer.