Analysis
- max time kernel: 148s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-10-2021 11:02
Static task: static1
Behavioral task: behavioral1
Sample: triage_dropped_file.exe
Resource: win7-en-20210920
General
- Target: triage_dropped_file.exe
- Size: 941KB
- MD5: 538af9b3eb449aaf53eeaf6ecf3c4037
- SHA1: edc27955b5d2388c7a2b792721941d2c270eac5a
- SHA256: de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220
- SHA512: a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- fpdi
- http://www.walletwriter.space/fpdi/
- (64 further domains listed in the extracted configuration)
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (4 IoCs)
  resource / yara_rule:
    behavioral2/memory/4080-117-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
    behavioral2/memory/4080-118-0x000000000041D460-mapping.dmp  xloader
    behavioral2/memory/584-125-0x0000000000DA0000-0x0000000000DC9000-memory.dmp  xloader
    behavioral2/memory/3956-138-0x000000000041D460-mapping.dmp  xloader
- Adds policy Run key to start application (2 TTPs, 2 IoCs)
  Processes: cscript.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (cscript.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WZVHGTBPP8 = "C:\\Program Files (x86)\\Cdzmtq4lp\\zbelg08pafc4nrw.exe" (cscript.exe)
- Executes dropped EXE (2 IoCs)
  Processes: zbelg08pafc4nrw.exe
    PID 936   zbelg08pafc4nrw.exe
    PID 3956  zbelg08pafc4nrw.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (4 IoCs)
  Processes: triage_dropped_file.exe, cscript.exe, zbelg08pafc4nrw.exe
    PID 3492 set thread context of 4080  (triage_dropped_file.exe -> triage_dropped_file.exe)
    PID 4080 set thread context of 3064  (triage_dropped_file.exe -> Explorer.EXE)
    PID 584 set thread context of 3064   (cscript.exe -> Explorer.EXE)
    PID 936 set thread context of 3956   (zbelg08pafc4nrw.exe -> zbelg08pafc4nrw.exe)
- Drops file in Program Files directory (5 IoCs)
  Processes: Explorer.EXE, zbelg08pafc4nrw.exe, cscript.exe
    File created: C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe (Explorer.EXE)
    File opened for modification: C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe (Explorer.EXE)
    File opened for modification: C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe (zbelg08pafc4nrw.exe)
    File opened for modification: C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe (cscript.exe)
    File opened for modification: C:\Program Files (x86)\Cdzmtq4lp (Explorer.EXE)
- Modifies Internet Explorer settings (1 IoC)
  Processes: cscript.exe
    Key created: \Registry\User\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cscript.exe)
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes: triage_dropped_file.exe, cscript.exe, zbelg08pafc4nrw.exe
    PID 4080  triage_dropped_file.exe (4 events)
    PID 584   cscript.exe (most of the 60 events)
    PID 3956  zbelg08pafc4nrw.exe (2 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
    PID 3064  Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: triage_dropped_file.exe, cscript.exe
    PID 4080  triage_dropped_file.exe (3 events)
    PID 584   cscript.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Processes: triage_dropped_file.exe, cscript.exe, Explorer.EXE, zbelg08pafc4nrw.exe
    Token: SeDebugPrivilege          PID 4080  triage_dropped_file.exe
    Token: SeDebugPrivilege          PID 584   cscript.exe
    Token: SeShutdownPrivilege       PID 3064  Explorer.EXE (3 events)
    Token: SeCreatePagefilePrivilege PID 3064  Explorer.EXE (3 events)
    Token: SeDebugPrivilege          PID 3956  zbelg08pafc4nrw.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: triage_dropped_file.exe, zbelg08pafc4nrw.exe
    PID 3492  triage_dropped_file.exe
    PID 936   zbelg08pafc4nrw.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: triage_dropped_file.exe, Explorer.EXE, cscript.exe, zbelg08pafc4nrw.exe
    PID 3492 wrote to memory of 4080  (triage_dropped_file.exe -> triage_dropped_file.exe, 6 events)
    PID 3064 wrote to memory of 584   (Explorer.EXE -> cscript.exe, 3 events)
    PID 584 wrote to memory of 1120   (cscript.exe -> cmd.exe, 3 events)
    PID 584 wrote to memory of 3328   (cscript.exe -> cmd.exe, 3 events)
    PID 584 wrote to memory of 3296   (cscript.exe -> Firefox.exe, 3 events)
    PID 3064 wrote to memory of 936   (Explorer.EXE -> zbelg08pafc4nrw.exe, 3 events)
    PID 936 wrote to memory of 3956   (zbelg08pafc4nrw.exe -> zbelg08pafc4nrw.exe, 6 events)
- System policy modification (1 TTPs, 1 IoCs)
  Processes: cscript.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (cscript.exe)
Processes
- C:\Windows\Explorer.EXE (level 1), command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3064
  - C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3492
    - C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe (level 3), command line: "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 4080
  - C:\Windows\SysWOW64\cscript.exe (level 2), command line: "C:\Windows\SysWOW64\cscript.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 584
    - C:\Windows\SysWOW64\cmd.exe (level 3), command line: /c del "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
      PID: 1120
    - C:\Windows\SysWOW64\cmd.exe (level 3), command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 3328
    - C:\Program Files\Mozilla Firefox\Firefox.exe (level 3), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 3296
  - C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe (level 2), command line: "C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 936
    - C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe (level 3), command line: "C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3956
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Cdzmtq4lp\zbelg08pafc4nrw.exe
  MD5: 538af9b3eb449aaf53eeaf6ecf3c4037
  SHA1: edc27955b5d2388c7a2b792721941d2c270eac5a
  SHA256: de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220
  SHA512: a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3
- C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- memory/584-127-0x0000000005160000-0x0000000005480000-memory.dmp (Filesize: 3.1MB)
- memory/584-128-0x00000000050B0000-0x0000000005140000-memory.dmp (Filesize: 576KB)
- memory/584-123-0x0000000000000000-mapping.dmp
- memory/584-124-0x0000000001090000-0x00000000010B7000-memory.dmp (Filesize: 156KB)
- memory/584-125-0x0000000000DA0000-0x0000000000DC9000-memory.dmp (Filesize: 164KB)
- memory/936-132-0x0000000000000000-mapping.dmp
- memory/1120-126-0x0000000000000000-mapping.dmp
- memory/3064-122-0x0000000000930000-0x00000000009DF000-memory.dmp (Filesize: 700KB)
- memory/3064-129-0x0000000005E20000-0x0000000005F2D000-memory.dmp (Filesize: 1.1MB)
- memory/3328-130-0x0000000000000000-mapping.dmp
- memory/3492-115-0x00000000001D0000-0x00000000001D6000-memory.dmp (Filesize: 24KB)
- memory/3492-116-0x00000000001D0000-0x00000000001DA000-memory.dmp (Filesize: 40KB)
- memory/3956-138-0x000000000041D460-mapping.dmp
- memory/3956-140-0x00000000009D0000-0x0000000000CF0000-memory.dmp (Filesize: 3.1MB)
- memory/4080-121-0x00000000009D0000-0x00000000009E1000-memory.dmp (Filesize: 68KB)
- memory/4080-120-0x0000000000A10000-0x0000000000D30000-memory.dmp (Filesize: 3.1MB)
- memory/4080-118-0x000000000041D460-mapping.dmp
- memory/4080-117-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)