Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211014
submitted: 25-10-2021 11:06

Static task: static1
Behavioral task: behavioral1
Sample: triage_dropped_file.exe
Resource: win7-en-20210920
General
Target: triage_dropped_file.exe
Size: 941KB
MD5: 538af9b3eb449aaf53eeaf6ecf3c4037
SHA1: edc27955b5d2388c7a2b792721941d2c270eac5a
SHA256: de43df6bd459b56aec0cd86e0873cc0c5b556e08547e2b9ea79082c44d9b7220
SHA512: a5eb2c410f8669bfb744158d459fe69221649d444394958774f2d91b7082c6537f798114ca51b395d7fe35db634cf41b86d6b7bb589ee17e0acd688bfea17ba3
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: fpdi
C2: http://www.walletwriter.space/fpdi/
Decoy domains (the remaining entries of the extracted config):
jencio.com
b9jty7.com
banahinvestments.com
capitolfurniture.net
jlvip1086.com
pompeyocargo.com
designbyshubhi.info
elbauldepecas.com
bracelexx.online
advanceporbrx.xyz
ruihongco.com
wipemirecord.com
goodfoodsme.com
sommpick.com
rangilugujarat.com
realestate5g.com
spunkdlashes.com
palisadestahoehousing.com
brandingsocal.com
privatejetsboston.com
strataguide.com
pragmatismtoday.com
teslapro1.com
picturebookoriginals.com
nbrus.com
lafon-fr.com
studyallenergy.com
opensourcedao.com
cerulecode.com
c2spreader.info
hamiker.com
slimming-belt.store
myraandmarlow.com
sellanycar.online
mokkaoffice.com
strazde.com
haharate.quest
xgustify.xyz
sisoow.rest
awesomeclub98.club
ashleymariephotographyllc.com
mobilethaimassageatl.com
petswastepickup.com
eco1tnpasumo1.xyz
social-nudge.com
osmorobotics.com
99044222.com
xuebaousa.com
madisonbroadband.com
lisworldart.com
tzuzulcode.com
gonzagacargo.com
kanpekisien.com
currysrilanka.com
designedairservices.com
sato76.com
weinsteinanddouglas.com
gearella.com
tes5ci.com
obatkuatsemarang.xyz
tdaiarquitectura.com
reshawna.com
pfmtime.com
eastendfinancial.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 3 IoCs
Processes:
resource                                                                       yara_rule
behavioral2/memory/3128-117-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
behavioral2/memory/3128-118-0x000000000041D460-mapping.dmp                     xloader
behavioral2/memory/2628-126-0x0000000000770000-0x0000000000799000-memory.dmp   xloader
Suspicious use of SetThreadContext 3 IoCs
Processes: triage_dropped_file.exe, triage_dropped_file.exe, cscript.exe
description                           pid   process                   target process
PID 2700 set thread context of 3128   2700  triage_dropped_file.exe   triage_dropped_file.exe
PID 3128 set thread context of 3020   3128  triage_dropped_file.exe   Explorer.EXE
PID 2628 set thread context of 3020   2628  cscript.exe               Explorer.EXE
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes: triage_dropped_file.exe, cscript.exe
pid   process                   hits
3128  triage_dropped_file.exe   4
2628  cscript.exe               58 (the remaining entries of the 62 listed)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid   process
3020  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: triage_dropped_file.exe, cscript.exe
pid   process                   hits
3128  triage_dropped_file.exe   3
2628  cscript.exe               2
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: triage_dropped_file.exe, cscript.exe
description               pid   process
Token: SeDebugPrivilege   3128  triage_dropped_file.exe
Token: SeDebugPrivilege   2628  cscript.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: triage_dropped_file.exe
pid   process
2700  triage_dropped_file.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes: triage_dropped_file.exe, Explorer.EXE, cscript.exe
description                       pid   process                   target process            hits
PID 2700 wrote to memory of 3128  2700  triage_dropped_file.exe   triage_dropped_file.exe   6
PID 3020 wrote to memory of 2628  3020  Explorer.EXE              cscript.exe               3
PID 2628 wrote to memory of 1788  2628  cscript.exe               cmd.exe                   3
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3020
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe (child of PID 3020)
    Command line: "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
    PID: 2700
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe (child of PID 2700)
      Command line: "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
      PID: 3128
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe (child of PID 3020)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    PID: 2628
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (child of PID 2628)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.exe"
      PID: 1788
Downloads
file                                                               filesize
memory/1788-124-0x0000000000000000-mapping.dmp
memory/2628-128-0x0000000004AD0000-0x0000000004B60000-memory.dmp   576KB
memory/2628-127-0x0000000004C80000-0x0000000004FA0000-memory.dmp   3.1MB
memory/2628-126-0x0000000000770000-0x0000000000799000-memory.dmp   164KB
memory/2628-125-0x0000000001380000-0x00000000013A7000-memory.dmp   156KB
memory/2628-123-0x0000000000000000-mapping.dmp
memory/2700-116-0x00000000001D0000-0x00000000001DA000-memory.dmp   40KB
memory/2700-115-0x00000000001D0000-0x00000000001D6000-memory.dmp   24KB
memory/3020-122-0x0000000005E40000-0x0000000005F6B000-memory.dmp   1.2MB
memory/3020-129-0x00000000024C0000-0x0000000002586000-memory.dmp   792KB
memory/3128-121-0x0000000000E30000-0x0000000000E41000-memory.dmp   68KB
memory/3128-120-0x00000000009E0000-0x0000000000D00000-memory.dmp   3.1MB
memory/3128-118-0x000000000041D460-mapping.dmp
memory/3128-117-0x0000000000400000-0x0000000000429000-memory.dmp   164KB