Analysis
- max time kernel: 300s
- max time network: 300s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 25-10-2021 14:59

Static task: static1
Behavioral task: behavioral1
- Sample: PO-TFL39043.exe
- Resource: win7-en-20211014

General
- Target: PO-TFL39043.exe
- Size: 344KB
- MD5: f9ca5c26a7b036d6ed12428e9415e57a
- SHA1: 9f2a5bb76a351b8bedbd29125283631346117115
- SHA256: 301c57782851a93d5b229fc921d1953a9c650131f6a3dfad1176705e5a99fb38
- SHA512: 0691723bd263abcd628ee579ee96f7238e823a46f8c08004e0670f3179480cfd16bd508da72b0d37889f54b5deea2b54ec86e53627b06355e08b043173b24821
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: p208
- C2: http://www.thaoduochuyetap.online/p208/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Resource / YARA rule:
  behavioral1/memory/328-62-0x0000000000400000-0x0000000000429000-memory.dmp / xloader
  behavioral1/memory/328-63-0x000000000041D4F0-mapping.dmp / xloader
  behavioral1/memory/1088-71-0x00000000000A0000-0x00000000000C9000-memory.dmp / xloader
- Deletes itself (1 IoC)
  PID 1044 cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  PID 1748 (PO-TFL39043.exe) set thread context of PID 328 (PO-TFL39043.exe)
  PID 328 (PO-TFL39043.exe) set thread context of PID 1304 (Explorer.EXE)
  PID 1088 (cscript.exe) set thread context of PID 1304 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (52 IoCs)
  PID 328 PO-TFL39043.exe (2 entries)
  PID 1088 cscript.exe (50 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1304 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 328 PO-TFL39043.exe (3 entries)
  PID 1088 cscript.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege, PID 328 PO-TFL39043.exe
  Token: SeDebugPrivilege, PID 1088 cscript.exe
  Token: SeShutdownPrivilege, PID 1304 Explorer.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1304 Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1304 Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1748 (PO-TFL39043.exe) wrote to memory of PID 328 (PO-TFL39043.exe) (7 entries)
  PID 1304 (Explorer.EXE) wrote to memory of PID 1088 (cscript.exe) (4 entries)
  PID 1088 (cscript.exe) wrote to memory of PID 1044 (cmd.exe) (4 entries)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
- memory/328-66-0x0000000000200000-0x0000000000211000-memory.dmp (Filesize 68KB)
- memory/328-61-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/328-65-0x0000000000820000-0x0000000000B23000-memory.dmp (Filesize 3.0MB)
- memory/328-60-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/328-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/328-63-0x000000000041D4F0-mapping.dmp
- memory/1044-69-0x0000000000000000-mapping.dmp
- memory/1088-70-0x0000000000040000-0x0000000000062000-memory.dmp (Filesize 136KB)
- memory/1088-68-0x0000000000000000-mapping.dmp
- memory/1088-71-0x00000000000A0000-0x00000000000C9000-memory.dmp (Filesize 164KB)
- memory/1088-72-0x0000000002000000-0x0000000002303000-memory.dmp (Filesize 3.0MB)
- memory/1088-73-0x0000000001E20000-0x0000000001EB0000-memory.dmp (Filesize 576KB)
- memory/1304-74-0x00000000090D0000-0x0000000009251000-memory.dmp (Filesize 1.5MB)
- memory/1304-67-0x00000000060E0000-0x00000000061AD000-memory.dmp (Filesize 820KB)
- memory/1748-58-0x00000000003E0000-0x00000000003E7000-memory.dmp (Filesize 28KB)
- memory/1748-59-0x0000000004B30000-0x0000000004B7B000-memory.dmp (Filesize 300KB)
- memory/1748-57-0x0000000004AF0000-0x0000000004AF1000-memory.dmp (Filesize 4KB)
- memory/1748-55-0x0000000000DA0000-0x0000000000DA1000-memory.dmp (Filesize 4KB)