Analysis
- max time kernel: 301s
- max time network: 299s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-10-2021 14:59
Static task: static1
Behavioral task: behavioral1
- Sample: PO-TFL39043.exe
- Resource: win7-en-20211014
General
- Target: PO-TFL39043.exe
- Size: 344KB
- MD5: f9ca5c26a7b036d6ed12428e9415e57a
- SHA1: 9f2a5bb76a351b8bedbd29125283631346117115
- SHA256: 301c57782851a93d5b229fc921d1953a9c650131f6a3dfad1176705e5a99fb38
- SHA512: 0691723bd263abcd628ee579ee96f7238e823a46f8c08004e0670f3179480cfd16bd508da72b0d37889f54b5deea2b54ec86e53627b06355e08b043173b24821
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: p208
- C2: http://www.thaoduochuyetap.online/p208/
- Decoy domains:
thegaleriaon17.com
daughtersweekend.com
decisionmatrixtool.com
hollandmedia.services
yishengkeji.xyz
tiffanyszerszen.com
facetofacemodels.xyz
interiorsfurnituredubai.com
8p9s8yiotjqkw4wd.com
immobillienpate.com
annmariegrindart.com
hesenna.com
codechunx.com
vollabi.com
leishasart.com
marschaleine.com
rootpresidential.xyz
sharingtechnology.net
smartlifetokens.net
mylocalshit.com
miho-trial.com
cashndashfinancial.com
wifiradar52.online
rentalmanagmentpros.com
nehircell.com
stloeh.com
maverick-mentoring.com
terravillaliberia.com
suddennnnnnnnnnnn12.xyz
locate-fmi-id.online
recupcolis.com
greaterways.net
josephgoddard.com
ibasho.group
shopnaturesthrone.com
lingmao08.com
villagecrossingapartments.com
prestigemarbleimports.com
reflectsocial.com
bra866.com
nazrnd.com
videomaingoc.xyz
kidzgovroom.com
hybridinverter.com
crypinvesto.space
uptownholding.com
billyflow.com
nutricionlimpia.online
lo-nen.com
referralinstituteatlanta.com
wargasarawak.com
rachelsalonist.com
vindyxx.club
akinngroup.com
ttportalbham3.com
mktthucchien.com
tcta.top
tradeaialgo.online
cekenlerticaret.com
29w522cerny.info
txbianmin.com
tamaplaza-whitening.com
kczu.net
doyyindh.xyz
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload 3 IoCs
  Processes (resource: yara_rule):
  - behavioral2/memory/432-124-0x0000000000400000-0x0000000000429000-memory.dmp: xloader
  - behavioral2/memory/432-125-0x000000000041D4F0-mapping.dmp: xloader
  - behavioral2/memory/436-133-0x00000000004A0000-0x00000000004C9000-memory.dmp: xloader
- Suspicious use of SetThreadContext 3 IoCs
  Processes: PO-TFL39043.exe, PO-TFL39043.exe, svchost.exe (description / pid / process / target process):
  - PID 3476 set thread context of 432 / 3476 / PO-TFL39043.exe / PO-TFL39043.exe
  - PID 432 set thread context of 2872 / 432 / PO-TFL39043.exe / Explorer.EXE
  - PID 436 set thread context of 2872 / 436 / svchost.exe / Explorer.EXE
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes: PO-TFL39043.exe, svchost.exe (pid / process):
  - 432 / PO-TFL39043.exe (4 entries)
  - 436 / svchost.exe (the remaining 60 entries of the 64)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes: Explorer.EXE (pid / process):
  - 2872 / Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
  Processes: PO-TFL39043.exe, svchost.exe (pid / process):
  - 432 / PO-TFL39043.exe (3 entries)
  - 436 / svchost.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken 6 IoCs
  Processes: PO-TFL39043.exe, svchost.exe, Explorer.EXE (description / pid / process):
  - Token: SeDebugPrivilege / 432 / PO-TFL39043.exe
  - Token: SeDebugPrivilege / 436 / svchost.exe
  - Token: SeShutdownPrivilege / 2872 / Explorer.EXE
  - Token: SeCreatePagefilePrivilege / 2872 / Explorer.EXE
  - Token: SeShutdownPrivilege / 2872 / Explorer.EXE
  - Token: SeCreatePagefilePrivilege / 2872 / Explorer.EXE
- Suspicious use of WriteProcessMemory 12 IoCs
  Processes: PO-TFL39043.exe, Explorer.EXE, svchost.exe (description / pid / process / target process):
  - PID 3476 wrote to memory of 432 / 3476 / PO-TFL39043.exe / PO-TFL39043.exe (6 entries)
  - PID 2872 wrote to memory of 436 / 2872 / Explorer.EXE / svchost.exe (3 entries)
  - PID 436 wrote to memory of 2868 / 436 / svchost.exe / cmd.exe (3 entries)
Processes
- [depth 1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO-TFL39043.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/432-124-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/432-127-0x0000000001130000-0x0000000001450000-memory.dmp (Filesize: 3.1MB)
- memory/432-128-0x0000000001590000-0x00000000015A1000-memory.dmp (Filesize: 68KB)
- memory/432-125-0x000000000041D4F0-mapping.dmp
- memory/436-132-0x0000000000F10000-0x0000000000F1C000-memory.dmp (Filesize: 48KB)
- memory/436-135-0x0000000000B00000-0x0000000000B90000-memory.dmp (Filesize: 576KB)
- memory/436-134-0x0000000002F20000-0x0000000003240000-memory.dmp (Filesize: 3.1MB)
- memory/436-133-0x00000000004A0000-0x00000000004C9000-memory.dmp (Filesize: 164KB)
- memory/436-130-0x0000000000000000-mapping.dmp
- memory/2868-131-0x0000000000000000-mapping.dmp
- memory/2872-129-0x0000000003010000-0x00000000030F4000-memory.dmp (Filesize: 912KB)
- memory/2872-136-0x0000000003190000-0x0000000003281000-memory.dmp (Filesize: 964KB)
- memory/3476-120-0x0000000005620000-0x0000000005627000-memory.dmp (Filesize: 28KB)
- memory/3476-117-0x0000000005790000-0x0000000005791000-memory.dmp (Filesize: 4KB)
- memory/3476-118-0x0000000005370000-0x0000000005371000-memory.dmp (Filesize: 4KB)
- memory/3476-115-0x0000000000A70000-0x0000000000A71000-memory.dmp (Filesize: 4KB)
- memory/3476-119-0x0000000005650000-0x0000000005651000-memory.dmp (Filesize: 4KB)
- memory/3476-121-0x0000000005290000-0x000000000578E000-memory.dmp (Filesize: 5.0MB)
- memory/3476-123-0x0000000006050000-0x000000000609B000-memory.dmp (Filesize: 300KB)
- memory/3476-122-0x00000000060F0000-0x00000000060F1000-memory.dmp (Filesize: 4KB)