Analysis
max time kernel: 147s
max time network: 152s
platform: windows7_x64
resource: win7-en-20210920
submitted: 26-10-2021 01:37

Static task: static1
Behavioral task: behavioral1
Sample: Enquiry docs.exe
Resource: win7-en-20210920

General
Target: Enquiry docs.exe
Size: 259KB
MD5: 57e634d27ebeb3eb96a21efb56654952
SHA1: 3a73a99013039be2615cbefd0cba1e4f5d10ea45
SHA256: d0df1d753742cd9d3144c77f0b343aac22fdab2a2d32bd41872dd838e2eb8a34
SHA512: 20626c979cee7d4780d95c020e7ee92719595d56f6e5bcdd40a7f746c89f8961c1441c2e8867110478a093bfde4c2085f27b42baf0296274d8f049c2e28de844
Malware Config
Extracted
xloader
2.5
ga6b
http://www.egyptian-museum.com/ga6b/
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload 3 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1636-57-0x000000000041D4E0-mapping.dmp                     xloader
  behavioral1/memory/1636-56-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/616-66-0x0000000000130000-0x0000000000159000-memory.dmp    xloader

Deletes itself 1 IoCs
Processes: cmd.exe
  pid   process
  376   cmd.exe

Loads dropped DLL 1 IoCs
Processes: Enquiry docs.exe
  pid   process
  524   Enquiry docs.exe

Suspicious use of SetThreadContext 3 IoCs
Processes: Enquiry docs.exe, cmstp.exe
  description                          pid   process           target process
  PID 524 set thread context of 1636   524   Enquiry docs.exe  Enquiry docs.exe
  PID 1636 set thread context of 1408  1636  Enquiry docs.exe  Explorer.EXE
  PID 616 set thread context of 1408   616   cmstp.exe         Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes: Enquiry docs.exe, cmstp.exe
  pid   process
  1636  Enquiry docs.exe  (2 entries)
  616   cmstp.exe         (28 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
  pid   process
  1408  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Enquiry docs.exe, cmstp.exe
  pid   process
  1636  Enquiry docs.exe  (3 entries)
  616   cmstp.exe         (2 entries)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: Enquiry docs.exe, cmstp.exe, Explorer.EXE
  description                 pid   process
  Token: SeDebugPrivilege     1636  Enquiry docs.exe
  Token: SeDebugPrivilege     616   cmstp.exe
  Token: SeShutdownPrivilege  1408  Explorer.EXE
  Token: SeShutdownPrivilege  1408  Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
  pid   process
  1408  Explorer.EXE
  1408  Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
  pid   process
  1408  Explorer.EXE
  1408  Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs
Processes: Enquiry docs.exe, Explorer.EXE, cmstp.exe
  description                      pid   process           target process
  PID 524 wrote to memory of 1636  524   Enquiry docs.exe  Enquiry docs.exe  (7 entries)
  PID 1408 wrote to memory of 616  1408  Explorer.EXE      cmstp.exe         (7 entries)
  PID 616 wrote to memory of 376   616   cmstp.exe         cmd.exe           (4 entries)
Processes

C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE, depth 1)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe", depth 2)
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe", depth 3)
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe  (command line: "C:\Windows\SysWOW64\cmstp.exe", depth 2)
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (command line: /c del "C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe", depth 3)
      - Deletes itself
Downloads

\Users\Admin\AppData\Local\Temp\nsyB839.tmp\qwihhhjukkm.dll
  MD5: 59e03c649261671aae61c01474532bdf
  SHA1: dad1989e45cc1bd59a94d56b4a61bad832a8590e
  SHA256: fef91b5459767be1bf625022564b3613f9448cdf783e2e7138a48073cfea95a4
  SHA512: 3d28bce453a7adb02e1a5710ae14f9cd4ba1fac479684ea262cc0c648a99a64488c42a14b6e82811a2c2b9eac044ca57d5d4077914651da24cabda8327dcd9b8

memory/376-64-0x0000000000000000-mapping.dmp

memory/524-54-0x00000000765A1000-0x00000000765A3000-memory.dmp
  Filesize: 8KB

memory/616-68-0x0000000001C80000-0x0000000001D10000-memory.dmp
  Filesize: 576KB

memory/616-67-0x0000000001E10000-0x0000000002113000-memory.dmp
  Filesize: 3.0MB

memory/616-66-0x0000000000130000-0x0000000000159000-memory.dmp
  Filesize: 164KB

memory/616-65-0x0000000000110000-0x0000000000128000-memory.dmp
  Filesize: 96KB

memory/616-62-0x0000000000000000-mapping.dmp

memory/1408-61-0x0000000007BA0000-0x0000000007D12000-memory.dmp
  Filesize: 1.4MB

memory/1408-69-0x0000000009880000-0x0000000009A09000-memory.dmp
  Filesize: 1.5MB

memory/1636-60-0x00000000002C0000-0x00000000002D1000-memory.dmp
  Filesize: 68KB

memory/1636-58-0x0000000000930000-0x0000000000C33000-memory.dmp
  Filesize: 3.0MB

memory/1636-56-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB

memory/1636-57-0x000000000041D4E0-mapping.dmp