Analysis
max time kernel: 151s
max time network: 149s
platform: windows10_x64
resource: win10-en-20211014
submitted: 26-10-2021 01:37
Static task: static1
Behavioral task: behavioral1
  Sample: Enquiry docs.exe
  Resource: win7-en-20210920
General
Target: Enquiry docs.exe
Size: 259KB
MD5: 57e634d27ebeb3eb96a21efb56654952
SHA1: 3a73a99013039be2615cbefd0cba1e4f5d10ea45
SHA256: d0df1d753742cd9d3144c77f0b343aac22fdab2a2d32bd41872dd838e2eb8a34
SHA512: 20626c979cee7d4780d95c020e7ee92719595d56f6e5bcdd40a7f746c89f8961c1441c2e8867110478a093bfde4c2085f27b42baf0296274d8f049c2e28de844
Malware Config
Extracted
xloader
2.5
ga6b
http://www.egyptian-museum.com/ga6b/
diasporacospices.com
sd-shenghe.com
onlinewritingjobs.net
greenstreamgroup.store
garageair.agency
idh-bf.com
middenhavendambreskens.com
szkoleniawcag.online
wiremefeelings.com
ottosperformance.com
brothermush.com
weiserpath.com
baohiemtv24h.com
glassgalaxynft.com
spiritualmind.space
18130072012.com
3v0.space
smartgadgetscompare.com
corvusexpeditii.xyz
egcontabilidade.website
find0utnowfy.info
soulwinningministry.com
digitaldreamcloud.net
service-portal-kundendaten.com
theselectdifference.com
burodev.com
mustafacesuryildiz.com
grupodeinvestigacion.com
toyotadisurabaya.com
partnerbenifits.com
belledescontos.com
nobodybutgod.com
bumiths.com
acacave.com
septoctets.xyz
www73w.xyz
afghantattoos.com
interiorsbe.com
ara7z.com
qqcx666888.top
onra.top
sunfucker.net
suhuabo.com
tangerineinit.com
era636.com
lovenft.xyz
maviesurdvd.com
gullatz-consulting.com
duopasteleras.com
mystudentregistration.com
5559913.win
gritzcharlestonluxuryinn.store
themexicanbg.com
senshop.store
woodentoysforkids.store
globalgamelan.com
anjumanmuhibaneabbas.com
seattleinsurancebrokers.com
naiduteja049.info
traction.legal
twisteid.com
necesryaou.com
apan-group.com
infinityrope.store
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2220-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/2220-117-0x000000000041D4E0-mapping.dmp | xloader
behavioral2/memory/1316-125-0x0000000000A10000-0x0000000000A39000-memory.dmp | xloader
behavioral2/memory/1288-137-0x000000000041D4E0-mapping.dmp | xloader
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | NETSTAT.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\FTQLOR5HIL9 = "C:\\Program Files (x86)\\Pbjnl\\e4ud_r5tlzbp.exe" | NETSTAT.EXE
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
896 | e4ud_r5tlzbp.exe
1288 | e4ud_r5tlzbp.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
4088 | Enquiry docs.exe
896 | e4ud_r5tlzbp.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 4088 set thread context of 2220 | 4088 | Enquiry docs.exe | Enquiry docs.exe
PID 2220 set thread context of 3028 | 2220 | Enquiry docs.exe | Explorer.EXE
PID 1316 set thread context of 3028 | 1316 | NETSTAT.EXE | Explorer.EXE
PID 896 set thread context of 1288 | 896 | e4ud_r5tlzbp.exe | e4ud_r5tlzbp.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | NETSTAT.EXE
File opened for modification | C:\Program Files (x86)\Pbjnl | Explorer.EXE
File created | C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 6 IoCs
Processes:
resource | yara_rule
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | nsis_installer_1
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | nsis_installer_2
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | nsis_installer_1
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | nsis_installer_2
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | nsis_installer_1
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe | nsis_installer_2
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
1316 | NETSTAT.EXE
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | NETSTAT.EXE
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
pid | process (consecutive identical rows collapsed; 60 rows in total)
2220 | Enquiry docs.exe (4 rows)
1316 | NETSTAT.EXE (50 rows)
1288 | e4ud_r5tlzbp.exe (2 rows)
1316 | NETSTAT.EXE (4 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3028 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process
2220 | Enquiry docs.exe
2220 | Enquiry docs.exe
2220 | Enquiry docs.exe
1316 | NETSTAT.EXE
1316 | NETSTAT.EXE
1316 | NETSTAT.EXE
1316 | NETSTAT.EXE
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2220 | Enquiry docs.exe
Token: SeDebugPrivilege | 1316 | NETSTAT.EXE
Token: SeShutdownPrivilege | 3028 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE
Token: SeShutdownPrivilege | 3028 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE
Token: SeDebugPrivilege | 1288 | e4ud_r5tlzbp.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description | pid | process | target process (consecutive identical rows collapsed; 27 rows in total)
PID 4088 wrote to memory of 2220 | 4088 | Enquiry docs.exe | Enquiry docs.exe (6 rows)
PID 3028 wrote to memory of 1316 | 3028 | Explorer.EXE | NETSTAT.EXE (3 rows)
PID 1316 wrote to memory of 908 | 1316 | NETSTAT.EXE | cmd.exe (3 rows)
PID 1316 wrote to memory of 1712 | 1316 | NETSTAT.EXE | cmd.exe (3 rows)
PID 1316 wrote to memory of 1376 | 1316 | NETSTAT.EXE | Firefox.exe (3 rows)
PID 3028 wrote to memory of 896 | 3028 | Explorer.EXE | e4ud_r5tlzbp.exe (3 rows)
PID 896 wrote to memory of 1288 | 896 | e4ud_r5tlzbp.exe | e4ud_r5tlzbp.exe (6 rows)
Processes
-
C:\Windows\Explorer.EXE [tree level 1]
  command line: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe [tree level 2]
  command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe [tree level 3]
  command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NETSTAT.EXE [tree level 2]
  command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe [tree level 3]
  command line: /c del "C:\Users\Admin\AppData\Local\Temp\Enquiry docs.exe"
-
C:\Windows\SysWOW64\cmd.exe [tree level 3]
  command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Program Files\Mozilla Firefox\Firefox.exe [tree level 3]
  command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe [tree level 2]
  command line: "C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe [tree level 3]
  command line: "C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Pbjnl\e4ud_r5tlzbp.exe (listed three times in the report, identical hashes each time)
  MD5: 57e634d27ebeb3eb96a21efb56654952
  SHA1: 3a73a99013039be2615cbefd0cba1e4f5d10ea45
  SHA256: d0df1d753742cd9d3144c77f0b343aac22fdab2a2d32bd41872dd838e2eb8a34
  SHA512: 20626c979cee7d4780d95c020e7ee92719595d56f6e5bcdd40a7f746c89f8961c1441c2e8867110478a093bfde4c2085f27b42baf0296274d8f049c2e28de844
- C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- C:\Users\Admin\AppData\Local\Temp\mp59m2ruobpqhxv42sg
  MD5: 102b23bd64bca7637fdbef22ebe761d4
  SHA1: 039c6684f5789337b4ad6c2abc8b0bceabfe7812
  SHA256: 0ea5290692f36097842873d5f7024bf161c1aad2a2d41ee3b8b7b0718b5e14a3
  SHA512: 03558ef924890fe44d12c8c82c397ed59cc10e5bfcec9c2f913640ec59e18f61d73c93c5e6f3d2a3ecb07748dd1bd179c87455c5aac0e88be158b2238888ce91
- \Users\Admin\AppData\Local\Temp\nsfC3AF.tmp\qwihhhjukkm.dll
  MD5: 59e03c649261671aae61c01474532bdf
  SHA1: dad1989e45cc1bd59a94d56b4a61bad832a8590e
  SHA256: fef91b5459767be1bf625022564b3613f9448cdf783e2e7138a48073cfea95a4
  SHA512: 3d28bce453a7adb02e1a5710ae14f9cd4ba1fac479684ea262cc0c648a99a64488c42a14b6e82811a2c2b9eac044ca57d5d4077914651da24cabda8327dcd9b8
- \Users\Admin\AppData\Local\Temp\nszE518.tmp\qwihhhjukkm.dll
  MD5: 59e03c649261671aae61c01474532bdf
  SHA1: dad1989e45cc1bd59a94d56b4a61bad832a8590e
  SHA256: fef91b5459767be1bf625022564b3613f9448cdf783e2e7138a48073cfea95a4
  SHA512: 3d28bce453a7adb02e1a5710ae14f9cd4ba1fac479684ea262cc0c648a99a64488c42a14b6e82811a2c2b9eac044ca57d5d4077914651da24cabda8327dcd9b8
- memory/896-131-0x0000000000000000-mapping.dmp
- memory/908-123-0x0000000000000000-mapping.dmp
- memory/1288-139-0x0000000000BB0000-0x0000000000ED0000-memory.dmp (Filesize: 3.1MB)
- memory/1288-137-0x000000000041D4E0-mapping.dmp
- memory/1316-126-0x0000000003440000-0x0000000003760000-memory.dmp (Filesize: 3.1MB)
- memory/1316-127-0x0000000003210000-0x00000000032A0000-memory.dmp (Filesize: 576KB)
- memory/1316-124-0x0000000000A70000-0x0000000000A7B000-memory.dmp (Filesize: 44KB)
- memory/1316-125-0x0000000000A10000-0x0000000000A39000-memory.dmp (Filesize: 164KB)
- memory/1316-122-0x0000000000000000-mapping.dmp
- memory/1712-129-0x0000000000000000-mapping.dmp
- memory/2220-120-0x0000000000570000-0x00000000006BA000-memory.dmp (Filesize: 1.3MB)
- memory/2220-118-0x0000000000A40000-0x0000000000D60000-memory.dmp (Filesize: 3.1MB)
- memory/2220-117-0x000000000041D4E0-mapping.dmp
- memory/2220-116-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/3028-128-0x00000000049E0000-0x0000000004AB2000-memory.dmp (Filesize: 840KB)
- memory/3028-121-0x0000000002690000-0x0000000002744000-memory.dmp (Filesize: 720KB)