Analysis
Max time kernel: 148s
Max time network: 152s
Platform: windows10_x64
Resource: win10-en-20210920
Submitted: 28-10-2021 09:13
Behavioral task: behavioral1
Sample: dump_2.bin.exe
Resource: win7-en-20211014
General
Target: dump_2.bin.exe
Size: 163KB
MD5: affd2e9e568d6d431cb872166ba00a97
SHA1: 14d2752d408c3e825cdddeb9beb84de7c3434eed
SHA256: 64a668add3d7f3bbcc0ef6acb25529c70df773d74e7e17a4a8fd8c95e81ee8bd
SHA512: e0c9fc9c14b83bbebe13441eb873b942f59c54b474c861980d37d45eb68b935b60fdc37952072fa2d927b11a0294f68050663e61656101843e6bb5eb1f479c5b
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: c8te
C2: http://www.art-space.xyz/c8te/
Decoy domains:
solendshop.com
petanimals2021.com
infullylucky.com
advisormarketing.online
hgfdsx.com
bjshsq.com
43454255.xyz
newsexpressed.com
tenacityshipping.com
y-promotion.com
saltypigeon.com
acemodule.com
satisfaction-spa.com
evertownnyc.com
orgoheart.com
bankerszonemock.com
conveniente-prestamo.com
suprememodelmanagement.com
ego-designteam.com
mecanicotijuana.com
audioservers.com
the-show-off.com
architectemaroc.com
desertvalleyoutdoors.com
skyejewelryshop.com
slingplugrentals.com
xn--laksevg-jxa.com
protection-onepa.com
smartchemlawn.com
newday.blue
thewriterscorp.com
godaddys.xyz
carolinasdazoom.com
byemantarie.quest
shhysh.com
paypal-caseid198.com
navasoft.net
secureremoteworkforce.science
brandimise.com
weihelper.net
bcmegroupbrd.xyz
thegrillgrinders.com
perfectpcshop.com
thr33zi3.com
vuabunbo.com
lehtx.net
besrbee.com
thebossfrequency.com
mydenspace.com
657haber.com
fasteang.com
bymedia.media
absolutetrainingcentre.com
hackensacksalon.com
yhqm678pafc.com
shtfinc.net
hanbatang.com
jum-bled.xyz
feifenke.com
babe058.com
entrefinaera.com
engroconnects.com
wangyihao.xyz
ctlcloudfr.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (1 IoC)
  Resource: behavioral2/memory/3712-120-0x0000000000670000-0x0000000000699000-memory.dmp
  YARA rule: xloader
- Suspicious use of SetThreadContext (2 IoCs)
  Description | PID | Process | Target process
  PID 3812 set thread context of 1588 | 3812 | dump_2.bin.exe | Explorer.EXE
  PID 3712 set thread context of 1588 | 3712 | control.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (62 IoCs)
  PID | Process
  3812 | dump_2.bin.exe (4 entries)
  3712 | control.exe (all remaining entries of the 62)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID | Process
  1588 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  PID | Process
  3812 | dump_2.bin.exe (3 entries)
  3712 | control.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Description | PID | Process
  Token: SeDebugPrivilege | 3812 | dump_2.bin.exe
  Token: SeDebugPrivilege | 3712 | control.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description | PID | Process | Target process
  PID 1588 wrote to memory of 3712 | 1588 | Explorer.EXE | control.exe
  PID 1588 wrote to memory of 3712 | 1588 | Explorer.EXE | control.exe
  PID 1588 wrote to memory of 3712 | 1588 | Explorer.EXE | control.exe
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\dump_2.bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dump_2.bin.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\control.exe
      Command line: "C:\Windows\SysWOW64\control.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1588-117-0x0000000000890000-0x0000000000970000-memory.dmp (Filesize: 896KB)
- memory/1588-123-0x0000000004FF0000-0x0000000005126000-memory.dmp (Filesize: 1.2MB)
- memory/3712-118-0x0000000000000000-mapping.dmp (no filesize listed)
- memory/3712-120-0x0000000000670000-0x0000000000699000-memory.dmp (Filesize: 164KB)
- memory/3712-119-0x0000000000BD0000-0x0000000000BF0000-memory.dmp (Filesize: 128KB)
- memory/3712-121-0x00000000046D0000-0x00000000049F0000-memory.dmp (Filesize: 3.1MB)
- memory/3712-122-0x0000000004390000-0x0000000004420000-memory.dmp (Filesize: 576KB)
- memory/3812-115-0x0000000001800000-0x0000000001B20000-memory.dmp (Filesize: 3.1MB)
- memory/3812-116-0x00000000017C0000-0x00000000017D1000-memory.dmp (Filesize: 68KB)