Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 29-10-2021 11:56

Static task: static1
Behavioral task: behavioral1
Sample: T2812A.exe
Resource: win7-en-20210920

General
- Target: T2812A.exe
- Size: 380KB
- MD5: a18f3c54efed2e42168d6748a5c04c16
- SHA1: 4aa01a7a9557d15ef251e1bd107ec821872549b1
- SHA256: 724908fa2c546fad14d2a687c9f471f75548903b2d94fb903d617570cedaef7f
- SHA512: dcb020ff28a6d694a9c4e2eaf097413f4085f8f51663958defdbe465c1592e95a518063d2d401bae392363eacf1e4ab5a2e7993ac3f541fb8c4e4eb322ad6733
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: snec
- C2: http://www.go2payme.com/snec/
Signatures

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/360-62-0x000000000041D460-mapping.dmp                      xloader
  behavioral1/memory/360-61-0x0000000000400000-0x0000000000429000-memory.dmp    xloader
  behavioral1/memory/1112-71-0x0000000000100000-0x0000000000129000-memory.dmp   xloader

Deletes itself (1 IoC)
  pid   process
  928   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                            pid    process        target process
  PID 1608 set thread context of 360     1608   T2812A.exe     T2812A.exe
  PID 360 set thread context of 1288     360    T2812A.exe     Explorer.EXE
  PID 1112 set thread context of 1288    1112   raserver.exe   Explorer.EXE

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  pid    process        count
  1608   T2812A.exe     2
  360    T2812A.exe     2
  1112   raserver.exe   21

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process        count
  360    T2812A.exe     3
  1112   raserver.exe   2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid    process
  Token: SeDebugPrivilege    1608   T2812A.exe
  Token: SeDebugPrivilege    360    T2812A.exe
  Token: SeDebugPrivilege    1112   raserver.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    process        count
  1288   Explorer.EXE   2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid    process        count
  1288   Explorer.EXE   2

Suspicious use of WriteProcessMemory (23 IoCs)
  description                           pid    process        target process   count
  PID 1608 wrote to memory of 564       1608   T2812A.exe     T2812A.exe       4
  PID 1608 wrote to memory of 1652      1608   T2812A.exe     T2812A.exe       4
  PID 1608 wrote to memory of 360       1608   T2812A.exe     T2812A.exe       7
  PID 1288 wrote to memory of 1112      1288   Explorer.EXE   raserver.exe     4
  PID 1112 wrote to memory of 928       1112   raserver.exe   cmd.exe          4
Processes

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\T2812A.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\T2812A.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\T2812A.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\T2812A.exe"

    [3] C:\Users\Admin\AppData\Local\Temp\T2812A.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\T2812A.exe"

    [3] C:\Users\Admin\AppData\Local\Temp\T2812A.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\T2812A.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\raserver.exe
      command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe
        command line: /c del "C:\Users\Admin\AppData\Local\Temp\T2812A.exe"
        - Deletes itself
Downloads
- memory/360-64-0x0000000000970000-0x0000000000C73000-memory.dmp (Filesize 3.0MB)
- memory/360-62-0x000000000041D460-mapping.dmp
- memory/360-65-0x0000000000180000-0x0000000000191000-memory.dmp (Filesize 68KB)
- memory/360-61-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/360-59-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/360-60-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize 164KB)
- memory/928-69-0x0000000000000000-mapping.dmp
- memory/1112-67-0x0000000000000000-mapping.dmp
- memory/1112-68-0x00000000767F1000-0x00000000767F3000-memory.dmp (Filesize 8KB)
- memory/1112-70-0x0000000000520000-0x000000000053C000-memory.dmp (Filesize 112KB)
- memory/1112-71-0x0000000000100000-0x0000000000129000-memory.dmp (Filesize 164KB)
- memory/1112-72-0x0000000001EC0000-0x00000000021C3000-memory.dmp (Filesize 3.0MB)
- memory/1112-73-0x0000000001D30000-0x0000000001DC0000-memory.dmp (Filesize 576KB)
- memory/1288-74-0x0000000006A80000-0x0000000006B9F000-memory.dmp (Filesize 1.1MB)
- memory/1288-66-0x00000000069A0000-0x0000000006A7C000-memory.dmp (Filesize 880KB)
- memory/1608-58-0x00000000009E0000-0x0000000000A2B000-memory.dmp (Filesize 300KB)
- memory/1608-57-0x0000000000380000-0x0000000000386000-memory.dmp (Filesize 24KB)
- memory/1608-56-0x0000000000A30000-0x0000000000A31000-memory.dmp (Filesize 4KB)
- memory/1608-54-0x0000000000900000-0x0000000000901000-memory.dmp (Filesize 4KB)