Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 29-10-2021 11:20
- Static task: static1
General
- Target: 60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe
- Size: 1005KB
- MD5: ab88797a02acd0499d33fcaa807f46cd
- SHA1: 04ca9bc69e500239d677d46d2e53a9ef5fc69f41
- SHA256: 60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68
- SHA512: 61c5c1d00bcc9f9986f7da0873fc4d74d55f5abf07d6eeddfe4f787ce1b40f98bfeb86d95da968858a79d2f03340ebf538c5711b1485800fa2958a0e4221e365
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: rqan
- URL: http://www.cardboutiqueapp.com/rqan/
- Domains:
panda.wiki
gailkannamassage.com
ungravitystudio.com
coraggiomusicschool.com
51walkerstreetrippleside.com
infemax.store
mapara-foundation.net
elitespeedwaxs.com
manateeprint.com
thelocksmithtradeshow.com
phoenix-out-of-ashes.com
marionkgregory.store
abasketofwords.com
century21nokta.com
anthonyaarnold.com
forevermyanmar.com
ramashi.com
uniquecarbonbrush.com
packecco.com
appelnacrtl.quest
mayo-group.com
healthychefla.com
chuhaitalk.com
promoapp12.com
sergomosta.com
missuniversepr.com
onfinan.com
moyue27.com
miaocharge.com
hubmedia.digital
sarasota-pressurewashing.com
deliciousrecipe.xyz
rosalia-pilates-angers.com
qqsmt09.com
comercialjyv.com
ismarthings.com
b8ceex.com
reviewbyornex.online
familylovmix.com
wurzelwerk-sk.com
buratacoin.com
delocdinh.com
paraspikakasino.com
buyinsurance24.com
d1storesa.com
apollonfitnessvrn.club
tokofebri.store
cambabez.xyz
pointcon.net
digitalcoursepreneur.com
15dgj.xyz
mg-garage.com
claggs.com
yuezhong66.com
uvowtae.xyz
puutuisossa.quest
glitchpunks.art
haferssippe.quest
ucwykl.biz
finlandtwo.xyz
efterpisart.com
usbankofamerican.com
bamubusinesssolutions.com
lakshhomesbalram.info
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/3944-117-0x0000000000000000-mapping.dmp: xloader
  - behavioral1/memory/3944-119-0x0000000073F00000-0x0000000073F29000-memory.dmp: xloader
  - behavioral1/memory/3264-126-0x0000000003390000-0x00000000033B9000-memory.dmp: xloader
- Adds Run key to start application (2 TTPs, 1 IoC)
  process: 60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Evjvfh = "C:\\Users\\Public\\Libraries\\\\hfvjvE.url"
- Suspicious use of SetThreadContext (2 IoCs)
  - PID 3944 (logagent.exe) set thread context of PID 3008 (Explorer.EXE)
  - PID 3264 (cscript.exe) set thread context of PID 3008 (Explorer.EXE)
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  - PID 3944 logagent.exe (4 entries)
  - PID 3264 cscript.exe (44 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3008 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  - PID 3944 logagent.exe (3 entries)
  - PID 3264 cscript.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: SeDebugPrivilege, PID 3944 logagent.exe
  - Token: SeDebugPrivilege, PID 3264 cscript.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 2096 (60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe) wrote to memory of PID 3944 (logagent.exe): 6 entries
  - PID 3008 (Explorer.EXE) wrote to memory of PID 3264 (cscript.exe): 3 entries
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\60b7ee7c678553708c9ef357f9922acea8736a66ba9109eed68a7b2680bc8c68.exe"
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\logagent.exe
         command line: C:\Windows\System32\logagent.exe
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cscript.exe
      command line: "C:\Windows\SysWOW64\cscript.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2096-116-0x0000000002A11000-0x0000000002A25000-memory.dmp (Filesize: 80KB)
- memory/2096-115-0x0000000002260000-0x0000000002261000-memory.dmp (Filesize: 4KB)
- memory/3008-129-0x00000000053E0000-0x000000000556C000-memory.dmp (Filesize: 1.5MB)
- memory/3008-123-0x0000000002C70000-0x0000000002D3B000-memory.dmp (Filesize: 812KB)
- memory/3264-126-0x0000000003390000-0x00000000033B9000-memory.dmp (Filesize: 164KB)
- memory/3264-128-0x0000000004DF0000-0x0000000004E80000-memory.dmp (Filesize: 576KB)
- memory/3264-125-0x00000000009F0000-0x0000000000A17000-memory.dmp (Filesize: 156KB)
- memory/3264-127-0x0000000004A40000-0x0000000004D60000-memory.dmp (Filesize: 3.1MB)
- memory/3264-124-0x0000000000000000-mapping.dmp
- memory/3944-119-0x0000000073F00000-0x0000000073F29000-memory.dmp (Filesize: 164KB)
- memory/3944-121-0x0000000004E20000-0x0000000005140000-memory.dmp (Filesize: 3.1MB)
- memory/3944-122-0x0000000004BD0000-0x0000000004BE1000-memory.dmp (Filesize: 68KB)
- memory/3944-118-0x0000000002E40000-0x0000000002E41000-memory.dmp (Filesize: 4KB)
- memory/3944-117-0x0000000000000000-mapping.dmp