Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 29-10-2021 11:36
Static task: static1
Behavioral task: behavioral1
Sample: DH146890Y.exe
Resource: win7-en-20210920
General
- Target: DH146890Y.exe
- Size: 256KB
- MD5: acaef58b0bb5cb7965052d41570b5686
- SHA1: 1668c7470fe1c5d9330f66267d987b0e08b0f8ad
- SHA256: 4c382fc031bb1ca0e9e075fe60ec6ce335050799c3ebff9fea3bd1531f2aceae
- SHA512: cf843e25a0c707bc0070913b2b240fb5818de2daefd1c76798b3538fbefb9da0b08bdbf58764c463385eb4876556b85c83b73643098bbffd32ac6b95bd8f4da6
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: u5eh
- C2: http://www.retonamoss.com/u5eh/
Decoy domains:
tryafaq.com
bobcathntshop.com
oglead.com
026skz.xyz
brasbux.com
adna17.com
noveltyrofjiy.xyz
realestatecompanys.com
leman-web.com
df5686.com
jonathonhawkins.com
juliedominyfloralartistry.com
classyeventsco.com
aquaticatt.com
iotworld.xyz
hoc8.com
disposablediapers.store
peregovorim.online
advancebits.club
getaburialplan.com
tiger-trails.com
dnbaba.com
492981.com
eclipse-electrical-euless.com
cassandracchase.com
healthrightmeds.club
permkray.club
tawazoun-dz.com
extrabladet.com
offmanage.com
peoplexplants.com
mumkungiyim.com
personal-email-office-mgt.com
bjmysa.com
hopshomes.com
cnj-power.com
trendproduct.tech
chauffeuredaustralia.online
176ssjp0033.xyz
52juns.com
rewriringcanada.com
seabourneboats.com
sevensummittrek.com
retalent.agency
lz4ios.cloud
mindandbodyalignment.com
bedrijfmail-trk.com
bashmoney.net
xc3654.com
infiteltech.com
sh-hywz.com
huataiqche.com
grannyh.com
devinwithani.com
kingstons.info
fakedocshyundaigiveaway.com
bigsyncmusic.info
predstavnuk.com
frontiervalley8.com
timdpr.com
smartgymadmin.com
brsgeniusschool.com
tuckertractorworks.com
espchange.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
Resource (yara_rule):
- behavioral1/memory/644-56-0x0000000000400000-0x0000000000429000-memory.dmp (xloader)
- behavioral1/memory/644-57-0x000000000041D3E0-mapping.dmp (xloader)
- behavioral1/memory/644-62-0x0000000000400000-0x0000000000429000-memory.dmp (xloader)
- behavioral1/memory/620-67-0x0000000000080000-0x00000000000A9000-memory.dmp (xloader)
-
Deletes itself 1 IoCs
Processes:
- pid 340: cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
- pid 1880: DH146890Y.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
- PID 1880 set thread context of 644: DH146890Y.exe -> DH146890Y.exe
- PID 644 set thread context of 1356: DH146890Y.exe -> Explorer.EXE
- PID 644 set thread context of 1356: DH146890Y.exe -> Explorer.EXE
- PID 620 set thread context of 1356: netsh.exe -> Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
- pid 644: DH146890Y.exe (3 events)
- pid 620: netsh.exe (27 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- pid 1356: Explorer.EXE
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
- pid 644: DH146890Y.exe (4 events)
- pid 620: netsh.exe (2 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- Token: SeDebugPrivilege, pid 644: DH146890Y.exe
- Token: SeDebugPrivilege, pid 620: netsh.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
- pid 1356: Explorer.EXE (2 events)
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
- pid 1356: Explorer.EXE (2 events)
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
- PID 1880 wrote to memory of 644: DH146890Y.exe -> DH146890Y.exe (7 events)
- PID 1356 wrote to memory of 620: Explorer.EXE -> netsh.exe (4 events)
- PID 620 wrote to memory of 340: netsh.exe -> cmd.exe (4 events)
Processes
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\DH146890Y.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
\Users\Admin\AppData\Local\Temp\nsnAC66.tmp\xemqunqqv.dll
MD5: e53cae86a6072f87b9b9c0aa93ba0957
SHA1: ff14dbb706f476863d9f15b9dfb79328c7ea688a
SHA256: c1331b89e53012ba8c4631c7a9bfe207dd65aa4fcefd063da72b86236e86e372
SHA512: 8a171df40498daa5aa742812ca8a56d943e52877d9b2020dce53ef208da59a18adc1b9a8c576901c0b77064d236ae6783fccb1b22bf773ee9e03e19f361da9e4
- memory/340-68-0x0000000000000000-mapping.dmp
- memory/620-65-0x0000000000000000-mapping.dmp
- memory/620-70-0x0000000000450000-0x00000000004E0000-memory.dmp (Filesize: 576KB)
- memory/620-69-0x0000000000CE0000-0x0000000000FE3000-memory.dmp (Filesize: 3.0MB)
- memory/620-67-0x0000000000080000-0x00000000000A9000-memory.dmp (Filesize: 164KB)
- memory/620-66-0x0000000001310000-0x000000000132B000-memory.dmp (Filesize: 108KB)
- memory/644-60-0x00000000002C0000-0x00000000002D1000-memory.dmp (Filesize: 68KB)
- memory/644-63-0x0000000000310000-0x0000000000321000-memory.dmp (Filesize: 68KB)
- memory/644-62-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/644-59-0x0000000000830000-0x0000000000B33000-memory.dmp (Filesize: 3.0MB)
- memory/644-57-0x000000000041D3E0-mapping.dmp
- memory/644-56-0x0000000000400000-0x0000000000429000-memory.dmp (Filesize: 164KB)
- memory/1356-64-0x00000000071C0000-0x00000000072FF000-memory.dmp (Filesize: 1.2MB)
- memory/1356-61-0x00000000064C0000-0x00000000065DA000-memory.dmp (Filesize: 1.1MB)
- memory/1356-71-0x0000000008E60000-0x0000000008F65000-memory.dmp (Filesize: 1.0MB)
- memory/1880-54-0x00000000759B1000-0x00000000759B3000-memory.dmp (Filesize: 8KB)