Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 08-11-2021 07:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: Enquiry Reference Number 0025559278.exe
- Resource: win7-en-20211104
General
- Target: Enquiry Reference Number 0025559278.exe
- Size: 744KB
- MD5: cd9435966d20de265bc5f6f40daff4a3
- SHA1: 76cb2ab21a6009275ba3dcbe256a15a211833f35
- SHA256: 45790f1cc3cb37ecfe541981ddf9d25684d92576cceb6bdb809f345014de84f0
- SHA512: 95b3749be5950d52c3124df37971a0d03f3c7dd10168df13d9d2a2e523f6c435e51866207d9263f12164d86ab9e310ad098175ef59b9f1d83c678197cb44d528
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: u0n0
- C2: http://www.52xjg3.xyz/u0n0/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload (3 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/552-63-0x0000000000400000-0x0000000000429000-memory.dmp   xloader
  behavioral1/memory/552-64-0x000000000041D440-mapping.dmp                     xloader
  behavioral1/memory/1088-72-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader
- Deletes itself (1 IoC)
  Processes:
  pid   process
  988   cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description                          pid   process                                  target process
  PID 1472 set thread context of 552   1472  Enquiry Reference Number 0025559278.exe  Enquiry Reference Number 0025559278.exe
  PID 552 set thread context of 1412   552   Enquiry Reference Number 0025559278.exe  Explorer.EXE
  PID 1088 set thread context of 1412  1088  netsh.exe                                Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes:
  pid   process
  552   Enquiry Reference Number 0025559278.exe  (2 entries)
  1088  netsh.exe                                (22 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes:
  pid   process
  552   Enquiry Reference Number 0025559278.exe  (3 entries)
  1088  netsh.exe                                (2 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   552   Enquiry Reference Number 0025559278.exe
  Token: SeDebugPrivilege   1088  netsh.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes:
  pid   process
  1412  Explorer.EXE  (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes:
  pid   process
  1412  Explorer.EXE  (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                          pid   process                                  target process
  PID 1472 wrote to memory of 552      1472  Enquiry Reference Number 0025559278.exe  Enquiry Reference Number 0025559278.exe  (7 entries)
  PID 1412 wrote to memory of 1088     1412  Explorer.EXE                             netsh.exe                                (4 entries)
  PID 1088 wrote to memory of 988      1088  netsh.exe                                cmd.exe                                  (4 entries)
Processes
- C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\netsh.exe (level 2)
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Enquiry Reference Number 0025559278.exe"
      - Deletes itself
Downloads
- memory/552-63-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/552-67-0x0000000000320000-0x0000000000331000-memory.dmp (filesize 68KB)
- memory/552-65-0x00000000008B0000-0x0000000000BB3000-memory.dmp (filesize 3.0MB)
- memory/552-64-0x000000000041D440-mapping.dmp
- memory/552-61-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/552-62-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/988-70-0x0000000000000000-mapping.dmp
- memory/1088-69-0x0000000000000000-mapping.dmp
- memory/1088-71-0x00000000012D0000-0x00000000012EB000-memory.dmp (filesize 108KB)
- memory/1088-72-0x0000000000080000-0x00000000000A9000-memory.dmp (filesize 164KB)
- memory/1088-73-0x0000000000BD0000-0x0000000000ED3000-memory.dmp (filesize 3.0MB)
- memory/1088-74-0x0000000000990000-0x0000000000A20000-memory.dmp (filesize 576KB)
- memory/1412-68-0x0000000004EE0000-0x0000000004FDE000-memory.dmp (filesize 1016KB)
- memory/1412-75-0x0000000005160000-0x00000000052C5000-memory.dmp (filesize 1.4MB)
- memory/1472-60-0x00000000051D0000-0x0000000005216000-memory.dmp (filesize 280KB)
- memory/1472-59-0x0000000000440000-0x0000000000447000-memory.dmp (filesize 28KB)
- memory/1472-58-0x0000000005090000-0x0000000005091000-memory.dmp (filesize 4KB)
- memory/1472-55-0x0000000001290000-0x0000000001291000-memory.dmp (filesize 4KB)
- memory/1472-57-0x0000000075C51000-0x0000000075C53000-memory.dmp (filesize 8KB)