Analysis
max time kernel: 155s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211014
submitted: 10-11-2021 11:15
Static task: static1
Behavioral task: behavioral1
Sample: SOA_OCT 2021.exe
Resource: win7-en-20211014
General
Target: SOA_OCT 2021.exe
Size: 269KB
MD5: 75f24a7fd78d30dc1287852829e55fe1
SHA1: b5a09b34b18f14d44c311f84a5e705bdc6684e0c
SHA256: fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601
SHA512: 58e19c58f39ca00ff9d5be73271471eff557b7d5041d6f3d99dbb0f6417212e351f45199548e7884c5f54e52c56d8dab4d52c0f500627ca7c4647407f9c91b6d
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: e8ia
C2 URL (as extracted): http://www.helpfromjames.com/e8ia/
Domains (64): the sample builds check-in URLs of the form http://www.<domain>/e8ia/ from this list. Only one entry is the live C2; the rest are decoys that the malware also contacts to hide it, and many are ordinary third-party sites. Treat the list as a hunting artefact and verify before adding entries to a blocklist.
le-hameau-enchanteur.com
quantumsystem-au.club
engravedeeply.com
yesrecompensas.lat
cavallitowerofficials.com
800seaspray.com
skifun-jetski.com
thouartafoot.com
nft2dollar.com
petrestore.online
cjcutthecord2.com
tippimccullough.com
gadget198.xyz
djmiriam.com
bitbasepay.com
cukierniawz.com
mcclureic.xyz
inthekitchenshakinandbakin.com
busy-clicks.com
melaniemorris.online
elysiangp.com
7bkj.com
wakeanddraw.com
ascalar.com
iteraxon.com
henleygirlscricket.com
torresflooringdecorllc.com
helgquieta.quest
xesteem.com
graffity-aws.com
bolerparts.com
andriylysenko.com
bestinvest-4-you.com
frelsicycling.com
airductcleaningindianapolis.net
nlproperties.net
alkoora.xyz
sakiyaman.com
wwwsmyrnaschooldistrict.com
unitedsafetyassociation.com
fiveallianceapparel.com
edgelordkids.com
herhauling.com
intelldat.com
weprepareamerica-planet.com
webartsolution.net
yiquge.com
marraasociados.com
dentalimplantnearyou-ca.space
linemanbible.com
dunamisdispatchservicellc.com
latamoperationalinstitute.com
stpaulsschoolbagidora.com
groupninemed.com
solar-tribe.com
footairdz.com
blttsperma.quest
xfeuio.xyz
sahodyafbdchapter.com
0934800.com
dandftrading.com
gladway.net
mineriasinmercurio.com
inaampm.com
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)

Xloader Payload 3 IoCs
YARA rule "xloader" matched these dumps:
  behavioral1/memory/468-57-0x0000000000400000-0x0000000000429000-memory.dmp
  behavioral1/memory/468-58-0x000000000041D4D0-mapping.dmp
  behavioral1/memory/1488-67-0x00000000000E0000-0x0000000000109000-memory.dmp

Deletes itself 1 IoCs
  PID 1792 cmd.exe

Loads dropped DLL 1 IoCs
  PID 2008 SOA_OCT 2021.exe

Suspicious use of SetThreadContext 3 IoCs
  PID 2008 (SOA_OCT 2021.exe) set thread context of PID 468 (SOA_OCT 2021.exe)
  PID 468 (SOA_OCT 2021.exe) set thread context of PID 1200 (Explorer.EXE)
  PID 1488 (control.exe) set thread context of PID 1200 (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description of this signature is "likely ransomware behaviour"; for an Xloader/FormBook sample, an information stealer, drive enumeration on its own is not evidence of encryption activity.
Suspicious behavior: EnumeratesProcesses 30 IoCs
  PID 468 SOA_OCT 2021.exe (2 hits)
  PID 1488 control.exe (28 hits)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 1200 Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
  PID 468 SOA_OCT 2021.exe (3 hits)
  PID 1488 control.exe (2 hits)

Suspicious use of AdjustPrivilegeToken 2 IoCs
  Token: SeDebugPrivilege  PID 468 SOA_OCT 2021.exe
  Token: SeDebugPrivilege  PID 1488 control.exe

Suspicious use of FindShellTrayWindow 2 IoCs
  PID 1200 Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage 2 IoCs
  PID 1200 Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory 15 IoCs
  PID 2008 (SOA_OCT 2021.exe) wrote to memory of PID 468 (SOA_OCT 2021.exe) (7 hits)
  PID 1200 (Explorer.EXE) wrote to memory of PID 1488 (control.exe) (4 hits)
  PID 1488 (control.exe) wrote to memory of PID 1792 (cmd.exe) (4 hits)
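The SetThreadContext and WriteProcessMemory tables above give the injection chain only as raw PID pairs. The Python below is an added example, not part of the sandbox report: it transcribes those pairs and labels each one by the API combination the sandbox recorded, which is how an analyst separates hollowing of a suspended self-copy (writes plus a thread-context change into the same image) from section-based injection (thread-context change with no writes, which lines up with the MapViewOfSection hits on PIDs 468 and 1488) and from ordinary process creation (a few writes, no thread hijack). The event tuples are copied from the tables; the function names and label strings are this example's own.

```python
from collections import Counter

# Events transcribed from the report's SetThreadContext and WriteProcessMemory
# signature tables: (api, source_pid, source_image, target_pid, target_image).
EVENTS = (
    [("SetThreadContext", 2008, "SOA_OCT 2021.exe", 468, "SOA_OCT 2021.exe"),
     ("SetThreadContext", 468, "SOA_OCT 2021.exe", 1200, "Explorer.EXE"),
     ("SetThreadContext", 1488, "control.exe", 1200, "Explorer.EXE")]
    + [("WriteProcessMemory", 2008, "SOA_OCT 2021.exe", 468, "SOA_OCT 2021.exe")] * 7
    + [("WriteProcessMemory", 1200, "Explorer.EXE", 1488, "control.exe")] * 4
    + [("WriteProcessMemory", 1488, "control.exe", 1792, "cmd.exe")] * 4
)

# Label strings used by classify(); chosen for this example.
HOLLOWING = "hollowing of a suspended copy of itself"
SECTION_INJECT = ("thread hijack with no WriteProcessMemory: payload likely mapped "
                  "into the target via a section (see MapViewOfSection)")
SPAWN = "writes only, no thread-context change: consistent with ordinary process creation"


def classify(events):
    """Return {(src_pid, dst_pid): (src_image, dst_image, write_count, label)}.

    WriteProcessMemory + SetThreadContext into a process with the same image
    is the classic hollowing/RunPE pattern. SetThreadContext into a different
    image with no recorded writes means the code got there another way (a
    mapped section). A handful of writes with no thread hijack is what a
    parent does when it starts a child, so on its own it is low signal.
    """
    writes = Counter((s, t) for api, s, _, t, _ in events if api == "WriteProcessMemory")
    hijacks = {(s, t) for api, s, _, t, _ in events if api == "SetThreadContext"}
    image = {}
    for _, s, si, t, ti in events:
        image[s], image[t] = si, ti

    findings = {}
    for src, dst in sorted(set(writes) | hijacks):
        if (src, dst) in hijacks and image[src] == image[dst]:
            label = HOLLOWING
        elif (src, dst) in hijacks:
            label = SECTION_INJECT
        else:
            label = SPAWN
        findings[(src, dst)] = (image[src], image[dst], writes[(src, dst)], label)
    return findings


def injection_chain(events, root):
    """Follow SetThreadContext edges from `root`: the hosts the payload moved through."""
    hijacks = {}
    for api, s, _, t, _ in events:
        if api == "SetThreadContext":
            hijacks.setdefault(s, []).append(t)
    chain, cur = [root], root
    while hijacks.get(cur):
        cur = hijacks[cur][0]
        if cur in chain:  # guard against a cycle in a noisy trace
            break
        chain.append(cur)
    return chain


if __name__ == "__main__":
    for (s, d), (si, di, n, label) in classify(EVENTS).items():
        print(f"{s} ({si}) -> {d} ({di}): {n} write(s); {label}")
    print("payload path:", " -> ".join(map(str, injection_chain(EVENTS, 2008))))
```

Run stand-alone it prints five pairs: 2008 -> 468 as hollowing, 468 -> 1200 and 1488 -> 1200 as section-style injection into Explorer, and the two writes-only pairs (Explorer starting control.exe, control.exe starting the cmd.exe that deletes the dropper). The same logic applies to Sysmon event 8/10 style telemetry once the tuples come from a log parser instead of a transcribed list.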
Processes
1. C:\Windows\Explorer.EXE (PID 1200)
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe (PID 2008)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe (PID 468)
         Command line: "C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\control.exe (PID 1488)
      Command line: "C:\Windows\SysWOW64\control.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1792)
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe"
         - Deletes itself
Downloads
\Users\Admin\AppData\Local\Temp\nst5CC.tmp\zqrogrizrdl.dll
  MD5: 111cf887cc57c1bfae19720dc6620c00
  SHA1: 5e2a2a3bb73df5351b019a757f3e4880ce4006be
  SHA256: 4461591c65cd4e32c75ece28af45fa02370d8b31404d4a8b73303208b7fa6dea
  SHA512: 0222ec6802c09238278604fe66a5eeac69b0dcff145104cbb11acac99998b6d35e3f5dd02c44c3674d7685574d7cf8c244ff3b4363a7c87c7392010612d5ad75
  An ns*.tmp directory under %TEMP% is the NSIS installer's plugin-extraction directory, so this is the DLL behind the "Loads dropped DLL" hit on PID 2008.

Memory dumps (label format: memory/<pid>-<sequence>-<start>-<end>-memory.dmp, or memory/<pid>-<sequence>-<address>-mapping.dmp)
  memory/468-61-0x0000000000350000-0x0000000000361000-memory.dmp   68KB
  memory/468-57-0x0000000000400000-0x0000000000429000-memory.dmp   164KB
  memory/468-58-0x000000000041D4D0-mapping.dmp
  memory/468-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp   3.0MB
  memory/1200-62-0x0000000003D50000-0x0000000003E2F000-memory.dmp  892KB
  memory/1200-70-0x0000000006120000-0x00000000061CE000-memory.dmp  696KB
  memory/1488-63-0x0000000000000000-mapping.dmp
  memory/1488-66-0x00000000000C0000-0x00000000000DF000-memory.dmp  124KB
  memory/1488-67-0x00000000000E0000-0x0000000000109000-memory.dmp  164KB
  memory/1488-68-0x0000000001EB0000-0x00000000021B3000-memory.dmp  3.0MB
  memory/1488-69-0x0000000001D20000-0x0000000001DB0000-memory.dmp  576KB
  memory/1792-65-0x0000000000000000-mapping.dmp
  memory/2008-55-0x0000000075191000-0x0000000075193000-memory.dmp  8KB
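The dump labels above encode PID, sequence number and address range, and the listed sizes can be recomputed from the ranges. The Python below is an added example, not part of the report: it parses the labels (the dictionary is transcribed from the list above), verifies every listed size, finds regions of identical size living in different PIDs (the 164KB Xloader payload sits in PID 468 at its 0x400000 image base and again in PID 1488 at 0xE0000, which is what the YARA hits on 468-57 and 1488-67 point at), and locates which region the 0x41D4D0 mapping address in PID 468 falls inside. Function names and the regular expressions are this example's own.

```python
import re

# Dump labels and listed sizes transcribed from the report's Downloads section.
DUMPS = {
    "memory/468-61-0x0000000000350000-0x0000000000361000-memory.dmp": "68KB",
    "memory/468-57-0x0000000000400000-0x0000000000429000-memory.dmp": "164KB",
    "memory/468-58-0x000000000041D4D0-mapping.dmp": None,
    "memory/468-59-0x00000000008A0000-0x0000000000BA3000-memory.dmp": "3.0MB",
    "memory/1200-62-0x0000000003D50000-0x0000000003E2F000-memory.dmp": "892KB",
    "memory/1200-70-0x0000000006120000-0x00000000061CE000-memory.dmp": "696KB",
    "memory/1488-63-0x0000000000000000-mapping.dmp": None,
    "memory/1488-66-0x00000000000C0000-0x00000000000DF000-memory.dmp": "124KB",
    "memory/1488-67-0x00000000000E0000-0x0000000000109000-memory.dmp": "164KB",
    "memory/1488-68-0x0000000001EB0000-0x00000000021B3000-memory.dmp": "3.0MB",
    "memory/1488-69-0x0000000001D20000-0x0000000001DB0000-memory.dmp": "576KB",
    "memory/1792-65-0x0000000000000000-mapping.dmp": None,
    "memory/2008-55-0x0000000075191000-0x0000000075193000-memory.dmp": "8KB",
}

# Label grammar as observed on the page (regexes written for this example).
REGION = re.compile(r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
MAPPING = re.compile(r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<addr>[0-9A-Fa-f]+)-mapping\.dmp$")


def parse_label(label):
    """Split a dump label into its fields; sizes come from the address range."""
    m = REGION.match(label)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"kind": "region", "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": start, "end": end, "size": end - start}
    m = MAPPING.match(label)
    if m:
        return {"kind": "mapping", "pid": int(m["pid"]), "seq": int(m["seq"]),
                "addr": int(m["addr"], 16)}
    raise ValueError(f"unrecognised dump label: {label}")


def human(nbytes):
    """Render a size the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def checks(dumps):
    """{label: True/False}: does the listed size match the one recomputed from the range?"""
    out = {}
    for label, listed in dumps.items():
        d = parse_label(label)
        if d["kind"] == "region":
            out[label] = human(d["size"]) == listed
    return out


def cross_process_regions(dumps):
    """Sizes that occur in more than one PID: the same payload living in several hosts."""
    by_size = {}
    for label in dumps:
        d = parse_label(label)
        if d["kind"] == "region":
            by_size.setdefault(d["size"], []).append((d["pid"], d["start"]))
    return {size: hits for size, hits in by_size.items() if len({pid for pid, _ in hits}) > 1}


def region_containing(dumps, pid, addr):
    """Label of the dumped region in `pid` that contains `addr`, or None."""
    for label in dumps:
        d = parse_label(label)
        if d["kind"] == "region" and d["pid"] == pid and d["start"] <= addr < d["end"]:
            return label
    return None


if __name__ == "__main__":
    bad = [label for label, ok in checks(DUMPS).items() if not ok]
    print("size mismatches:", bad or "none")
    for size, hits in sorted(cross_process_regions(DUMPS).items()):
        where = ", ".join(f"PID {pid} @ 0x{start:X}" for pid, start in sorted(hits))
        print(f"{human(size)} region present in several processes: {where}")
    print("0x41D4D0 in PID 468 lies in:", region_containing(DUMPS, 468, 0x41D4D0))
```

Two sizes recur across processes: the 164KB (0x29000) region and the 3.0MB (0x303000) region each appear once in PID 468 and once in PID 1488, which is the relocated copy of the payload after the second injection hop; the mapping address 0x41D4D0 lands inside the 0x400000-0x429000 region of PID 468. The 0x0 mapping entries for PIDs 1488 and 1792 have no region to resolve to.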