Analysis
max time kernel
153s
max time network
153s
platform
windows7_x64
resource
win7-en-20211104
submitted
10-11-2021 13:18
Static task
static1
Behavioral task
behavioral1
Sample
SOA_OCT 2021.exe
Resource
win7-en-20211104
General
Target
SOA_OCT 2021.exe
Size
269KB
MD5
75f24a7fd78d30dc1287852829e55fe1
SHA1
b5a09b34b18f14d44c311f84a5e705bdc6684e0c
SHA256
fcf7e7eea1f4983f876bb52b0e40e09fedf69a92dcec11be50ff87e169824601
SHA512
58e19c58f39ca00ff9d5be73271471eff557b7d5041d6f3d99dbb0f6417212e351f45199548e7884c5f54e52c56d8dab4d52c0f500627ca7c4647407f9c91b6d
Malware Config
Extracted
xloader
2.5
e8ia
http://www.helpfromjames.com/e8ia/
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1228-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1228-58-0x000000000041D4D0-mapping.dmp | xloader
behavioral1/memory/1228-63-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/1700-68-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: wininit.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wininit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LPXPD = "C:\\Program Files (x86)\\Cdl5xf\\chkdskpbchjl5.exe" | wininit.exe
Deletes itself 1 IoCs
Processes: cmd.exe
pid | process
1200 | cmd.exe
Loads dropped DLL 1 IoCs
Processes: SOA_OCT 2021.exe
pid | process
1296 | SOA_OCT 2021.exe
Suspicious use of SetThreadContext 4 IoCs
Processes: SOA_OCT 2021.exe, wininit.exe
description | pid | process | target process
PID 1296 set thread context of 1228 | 1296 | SOA_OCT 2021.exe | SOA_OCT 2021.exe
PID 1228 set thread context of 1384 | 1228 | SOA_OCT 2021.exe | Explorer.EXE
PID 1228 set thread context of 1384 | 1228 | SOA_OCT 2021.exe | Explorer.EXE
PID 1700 set thread context of 1384 | 1700 | wininit.exe | Explorer.EXE
Drops file in Program Files directory 1 IoCs
Processes: wininit.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Cdl5xf\chkdskpbchjl5.exe | wininit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings 1 IoCs
Processes: wininit.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-103686315-404690609-2047157615-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wininit.exe
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: SOA_OCT 2021.exe, wininit.exe
pid | process
1228 | SOA_OCT 2021.exe (3 entries)
1700 | wininit.exe (26 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
1384 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes: SOA_OCT 2021.exe, wininit.exe
pid | process
1228 | SOA_OCT 2021.exe (4 entries)
1700 | wininit.exe (3 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: SOA_OCT 2021.exe, wininit.exe
description | pid | process
Token: SeDebugPrivilege | 1228 | SOA_OCT 2021.exe
Token: SeDebugPrivilege | 1700 | wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: Explorer.EXE
pid | process
1384 | Explorer.EXE (2 entries)
Suspicious use of SendNotifyMessage 2 IoCs
Processes: Explorer.EXE
pid | process
1384 | Explorer.EXE (2 entries)
Suspicious use of WriteProcessMemory 19 IoCs
Processes: SOA_OCT 2021.exe, Explorer.EXE, wininit.exe
description | pid | process | target process
PID 1296 wrote to memory of 1228 | 1296 | SOA_OCT 2021.exe | SOA_OCT 2021.exe (7 entries)
PID 1384 wrote to memory of 1700 | 1384 | Explorer.EXE | wininit.exe (4 entries)
PID 1700 wrote to memory of 1200 | 1700 | wininit.exe | cmd.exe (4 entries)
PID 1700 wrote to memory of 288 | 1700 | wininit.exe | Firefox.exe (4 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wininit.exe
    command line: "C:\Windows\SysWOW64\wininit.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\SOA_OCT 2021.exe"
      - Deletes itself
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsdC7E2.tmp\zqrogrizrdl.dll
  MD5: 111cf887cc57c1bfae19720dc6620c00
  SHA1: 5e2a2a3bb73df5351b019a757f3e4880ce4006be
  SHA256: 4461591c65cd4e32c75ece28af45fa02370d8b31404d4a8b73303208b7fa6dea
  SHA512: 0222ec6802c09238278604fe66a5eeac69b0dcff145104cbb11acac99998b6d35e3f5dd02c44c3674d7685574d7cf8c244ff3b4363a7c87c7392010612d5ad75
memory/1200-69-0x0000000000000000-mapping.dmp
memory/1228-64-0x00000000005D0000-0x00000000005E1000-memory.dmp
  Filesize: 68KB
memory/1228-58-0x000000000041D4D0-mapping.dmp
memory/1228-61-0x0000000000570000-0x0000000000581000-memory.dmp
  Filesize: 68KB
memory/1228-60-0x00000000006F0000-0x00000000009F3000-memory.dmp
  Filesize: 3.0MB
memory/1228-57-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
memory/1228-63-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
memory/1296-55-0x00000000765D1000-0x00000000765D3000-memory.dmp
  Filesize: 8KB
memory/1384-65-0x0000000006C60000-0x0000000006DE7000-memory.dmp
  Filesize: 1.5MB
memory/1384-62-0x0000000006460000-0x0000000006548000-memory.dmp
  Filesize: 928KB
memory/1384-72-0x0000000006E80000-0x0000000006F9B000-memory.dmp
  Filesize: 1.1MB
memory/1700-66-0x0000000000000000-mapping.dmp
memory/1700-67-0x0000000000720000-0x000000000073A000-memory.dmp
  Filesize: 104KB
memory/1700-68-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
memory/1700-70-0x0000000001FF0000-0x00000000022F3000-memory.dmp
  Filesize: 3.0MB
memory/1700-71-0x0000000000620000-0x00000000006B0000-memory.dmp
  Filesize: 576KB