TT COPY_02101011.exe
TT COPY_02101011.exe
302KB
25-11-2021 16:49
ebabc0d66a9e01cc0926f3b311feff5f
83a44664135a7255045becde754dae29be496c8f
ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
Extracted
Family | xloader |
Version | 2.5 |
Campaign | e8ia |
C2 |
http://www.helpfromjames.com/e8ia/ |
Decoy |
le-hameau-enchanteur.com quantumsystem-au.club engravedeeply.com yesrecompensas.lat cavallitowerofficials.com 800seaspray.com skifun-jetski.com thouartafoot.com nft2dollar.com petrestore.online cjcutthecord2.com tippimccullough.com gadget198.xyz djmiriam.com bitbasepay.com cukierniawz.com mcclureic.xyz inthekitchenshakinandbakin.com busy-clicks.com melaniemorris.online elysiangp.com 7bkj.com wakeanddraw.com ascalar.com iteraxon.com henleygirlscricket.com torresflooringdecorllc.com helgquieta.quest xesteem.com graffity-aws.com bolerparts.com andriylysenko.com bestinvest-4-you.com frelsicycling.com airductcleaningindianapolis.net nlproperties.net alkoora.xyz sakiyaman.com wwwsmyrnaschooldistrict.com unitedsafetyassociation.com fiveallianceapparel.com edgelordkids.com herhauling.com intelldat.com weprepareamerica-planet.com webartsolution.net yiquge.com marraasociados.com dentalimplantnearyou-ca.space linemanbible.com |
Filter: none
-
Xloader
Description
Xloader is a rebranded version of Formbook malware.
Tags
-
Xloader Payload
Tags
Reported IOCs
resource yara_rule behavioral2/memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/3740-117-0x000000000041D4D0-mapping.dmp xloader behavioral2/memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp xloader behavioral2/memory/3456-137-0x000000000041D4D0-mapping.dmp xloader -
Executes dropped EXEqxlh8tbpylmdi6ex.exeqxlh8tbpylmdi6ex.exe
Reported IOCs
pid process 1880 qxlh8tbpylmdi6ex.exe 3456 qxlh8tbpylmdi6ex.exe -
Loads dropped DLLTT COPY_02101011.exeqxlh8tbpylmdi6ex.exe
Reported IOCs
pid process 2636 TT COPY_02101011.exe 1880 qxlh8tbpylmdi6ex.exe -
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Adds Run key to start applicationcmd.exe
Tags
TTPs
Reported IOCs
description ioc process Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5J3DUFWXGH = "C:\\Program Files (x86)\\Isxxxv4vp\\qxlh8tbpylmdi6ex.exe" cmd.exe -
Suspicious use of SetThreadContextTT COPY_02101011.exeTT COPY_02101011.execmd.exeqxlh8tbpylmdi6ex.exe
Reported IOCs
description pid process target process PID 2636 set thread context of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 3740 set thread context of 3020 3740 TT COPY_02101011.exe Explorer.EXE PID 3012 set thread context of 3020 3012 cmd.exe Explorer.EXE PID 1880 set thread context of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe -
Drops file in Program Files directoryExplorer.EXEcmd.exe
Reported IOCs
description ioc process File created C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe Explorer.EXE File opened for modification C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe cmd.exe File opened for modification C:\Program Files (x86)\Isxxxv4vp Explorer.EXE -
Enumerates physical storage devices
Description
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
TTPs
-
NSIS installer
Tags
Reported IOCs
resource yara_rule behavioral2/files/0x0003000000000689-132.dat nsis_installer_1 behavioral2/files/0x0003000000000689-132.dat nsis_installer_2 behavioral2/files/0x0003000000000689-133.dat nsis_installer_1 behavioral2/files/0x0003000000000689-133.dat nsis_installer_2 behavioral2/files/0x0003000000000689-138.dat nsis_installer_1 behavioral2/files/0x0003000000000689-138.dat nsis_installer_2 -
Modifies Internet Explorer settingscmd.exe
Tags
TTPs
Reported IOCs
description ioc process Key created \Registry\User\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmd.exe -
Suspicious behavior: EnumeratesProcessesTT COPY_02101011.execmd.exeqxlh8tbpylmdi6ex.exe
Reported IOCs
pid process 3740 TT COPY_02101011.exe 3740 TT COPY_02101011.exe 3740 TT COPY_02101011.exe 3740 TT COPY_02101011.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3456 qxlh8tbpylmdi6ex.exe 3456 qxlh8tbpylmdi6ex.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe -
Suspicious behavior: GetForegroundWindowSpamExplorer.EXE
Reported IOCs
pid process 3020 Explorer.EXE -
Suspicious behavior: MapViewOfSectionTT COPY_02101011.execmd.exe
Reported IOCs
pid process 3740 TT COPY_02101011.exe 3740 TT COPY_02101011.exe 3740 TT COPY_02101011.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe 3012 cmd.exe -
Suspicious use of AdjustPrivilegeTokenTT COPY_02101011.execmd.exeExplorer.EXEqxlh8tbpylmdi6ex.exe
Reported IOCs
description pid process Token: SeDebugPrivilege 3740 TT COPY_02101011.exe Token: SeDebugPrivilege 3012 cmd.exe Token: SeShutdownPrivilege 3020 Explorer.EXE Token: SeCreatePagefilePrivilege 3020 Explorer.EXE Token: SeDebugPrivilege 3456 qxlh8tbpylmdi6ex.exe -
Suspicious use of WriteProcessMemoryTT COPY_02101011.exeExplorer.EXEcmd.exeqxlh8tbpylmdi6ex.exe
Reported IOCs
description pid process target process PID 2636 wrote to memory of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 2636 wrote to memory of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 2636 wrote to memory of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 2636 wrote to memory of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 2636 wrote to memory of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 2636 wrote to memory of 3740 2636 TT COPY_02101011.exe TT COPY_02101011.exe PID 3020 wrote to memory of 3012 3020 Explorer.EXE cmd.exe PID 3020 wrote to memory of 3012 3020 Explorer.EXE cmd.exe PID 3020 wrote to memory of 3012 3020 Explorer.EXE cmd.exe PID 3012 wrote to memory of 4072 3012 cmd.exe cmd.exe PID 3012 wrote to memory of 4072 3012 cmd.exe cmd.exe PID 3012 wrote to memory of 4072 3012 cmd.exe cmd.exe PID 3012 wrote to memory of 2596 3012 cmd.exe cmd.exe PID 3012 wrote to memory of 2596 3012 cmd.exe cmd.exe PID 3012 wrote to memory of 2596 3012 cmd.exe cmd.exe PID 3012 wrote to memory of 1688 3012 cmd.exe Firefox.exe PID 3012 wrote to memory of 1688 3012 cmd.exe Firefox.exe PID 3012 wrote to memory of 1688 3012 cmd.exe Firefox.exe PID 3020 wrote to memory of 1880 3020 Explorer.EXE qxlh8tbpylmdi6ex.exe PID 3020 wrote to memory of 1880 3020 Explorer.EXE qxlh8tbpylmdi6ex.exe PID 3020 wrote to memory of 1880 3020 Explorer.EXE qxlh8tbpylmdi6ex.exe PID 1880 wrote to memory of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe PID 1880 wrote to memory of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe PID 1880 wrote to memory of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe PID 1880 wrote to memory of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe PID 1880 wrote to memory of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe PID 1880 wrote to memory of 3456 1880 qxlh8tbpylmdi6ex.exe qxlh8tbpylmdi6ex.exe
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXEDrops file in Program Files directorySuspicious behavior: GetForegroundWindowSpamSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"Loads dropped DLLSuspicious use of SetThreadContextSuspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"Suspicious use of SetThreadContextSuspicious behavior: EnumeratesProcessesSuspicious behavior: MapViewOfSectionSuspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"Adds Run key to start applicationSuspicious use of SetThreadContextDrops file in Program Files directoryModifies Internet Explorer settingsSuspicious behavior: EnumeratesProcessesSuspicious behavior: MapViewOfSectionSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\TT COPY_02101011.exe"
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
-
C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe"
-
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"Executes dropped EXELoads dropped DLLSuspicious use of SetThreadContextSuspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe"Executes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
MD5ebabc0d66a9e01cc0926f3b311feff5f
SHA183a44664135a7255045becde754dae29be496c8f
SHA256ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
SHA512b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
-
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
MD5ebabc0d66a9e01cc0926f3b311feff5f
SHA183a44664135a7255045becde754dae29be496c8f
SHA256ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
SHA512b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
-
C:\Program Files (x86)\Isxxxv4vp\qxlh8tbpylmdi6ex.exe
MD5ebabc0d66a9e01cc0926f3b311feff5f
SHA183a44664135a7255045becde754dae29be496c8f
SHA256ea8733d0ea6248e2f522487d09e7854230a648e67f1a5e90fea31f6305a1ff7b
SHA512b9f9c3ec7080bf31e0ab43b68f8183d75a59ae262e7320e846883f7ec91695e5e01d70432a163252712fc7bdb6e27b6e5fb6b5589e31eb8779f3b2b5586eeeeb
-
C:\Users\Admin\AppData\Local\Temp\5itxry81kuzl8up3
MD57cfbccd72474438d7fc638703213241c
SHA145da096b227587739be2cfd1fd216a7a0fc40a9a
SHA25602e9f10a4673cf06dc6ded72098e6d37e6162b5c88937eb67ebbfc0c0ee39d58
SHA51266b38fd3c6a4a9c85338e13776204a65a4be9323357c7758472946f2cc21ece513d4df4790cf232d109083365360046be38732725f09b56d5fc0bf4b0cc0629b
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5b608d407fc15adea97c26936bc6f03f6
SHA1953e7420801c76393902c0d6bb56148947e41571
SHA256b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
\Users\Admin\AppData\Local\Temp\nssCA47.tmp\wdtzbwxasut.dll
MD554c860c5cd0476d353802753c7bbfb06
SHA1f3fac4c8e96cbb528944fe76c7f74fda8171a597
SHA25619fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
SHA51283dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183
-
\Users\Admin\AppData\Local\Temp\nswC461.tmp\wdtzbwxasut.dll
MD554c860c5cd0476d353802753c7bbfb06
SHA1f3fac4c8e96cbb528944fe76c7f74fda8171a597
SHA25619fbfdb247a76a54351902926c309fd6d3e7be25c6dca0062fc781215680913e
SHA51283dd85d9a54a1fa688c7776a15e48d70b8ec12ed789f4ac2054fa3affaed3fdaa375a5bd3d542c7b1831810a4825ee518a14f2390c50bfb65d9b774bceb6b183
-
memory/1880-131-0x0000000000000000-mapping.dmp
-
memory/2596-129-0x0000000000000000-mapping.dmp
-
memory/3012-124-0x0000000002340000-0x0000000002369000-memory.dmp
-
memory/3012-126-0x0000000002D70000-0x0000000003090000-memory.dmp
-
memory/3012-123-0x00000000001E0000-0x0000000000239000-memory.dmp
-
memory/3012-122-0x0000000000000000-mapping.dmp
-
memory/3012-127-0x0000000003090000-0x0000000003120000-memory.dmp
-
memory/3020-128-0x00000000064E0000-0x0000000006666000-memory.dmp
-
memory/3020-121-0x00000000061D0000-0x0000000006375000-memory.dmp
-
memory/3456-137-0x000000000041D4D0-mapping.dmp
-
memory/3456-139-0x0000000000A30000-0x0000000000D50000-memory.dmp
-
memory/3740-116-0x0000000000400000-0x0000000000429000-memory.dmp
-
memory/3740-120-0x00000000005E0000-0x00000000005F1000-memory.dmp
-
memory/3740-119-0x0000000000A50000-0x0000000000D70000-memory.dmp
-
memory/3740-117-0x000000000041D4D0-mapping.dmp
-
memory/4072-125-0x0000000000000000-mapping.dmp