Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-en-20211014
submitted: 06-12-2021 07:24

Static task: static1
Behavioral task: behavioral1
Sample: KBH-209294916.js
Resource: win7-en-20211014
General

Target: KBH-209294916.js
Size: 317KB
MD5: 7af00552a9b9ae64342d289f60c43627
SHA1: dae12e7429417f66e4419bfc6cb1b0f1e820c7c9
SHA256: 4dd51675717f0f703ecbfa8e39c69a3038d2a3a42927a1cb5ab0271d3bfebbb4
SHA512: dbde91eaf3dff80b491e96336d90992f8ce3251e4ce3dd4f510135fedd7ef3b8810daaa4171eb64805780500e2ff5a44b1501ae0467eeba2b5d29254059e3f07
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: pzi0
C2: http://www.buffstaff.com/pzi0/
Decoy domains (64):
laylmodest.com
woruke.club
metaverseslots.net
syscogent.net
aluxxenterprise.com
lm-solar.com
lightempirestore.com
witcheboutique.com
hometech-bosch.xyz
expert-netcad.com
poteconomist.com
mycousinsfriend.biz
shineveranda.com
collegedictionary.cloud
zqlidexx.com
businessesopportunity.com
2utalahs4.com
participatetn.info
dare2ownit.com
varser.com
gxo.digital
networkroftrl.xyz
renturways.com
theprooff.com
ncgf06.xyz
lighterior2.com
one-seo.xyz
benzprod.xyz
k6tkuwrnjake.biz
robinlynnolson.com
ioptest.com
modern-elementz.com
baetsupreme.net
lapetiteagencequimonte.com
xn--bellemre-60a.com
bringthegalaxy.com
shopnobra.com
maroondragon.com
pandemictickets.com
intelligentrereturns.net
quietshop.art
anarkalidress.com
wasserstoff-station.net
filmweltruhr.com
buck100.com
maxicashprommu.xyz
studiosilhouettes.com
lightningridgetradingpost.com
zhuanzhuan9987.top
mlelement.com
krystalsescapetravels.com
simplyabcbooks.com
greenhouse1995systems.com
altogetheradhd.com
servicedogumentary.com
cdcawpx.com
motometics.com
palisadesattahoe.com
paradgmpharma.com
microexpertise.com
venkycouture.online
maculardegenerationtsusanet.com
atlasbrandwear.com
karegcc.com
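The extracted config above is what a responder actually works from, so it is worth turning into something a blocklist or SIEM can consume. The Python below is an added example, not part of the sandbox report and not any extractor's output: it checks that the C2 URL's path matches the campaign ID, decodes the punycode decoy (xn--bellemre-60a.com) so its homograph form is visible, and emits one CSV row per host. The function names and CSV layout are this example's own, the decoy list is a subset of the 64 domains above, and the per-decoy URLs rest on the assumption that each decoy is contacted under the same /pzi0/ path as the reported C2 URL, which the report itself does not show.

```python
"""Turn the XLoader config above into a hunting list.

Added example; not part of the sandbox report or of any extractor.
Config values are copied from the "Malware Config" section (decoy list
is a subset). The per-decoy URL layout (same /<campaign>/ path as the
reported C2) is this example's assumption, stated again below.
"""
import csv
import io
from urllib.parse import urlparse

# Values as reported for this sample.
FAMILY = "xloader"
VERSION = "2.5"
CAMPAIGN = "pzi0"
C2_URL = "http://www.buffstaff.com/pzi0/"
# Subset of the 64 decoy domains listed in the report.
DECOY_DOMAINS = [
    "laylmodest.com", "woruke.club", "metaverseslots.net", "syscogent.net",
    "xn--bellemre-60a.com", "zhuanzhuan9987.top", "karegcc.com",
]


def campaign_from_url(url):
    """Return the single path segment of a C2 URL, e.g. 'pzi0'.

    Raises ValueError when the URL does not have exactly one segment,
    i.e. the config does not follow the layout this example expects.
    """
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) != 1:
        raise ValueError(f"unexpected C2 path layout: {url!r}")
    return parts[0]


def decode_idn(domain):
    """Decode punycode (xn--) labels so the homograph form is visible."""
    return domain.encode("ascii").decode("idna")


def build_iocs(c2_url, decoys, campaign):
    """One record per host: the reported C2 first, then each decoy.

    Decoy URLs are derived by assumption (same /<campaign>/ path as the
    C2); the report only shows the C2 URL in full.
    """
    host = urlparse(c2_url).hostname
    if campaign_from_url(c2_url) != campaign:
        raise ValueError("C2 URL path does not match the campaign id")
    records = [{"kind": "c2", "domain": host, "display": decode_idn(host),
                "url": c2_url, "source": "reported"}]
    for d in decoys:
        if d == host:
            continue  # never double-count the C2 host as a decoy
        records.append({"kind": "decoy", "domain": d, "display": decode_idn(d),
                        "url": f"http://{d}/{campaign}/", "source": "derived"})
    return records


def to_csv(records):
    """Serialise the records for a blocklist or SIEM lookup table."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["kind", "domain", "display", "url", "source"])
    w.writeheader()
    w.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_iocs(C2_URL, DECOY_DOMAINS, CAMPAIGN)))
```

The `display` column is for analysts (it shows bellemère.com rather than xn--bellemre-60a.com); the `domain` and `url` columns feed the blocklist. Treat the decoy rows as DNS and proxy hunting terms, not as attributed infrastructure: this family pads its config with domains that have nothing to do with the operator, which is why the `source` column keeps reported and derived hosts apart.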
Signatures

Xloader Payload (3 IoCs)
resource                                                                     yara_rule
behavioral1/memory/1064-75-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/1064-76-0x000000000041D480-mapping.dmp                    xloader
behavioral1/memory/1308-84-0x00000000000C0000-0x00000000000E9000-memory.dmp  xloader

Blocklisted process makes network request (18 IoCs)
pid 1348 wscript.exe, flows 5, 7, 9, 13, 14, 15, 17, 18, 19, 21, 24, 29, 33, 37, 40, 44, 47, 50

Executes dropped EXE (2 IoCs)
pid   process
1144  business1.exe
1064  business1.exe

Drops startup file (2 IoCs)
wscript.exe  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js
wscript.exe  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js

Loads dropped DLL (1 IoC)
pid 1144 business1.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
wscript.exe  Key created      \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run
wscript.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\pYpNUJIEMR.js\""

Suspicious use of SetThreadContext (3 IoCs)
pid   process        target pid  target process
1144  business1.exe  1064        business1.exe
1064  business1.exe  1384        Explorer.EXE
1308  wlanext.exe    1384        Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic text for this signature. The sample is identified as XLoader, an information stealer, and the report shows no file-encryption activity, so the drive enumeration here is better read as host fingerprinting than as a ransomware indicator.

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid   process         hits
1036  powershell.exe  1
984   powershell.exe  1
1144  business1.exe   2
1064  business1.exe   2
1308  wlanext.exe     16

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process        hits
1064  business1.exe  3
1308  wlanext.exe    2

Suspicious use of AdjustPrivilegeToken (45 IoCs)
pid   process         tokens
1144  business1.exe   SeDebugPrivilege
1036  powershell.exe  SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the last three are numeric privilege values the sandbox did not map to names)
984   powershell.exe  the same 21 tokens as pid 1036
1064  business1.exe   SeDebugPrivilege
1308  wlanext.exe     SeDebugPrivilege
The broad token set on the two powershell.exe probes is routinely reported for powershell.exe start-up and is not specific to this sample; the sample-specific signal is SeDebugPrivilege on business1.exe and on the injected wlanext.exe.

Suspicious use of WriteProcessMemory (30 IoCs)
pid   process        target pid  target process  writes
1424  wscript.exe    1348        wscript.exe     3
1424  wscript.exe    1144        business1.exe   4
1144  business1.exe  1036        powershell.exe  4
1144  business1.exe  984         powershell.exe  4
1144  business1.exe  1064        business1.exe   7
1384  Explorer.EXE   1308        wlanext.exe     4
1308  wlanext.exe    928         cmd.exe         4
Processes

C:\Windows\Explorer.EXE  (PID 1384)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\system32\wscript.exe  (PID 1424)
  |     command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\KBH-209294916.js
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Windows\System32\wscript.exe  (PID 1348)
  |     |     command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\pYpNUJIEMR.js"
  |     |     (//B is batch mode: script errors and prompts are suppressed)
  |     |     - Blocklisted process makes network request
  |     |     - Drops startup file
  |     |     - Adds Run key to start application
  |     |
  |     +-- C:\Users\Admin\AppData\Local\Temp\business1.exe  (PID 1144)
  |           command line: "C:\Users\Admin\AppData\Local\Temp\business1.exe"
  |           - Executes dropped EXE
  |           - Loads dropped DLL
  |           - Suspicious use of SetThreadContext
  |           - Suspicious behavior: EnumeratesProcesses
  |           - Suspicious use of AdjustPrivilegeToken
  |           - Suspicious use of WriteProcessMemory
  |           |
  |           +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1036)
  |           |     command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.yahoo.com
  |           |     - Suspicious behavior: EnumeratesProcesses
  |           |     - Suspicious use of AdjustPrivilegeToken
  |           |
  |           +-- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 984)
  |           |     command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.bing.com
  |           |     - Suspicious behavior: EnumeratesProcesses
  |           |     - Suspicious use of AdjustPrivilegeToken
  |           |
  |           +-- C:\Users\Admin\AppData\Local\Temp\business1.exe  (PID 1064)
  |                 command line: C:\Users\Admin\AppData\Local\Temp\business1.exe
  |                 - Executes dropped EXE
  |                 - Suspicious use of SetThreadContext
  |                 - Suspicious behavior: EnumeratesProcesses
  |                 - Suspicious behavior: MapViewOfSection
  |                 - Suspicious use of AdjustPrivilegeToken
  |
  +-- C:\Windows\SysWOW64\wlanext.exe  (PID 1308)
        command line: "C:\Windows\SysWOW64\wlanext.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\cmd.exe  (PID 928)
              command line: /c del "C:\Users\Admin\AppData\Local\Temp\business1.exe"

Notes on the chain:
- The two powershell.exe probes are launched with a System32 path but run from SysWOW64: business1.exe is a 32-bit process, so WoW64 file-system redirection applies. Test-Connection against www.yahoo.com and www.bing.com is a connectivity check; in the report's event sequence the probes appear before the hollowed child (PID 1064) starts.
- business1.exe (1144) starts a second copy of itself (1064) and sets that copy's thread context, which together with the MapViewOfSection activity and the Xloader YARA hit at 0x400000-0x429000 in 1064 is consistent with process hollowing. 1064 then sets Explorer.EXE's thread context; Explorer.EXE spawns wlanext.exe (1308), which sets Explorer.EXE's thread context again and uses cmd.exe to delete the original business1.exe from Temp.
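The process tree and the Signatures section together describe one chain: a script host that installs persistence, a dropper that hollows a copy of itself, injection into Explorer.EXE, a system binary spawned by Explorer.EXE that deletes the dropper, and two PowerShell connectivity probes. The Python below is an added example, not the sandbox's own code, that encodes each of those steps as a detection rule and runs them over EVENTS, a record set constructed here to mirror the report's rows (process tree, SetThreadContext, Startup-folder write, Run-key value). The record schema, rule names and helper functions are this example's own.

```python
"""Detection rules for the execution chain in the process tree above.

Added example, not part of the sandbox report. EVENTS mirrors the report's
process tree, SetThreadContext rows, Startup-folder write and Run-key value;
the record schema is this example's own, not a sandbox or Sysmon format."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
ROAMING = r"C:\Users\Admin\AppData\Roaming"
BIZ = TEMP + r"\business1.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection '

EVENTS = [  # constructed from the report; ppid 0 marks the root
    {"type": "process", "pid": 1384, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "process", "pid": 1424, "ppid": 1384, "image": r"C:\Windows\system32\wscript.exe", "cmdline": rf"wscript.exe {TEMP}\KBH-209294916.js"},
    {"type": "process", "pid": 1348, "ppid": 1424, "image": r"C:\Windows\System32\wscript.exe", "cmdline": rf'"C:\Windows\System32\wscript.exe" //B "{ROAMING}\pYpNUJIEMR.js"'},
    {"type": "process", "pid": 1144, "ppid": 1424, "image": BIZ, "cmdline": f'"{BIZ}"'},
    {"type": "process", "pid": 1036, "ppid": 1144, "image": PS, "cmdline": PS_CMD + "www.yahoo.com"},
    {"type": "process", "pid": 984, "ppid": 1144, "image": PS, "cmdline": PS_CMD + "www.bing.com"},
    {"type": "process", "pid": 1064, "ppid": 1144, "image": BIZ, "cmdline": BIZ},
    {"type": "process", "pid": 1308, "ppid": 1384, "image": r"C:\Windows\SysWOW64\wlanext.exe", "cmdline": r'"C:\Windows\SysWOW64\wlanext.exe"'},
    {"type": "process", "pid": 928, "ppid": 1308, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": f'/c del "{BIZ}"'},
    {"type": "set_thread_context", "pid": 1144, "target": 1064},
    {"type": "set_thread_context", "pid": 1064, "target": 1384},
    {"type": "set_thread_context", "pid": 1308, "target": 1384},
    {"type": "file_create", "pid": 1348, "path": ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup\pYpNUJIEMR.js"},
    {"type": "reg_set", "pid": 1348, "key": r"HKU\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S", "value": f'"{ROAMING}\\pYpNUJIEMR.js"'},
]
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Temp\\", re.I)
SYSTEM_DIR = re.compile(r"\\Windows\\(SysWOW64|System32)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}

def rule_script_persistence(events):
    """Script host writing into the Startup folder, or a Run value pointing at a script file."""
    procs, out = processes(events), []
    for e in events:
        p = procs.get(e["pid"])
        if p is None or basename(p["image"]) not in SCRIPT_HOSTS:
            continue
        if e["type"] == "file_create" and "\\startup\\" in e["path"].lower():
            out.append(("startup_folder_script", e["pid"], e["path"]))
        elif (e["type"] == "reg_set" and "\\currentversion\\run\\" in e["key"].lower()
              and SCRIPT_EXT.search(e["value"])):
            out.append(("run_key_script", e["pid"], e["value"]))
    return out

def rule_self_hollowing(events):
    """Binary in a user-writable path spawns a copy of itself and rewrites that copy's thread
    context. A same-image child alone is noisy (wscript.exe does it here too); the thread-context
    event plus the user-writable path is what isolates process hollowing."""
    procs = processes(events)
    ctx = {(e["pid"], e["target"]) for e in events if e["type"] == "set_thread_context"}
    return [("self_hollowing", c["ppid"], c["pid"]) for c in procs.values()
            if c["ppid"] in procs and procs[c["ppid"]]["image"].lower() == c["image"].lower()
            and USER_WRITABLE.search(c["image"]) and (c["ppid"], c["pid"]) in ctx]

def rule_explorer_injection(events):
    """Non-explorer process setting explorer.exe's thread context. When the injector was itself
    spawned by explorer from a system directory, also collect the cmd.exe 'del' it runs
    (the dropper clean-up step of the chain)."""
    procs = processes(events)
    explorer = {pid for pid, p in procs.items() if basename(p["image"]) == "explorer.exe"}
    out = []
    for e in events:
        if e["type"] != "set_thread_context" or e["target"] not in explorer or e["pid"] in explorer:
            continue
        p, deleted = procs[e["pid"]], []
        if p["ppid"] in explorer and SYSTEM_DIR.search(p["image"]):
            for c in procs.values():
                if c["ppid"] == p["pid"] and basename(c["image"]) == "cmd.exe":
                    m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', c["cmdline"], re.I)
                    if m:
                        deleted.append(m.group(1))
        out.append(("explorer_injection", p["pid"], basename(p["image"]), deleted))
    return out

def rule_connectivity_probe(events):
    """powershell.exe connectivity test launched by a process that runs from a user-writable path."""
    procs, out = processes(events), []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if (basename(p["image"]) == "powershell.exe" and parent and USER_WRITABLE.search(parent["image"])
                and re.search(r"\b(test-connection|test-netconnection|ping)\b", p["cmdline"], re.I)):
            out.append(("connectivity_probe", p["pid"], parent["pid"], p["cmdline"].split()[-1]))
    return out

def run_all(events):
    """All rule findings keyed by rule name; a finding is a tuple so results are easy to compare."""
    return {"script_persistence": rule_script_persistence(events),
            "self_hollowing": rule_self_hollowing(events),
            "explorer_injection": rule_explorer_injection(events),
            "connectivity_probe": rule_connectivity_probe(events)}
```

Run against EVENTS, `run_all` reports the Startup-folder script and Run value from PID 1348, the 1144 to 1064 self-hollowing, the two explorer injections (1064 with no clean-up, 1308 with the `del` of business1.exe) and the two probes from 1144. The same conditions map onto process-create, file-create, registry-set and thread-access telemetry in a SIEM; the self-hollowing rule deliberately requires the thread-context event because a same-image child on its own (wscript.exe relaunching wscript.exe here) is benign.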
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\business1.exe
(dropped payload; the report lists this path four times with identical hashes, once without the drive letter)
MD5: 02210ee8684c318e39358bdb0e4f4956
SHA1: 6e8f72016e4977b587ddb5369bfbb9b79dc09104
SHA256: ff6941f913740a953c2878ab6bf852e5dfe92f5464f3ca41e86fbe6b6b3a1ef7
SHA512: 31de499132a35378320037c0c1a7598b3379919ce5cc42a73fe3e8afe84265f7733c94f5342d35041558092983840670c1a637ce0daceca5bedf91de0514bf96

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
(Windows jump-list record of the recently opened file, not a payload)
MD5: 2dc98df615c30ec0db90d58767d1eba3
SHA1: ac3d7ba1be985b4de8622fd85bf72becc458d06a
SHA256: 5fa1a80b1d40a88f67d31be0defaea9e02fd3a09422ef640328a1f7138283984
SHA512: 95fc164acfdd441ea4ffbe37a7feb77e589d2c3929c2ba88098ea3c010d5a21f9027b70da6cb6d55e2e96c5494f58dbf9b1ea9103162b642419afb5946a29424

C:\Users\Admin\AppData\Roaming\pYpNUJIEMR.js
(the script referenced by the SEJOKAOI5S Run value; a same-named file was also written to the Startup folder. Its hashes differ from the submitted KBH-209294916.js, so it is not a byte-identical copy of the sample)
MD5: 56394f31c4ebe4c2569a078dc11f8b59
SHA1: 72746e1bf2ab9def45d0bb3ecb09fbe42a132271
SHA256: 1e5307933ab0b9a516b099fd4ffbcd0a80cb057076fd932fe3d70b257191226a
SHA512: b06d914c1c658d67414be6332c8855e462c3b4e59dfeb3b8cac6dca882795448f6ea664cfa9e83c30b0a7354a959c521c892dd4e4aad390b001f304abb716ca1
Memory dumps (name and reported Filesize; mapping dumps carry no size, and the three Xloader YARA hits from the Signatures section are marked)

memory/928-85-0x0000000000000000-mapping.dmp
memory/984-67-0x0000000000000000-mapping.dmp
memory/1036-64-0x0000000000000000-mapping.dmp
memory/1036-65-0x0000000075B71000-0x0000000075B73000-memory.dmp  8KB
memory/1036-66-0x0000000002420000-0x000000000306A000-memory.dmp  12.3MB
memory/1064-73-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
memory/1064-74-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
memory/1064-75-0x0000000000400000-0x0000000000429000-memory.dmp  164KB  (Xloader YARA hit)
memory/1064-76-0x000000000041D480-mapping.dmp  (Xloader YARA hit)
memory/1064-79-0x0000000000980000-0x0000000000C83000-memory.dmp  3.0MB
memory/1064-80-0x0000000000180000-0x0000000000191000-memory.dmp  68KB
memory/1144-58-0x0000000000000000-mapping.dmp
memory/1144-61-0x0000000001350000-0x0000000001351000-memory.dmp  4KB
memory/1144-63-0x0000000004BD0000-0x0000000004BD1000-memory.dmp  4KB
memory/1144-70-0x0000000008560000-0x00000000085E1000-memory.dmp  516KB
memory/1144-71-0x0000000000E00000-0x0000000000E2C000-memory.dmp  176KB
memory/1308-82-0x0000000000000000-mapping.dmp
memory/1308-83-0x0000000000B00000-0x0000000000B16000-memory.dmp  88KB
memory/1308-84-0x00000000000C0000-0x00000000000E9000-memory.dmp  164KB  (Xloader YARA hit)
memory/1308-86-0x0000000001F20000-0x0000000002223000-memory.dmp  3.0MB
memory/1308-87-0x00000000008F0000-0x0000000000980000-memory.dmp  576KB
memory/1348-56-0x0000000000000000-mapping.dmp
memory/1384-81-0x00000000070A0000-0x0000000007179000-memory.dmp  868KB
memory/1384-88-0x0000000006AC0000-0x0000000006C03000-memory.dmp  1.3MB
memory/1424-55-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmp  8KB
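The dump names above encode pid, sequence number, address range and dump kind, and the YARA hits in the Signatures section refer to three of them. The Python below is an added example rather than the sandbox's own tooling: it parses the names, reproduces the report's Filesize rounding, ties each YARA hit to its process, resolves the 0x41D480 mapping address to the region that contains it, and compares the tagged regions across processes. The dump list is a subset of the listing, the function names are this example's own, and the rule that a region starting at 0x400000 is the process's own image is an assumption based on the default 32-bit PE image base, not something the report states.

```python
"""Tie the memory dumps listed above to the YARA hits and the process tree.

Added example, not part of the report. Dump names and YARA matches are
copied from this report (a subset of the listing); treating a region that
starts at 0x400000 as the process's own image is a 32-bit default-base
heuristic this example assumes, not something the report states.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^(?:behavioral1/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")
DEFAULT_IMAGE_BASE = 0x400000  # assumption, see module docstring

YARA_HITS = {  # from the "Xloader Payload" signature
    "behavioral1/memory/1064-75-0x0000000000400000-0x0000000000429000-memory.dmp": "xloader",
    "behavioral1/memory/1064-76-0x000000000041D480-mapping.dmp": "xloader",
    "behavioral1/memory/1308-84-0x00000000000C0000-0x00000000000E9000-memory.dmp": "xloader",
}
DUMPS = [  # subset of the dump listing
    "memory/1036-66-0x0000000002420000-0x000000000306A000-memory.dmp",
    "memory/1064-73-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1064-75-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/1064-76-0x000000000041D480-mapping.dmp",
    "memory/1064-79-0x0000000000980000-0x0000000000C83000-memory.dmp",
    "memory/1308-82-0x0000000000000000-mapping.dmp",
    "memory/1308-84-0x00000000000C0000-0x00000000000E9000-memory.dmp",
    "memory/1308-86-0x0000000001F20000-0x0000000002223000-memory.dmp",
    "memory/1384-81-0x00000000070A0000-0x0000000007179000-memory.dmp",
    "memory/1384-88-0x0000000006AC0000-0x0000000006C03000-memory.dmp",
]


def parse_dump(name):
    """Split '<pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp' into fields; size is 0 for mapping dumps."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": (end - start) if end is not None else 0}


def size_label(nbytes):
    """Same rounding the report's Filesize column uses: whole KB below 1 MiB, one decimal MB above."""
    return f"{nbytes / 1048576:.1f}MB" if nbytes >= 1048576 else f"{nbytes // 1024}KB"


def classify(region):
    if region["kind"] == "mapping":
        return "mapping address" if region["start"] else "mapping (no address)"
    if region["start"] == DEFAULT_IMAGE_BASE:
        return "own image"          # a payload YARA hit here means the image was hollowed
    return "separate allocation"    # payload here was written into a foreign process


def containing_region(addr, regions):
    """The memory region (same pid) whose range covers addr, or None."""
    return next((r for r in regions if r["kind"] == "memory" and r["start"] <= addr < r["end"]), None)


def correlate(dumps, yara_hits):
    """Group dumps by pid; tag YARA hits and resolve mapping addresses to the region holding them."""
    hits = {(d["pid"], d["seq"]): rule for n, rule in yara_hits.items() for d in [parse_dump(n)]}
    by_pid = defaultdict(list)
    for name in dumps:
        d = parse_dump(name)
        d["yara"] = hits.get((d["pid"], d["seq"]))
        d["role"] = classify(d)
        by_pid[d["pid"]].append(d)
    for regions in by_pid.values():
        for d in regions:
            host = containing_region(d["start"], regions) if d["kind"] == "mapping" and d["start"] else None
            d["inside"] = host["start"] if host else None
    return dict(by_pid)


def payload_regions(by_pid):
    """(pid, start, size) of each YARA-tagged memory region, for comparing the payload across processes."""
    return sorted((d["pid"], d["start"], d["size"])
                  for regs in by_pid.values() for d in regs if d["yara"] and d["kind"] == "memory")
```

The result worth reading is `payload_regions()`: both YARA-tagged regions are 0x29000 bytes (the report's 164KB), one at the default image base in PID 1064 (the hollowed business1.exe copy) and one at 0xC0000 in wlanext.exe (PID 1308), the same payload after injection into a system process. The 0x41D480 mapping dump falls inside the 1064 region, consistent with the thread start address being set into the hollowed image. Explorer.EXE (PID 1384) has dumps but no YARA hit in this report.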