Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-12-2021 12:11
- Static task: static1
- Behavioral task: behavioral1 (Sample: tmp/femvv.exe, Resource: win7-en-20211208)

General
- Target: tmp/femvv.exe
- Size: 412KB
- MD5: 0843bc912b1a4b9a4f41be4fb5f5b3ed
- SHA1: 68c8657051a0bb979d0c1db69be0488b844f391f
- SHA256: 777c86a17146921e06f4ac7ab01da50e0e3fa657160bcd49e8c99c63f3bf4de4
- SHA512: aaf2031984e113c4c179b7de211dec159c89b0b758f1869f5d19576188989c1b5fc26c96ffcb2cecbcc6be32c9b2f6f916ca55a05bfc9fecd99bb4a5094d203f
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: ef6c
- C2: http://www.fis.photos/ef6c/
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (2 alerts)
- Xloader Payload (3 IoCs)
  Processes (resource | yara_rule):
  behavioral1/memory/1992-62-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1992-63-0x000000000041D3D0-mapping.dmp | xloader
  behavioral1/memory/1392-72-0x0000000000110000-0x0000000000139000-memory.dmp | xloader
- Deletes itself (1 IoC)
  Processes (pid | process):
  1124 | cmd.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid | process | target process):
  PID 1320 set thread context of 1992 | 1320 | femvv.exe | femvv.exe
  PID 1992 set thread context of 1380 | 1992 | femvv.exe | Explorer.EXE
  PID 1392 set thread context of 1380 | 1392 | mstsc.exe | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes (pid | process):
  1320 | femvv.exe (2 entries)
  1992 | femvv.exe (2 entries)
  1392 | mstsc.exe (20 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid | process):
  1992 | femvv.exe (3 entries)
  1392 | mstsc.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 1320 | femvv.exe
  Token: SeDebugPrivilege | 1992 | femvv.exe
  Token: SeDebugPrivilege | 1392 | mstsc.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes (pid | process):
  1380 | Explorer.EXE (2 entries)
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes (pid | process):
  1380 | Explorer.EXE (2 entries)
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description | pid | process | target process):
  PID 1320 wrote to memory of 776 | 1320 | femvv.exe | femvv.exe (4 entries)
  PID 1320 wrote to memory of 812 | 1320 | femvv.exe | femvv.exe (4 entries)
  PID 1320 wrote to memory of 1992 | 1320 | femvv.exe | femvv.exe (7 entries)
  PID 1380 wrote to memory of 1392 | 1380 | Explorer.EXE | mstsc.exe (4 entries)
  PID 1392 wrote to memory of 1124 | 1392 | mstsc.exe | cmd.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - child: C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe"
  - child: C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe"
  - child: C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\mstsc.exe
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - child: C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\tmp\femvv.exe"
      - Deletes itself
Downloads
- memory/1124-70-0x0000000000000000-mapping.dmp
- memory/1320-57-0x0000000000520000-0x0000000000525000-memory.dmp (20KB)
- memory/1320-58-0x0000000007240000-0x0000000007241000-memory.dmp (4KB)
- memory/1320-59-0x0000000004690000-0x00000000046DA000-memory.dmp (296KB)
- memory/1320-55-0x00000000001C0000-0x00000000001C1000-memory.dmp (4KB)
- memory/1380-67-0x0000000006410000-0x0000000006525000-memory.dmp (1.1MB)
- memory/1380-75-0x0000000008D60000-0x0000000008EAA000-memory.dmp (1.3MB)
- memory/1392-74-0x0000000001FB0000-0x0000000002040000-memory.dmp (576KB)
- memory/1392-73-0x0000000002140000-0x0000000002443000-memory.dmp (3.0MB)
- memory/1392-72-0x0000000000110000-0x0000000000139000-memory.dmp (164KB)
- memory/1392-71-0x0000000000780000-0x0000000000884000-memory.dmp (1.0MB)
- memory/1392-68-0x0000000000000000-mapping.dmp
- memory/1392-69-0x0000000074B21000-0x0000000074B23000-memory.dmp (8KB)
- memory/1992-60-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/1992-66-0x0000000000190000-0x00000000001A1000-memory.dmp (68KB)
- memory/1992-64-0x0000000000950000-0x0000000000C53000-memory.dmp (3.0MB)
- memory/1992-63-0x000000000041D3D0-mapping.dmp
- memory/1992-62-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)
- memory/1992-61-0x0000000000400000-0x0000000000429000-memory.dmp (164KB)