Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-12-2021 09:37
Static task: static1
Behavioral task: behavioral1
Sample: PO26910193.js
Resource: win7-en-20211208
General
- Target: PO26910193.js
- Size: 715KB
- MD5: 471845f89fdc0d48bbbc4eef5513d5e2
- SHA1: e25a0ca1425e8bfcc8516e0e85ecaf8b5d99ecf2
- SHA256: 1103cc349deb9d738448ee8ba8f4189af39984f3e92a9adf1bafcda1d45bd652
- SHA512: 2605e7db46bd4e3435c3710ad2ab443525d9b94ead16a6fdb73756d8a9afba2c5a4792e2d625503b2ae19c944cb7c1e441f2b5dc9328573ea0a47ddfe0698ec6
Malware Config
Extracted
xloader
2.5
pzi0
http://www.buffstaff.com/pzi0/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes (resource / yara_rule):
- C:\Users\Admin\AppData\Local\Temp\wealth.exe: xloader
- C:\Users\Admin\AppData\Local\Temp\wealth.exe: xloader
- behavioral2/memory/3824-126-0x0000000000B40000-0x0000000000B69000-memory.dmp: xloader
Blocklisted process makes network request 18 IoCs
Processes (flow / pid / process):
- flows 9, 12, 17, 24, 31, 40, 49, 51, 57, 59, 61, 64, 68, 70, 75, 77, 81, 84: pid 852 wscript.exe
Executes dropped EXE 1 IoCs
Processes (pid / process):
- 1136 wealth.exe
Drops startup file 2 IoCs
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lPObwAVZjm.js (wscript.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lPObwAVZjm.js (wscript.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run (wscript.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\lPObwAVZjm.js\"" (wscript.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes (description / pid / process / target process):
- PID 1136 set thread context of 2712: wealth.exe -> Explorer.EXE
- PID 3824 set thread context of 2712: wlanext.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
Processes (pid / process):
- 1136 wealth.exe (4 entries)
- 3824 wlanext.exe (54 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid / process):
- 2712 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process):
- 1136 wealth.exe (3 entries)
- 3824 wlanext.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege 1136 wealth.exe
- Token: SeDebugPrivilege 3824 wlanext.exe
- Token: SeShutdownPrivilege 2712 Explorer.EXE
- Token: SeCreatePagefilePrivilege 2712 Explorer.EXE
- Token: SeShutdownPrivilege 2712 Explorer.EXE
- Token: SeCreatePagefilePrivilege 2712 Explorer.EXE
Suspicious use of WriteProcessMemory 11 IoCs
Processes (description / pid / process / target process):
- PID 2096 wrote to memory of 852: wscript.exe -> wscript.exe (2 entries)
- PID 2096 wrote to memory of 1136: wscript.exe -> wealth.exe (3 entries)
- PID 2712 wrote to memory of 3824: Explorer.EXE -> wlanext.exe (3 entries)
- PID 3824 wrote to memory of 2380: wlanext.exe -> cmd.exe (3 entries)
Processes
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\wscript.exe
    command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PO26910193.js
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\wscript.exe
      command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\lPObwAVZjm.js"
      - Blocklisted process makes network request
      - Drops startup file
      - Adds Run key to start application
    - [3] C:\Users\Admin\AppData\Local\Temp\wealth.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\wlanext.exe
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\wealth.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\wealth.exe
  MD5: 83481bf872730cd133669c5ea5b1be2b
  SHA1: fbd2369965b20f6bee09063aa454de13a18c71d3
  SHA256: 5d174dd08492f307e4b367e262f3e96b9beefb99f5abb11043ddf7142a18e9e8
  SHA512: 9080dc9bcdfba87ff3ecb3ba04af7a03dea2228f093fbb91149ff8825694601908ba85b2ce27a1de47ce1f6e263b03d96d80d43b7a4033051fbbac64fde7dc51
-
- C:\Users\Admin\AppData\Roaming\lPObwAVZjm.js
  MD5: cc4c347aa8b598d1187c6ac8220b645d
  SHA1: 9075dc46990744f92756bcf86493a1a85b45db97
  SHA256: b27ceeed7816086caa5d310dbf342d345d2a9367ee1455d2ccf19196f4c2fe6b
  SHA512: e9ae8851374c67c725f8a16ad2461497da793f56c73fff1bf89e1d4f3e3d48a110e01018d963aba843fd256c9cc9ab2950323b3ea93df422dbd20d348603cd03
- memory/852-115-0x0000000000000000-mapping.dmp
- memory/1136-120-0x0000000001860000-0x0000000001B80000-memory.dmp (Filesize: 3.1MB)
- memory/1136-121-0x0000000001340000-0x000000000148A000-memory.dmp (Filesize: 1.3MB)
- memory/1136-117-0x0000000000000000-mapping.dmp
- memory/2380-124-0x0000000000000000-mapping.dmp
- memory/2712-122-0x00000000023C0000-0x00000000024A9000-memory.dmp (Filesize: 932KB)
- memory/2712-129-0x0000000002540000-0x000000000261D000-memory.dmp (Filesize: 884KB)
- memory/3824-123-0x0000000000000000-mapping.dmp
- memory/3824-126-0x0000000000B40000-0x0000000000B69000-memory.dmp (Filesize: 164KB)
- memory/3824-125-0x0000000001200000-0x0000000001217000-memory.dmp (Filesize: 92KB)
- memory/3824-127-0x0000000003560000-0x0000000003880000-memory.dmp (Filesize: 3.1MB)
- memory/3824-128-0x00000000032B0000-0x0000000003340000-memory.dmp (Filesize: 576KB)