Analysis

Max time kernel: 149s
Max time network: 148s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 10-01-2022 07:00

Static task: static1
Behavioral task: behavioral1
Sample: DEC SOA_09012022.exe
Resource: win7-en-20211208
General

Target: DEC SOA_09012022.exe
Size: 373KB
MD5: 6046b2f34b67e06c817f4375c6d26a54
SHA1: 2230944a4216a07fde067866af7e81e1a52e8535
SHA256: 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512: 542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac
Malware Config

Extracted family: xloader
Version: 2.5
Campaign: igwa
C2 (65 domains):
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
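The domain list above is what a responder most often has to act on first. The following is an added example written for this report, not sandbox output: it normalises the extracted list and matches DNS query logs against it, handling the one punycode (xn--) entry so that a query logged in its Unicode form still matches. The DNS log lines are constructed; the domain list is the one shown above. One caveat worth carrying into any blocklist built from it: XLoader/FormBook configs mix a single live C2 into a list of decoy domains and the bot beacons to all of them, so a hit is strong evidence that a host is infected, but it does not by itself show that the matched domain is attacker-controlled infrastructure.

```python
"""Match DNS query logs against the XLoader 2.5 (campaign 'igwa') C2 list
extracted from this sample.  Added example, not part of the sandbox report;
SAMPLE_DNS_LOG is constructed, the domain list is copied from the report."""
from typing import Iterable, List, Optional, Tuple

C2_DOMAINS_RAW = """
listingswithalex.com funtabse.com aydenwalling.com prochal.net superfoodsnederland.com
moldluck.com dianekgordon.store regionalhomescommercial.com mysecuritymadesimple.com
malwaremastery.com kodaikeiko.com jrzg996.com agricurve.net songlingjiu.com
virginianundahfishingclub.com friendschance.com pastelpresents.com answertitles.com
survival-hunter.com nxfddl.com traditionnevertrend.com agrovessel.com unicorm.digital
cucumboy.com alemdogarimpo.com laraful.com hexwaa.com hanu21st.com knoycia.com
qishengxing.com gopipurespices.com fdkkrfidkdslsieofkld.info elephantspublications.online
valeriebeijing.com xn--42cg2czax6ptae6a.com 2shengman.com sfcshavedice.com ragworkhouse.com
stardomfrokch.xyz exoticcenterfold.com eventosartifice.com test-order-noren.com 110bao.com
face-pro.online freedomoff.com futuresep.com tremblock.com chocolat-gillotte.com speclove.com
ddflsl.com goodnewsmbc.net cloudtotaal.com goapps-auth.com ouch247max.com sabra-sd.com
luxuryneverhurt.art rxvendorpills.online ludowinners.online placemyorder.online skyrim.company
monsterlecturer.com controle-fiscal.com phoenixinjurylawyer.online nanoheadgames.com toposales.com
"""


def normalise(host: str) -> str:
    """Canonical form for comparison: lowercase, no trailing dot, and any
    Unicode (U-label) name converted to the xn-- A-label form that appears in
    the extracted config.  Python's built-in 'idna' codec leaves ASCII labels
    untouched and punycode-encodes non-ASCII ones."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


C2_DOMAINS = frozenset(normalise(d) for d in C2_DOMAINS_RAW.split())


def matching_c2(qname: str, domains: frozenset = C2_DOMAINS) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else
    None.  Walking label suffixes means 'www.funtabse.com' hits 'funtabse.com'
    while 'funtabse.com.lookalike.net' does not."""
    labels = normalise(qname).split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


# Constructed log lines: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = [
    "2022-01-10T07:01:12Z 10.0.0.25 www.funtabse.com A",
    "2022-01-10T07:01:13Z 10.0.0.25 update.microsoft.com A",
    "2022-01-10T07:01:14Z 10.0.0.25 XN--42CG2CZAX6PTAE6A.COM. A",
    "2022-01-10T07:01:15Z 10.0.0.31 malwaremastery.com.lookalike.net A",
]


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname_as_logged, matched_domain) for every query that
    hits the list.  An infected host beacons to many of these domains in a
    short window, so grouping hits by client is a useful clustering key."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        _, client, qname = parts[:3]
        c2 = matching_c2(qname)
        if c2:
            hits.append((client, qname, c2))
    return hits


if __name__ == "__main__":
    for client, qname, c2 in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 lookup: client={client} qname={qname} matched={c2}")
```

Feed it real resolver logs by replacing SAMPLE_DNS_LOG with the parsed query field of your DNS telemetry; the suffix walk is what keeps the match from being fooled by the listed domains appearing as a left-hand label of an unrelated name.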
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 alerts)

Xloader Payload (3 IoCs)
  behavioral1/memory/592-56-0x0000000000400000-0x0000000000429000-memory.dmp  yara: xloader
  behavioral1/memory/592-57-0x000000000041D440-mapping.dmp                    yara: xloader
  behavioral1/memory/744-64-0x0000000000080000-0x00000000000A9000-memory.dmp  yara: xloader

Deletes itself (1 IoC)
  PID 924   cmd.exe

Loads dropped DLL (1 IoC)
  PID 1520  DEC SOA_09012022.exe

Suspicious use of SetThreadContext (3 IoCs)
  PID 1520  DEC SOA_09012022.exe  set thread context of  PID 592   DEC SOA_09012022.exe
  PID 592   DEC SOA_09012022.exe  set thread context of  PID 1276  Explorer.EXE
  PID 744   systray.exe           set thread context of  PID 1276  Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's stock description for this signature adds "Likely ransomware behaviour", but drive enumeration is a generic heuristic that is also common host fingerprinting; the YARA hits and extracted config elsewhere in this report identify the payload as XLoader, an information stealer, not ransomware.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  PID 592   DEC SOA_09012022.exe  (2 events)
  PID 744   systray.exe           (29 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 1276  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 592   DEC SOA_09012022.exe  (3 events)
  PID 744   systray.exe           (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 592   DEC SOA_09012022.exe  Token: SeDebugPrivilege
  PID 744   systray.exe           Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 1276  Explorer.EXE  (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
  PID 1276  Explorer.EXE  (2 events)

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1520  DEC SOA_09012022.exe  wrote to memory of  PID 592   DEC SOA_09012022.exe  (7 events)
  PID 1276  Explorer.EXE          wrote to memory of  PID 744   systray.exe           (4 events)
  PID 744   systray.exe           wrote to memory of  PID 924   cmd.exe               (4 events)
Processes

C:\Windows\Explorer.EXE  (PID 1276)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe  (PID 1520)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe  (PID 592)
      command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe  (PID 744)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 924)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      - Deletes itself
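The process tree and the SetThreadContext/WriteProcessMemory signatures together describe a four-stage chain: the sample hollows a second copy of itself (1520 -> 592), that copy injects into Explorer.EXE (592 -> 1276), the injected Explorer launches a legitimate SysWOW64 binary and writes into it (1276 -> systray.exe 744), and that process finally runs cmd.exe /c del against the original file (744 -> 924). The following is an added example written for this report, not sandbox output: it encodes each stage as a check over process telemetry and runs them against a constructed, Sysmon-style rendering of exactly the PIDs, images and API calls listed above. The event field names are this example's own, not a vendor schema. Note that systray.exe itself is a legitimate Windows binary; what makes it suspicious is Explorer spawning it and then writing to its memory.

```python
"""Reconstruct the injection chain recorded in this report from process
telemetry.  Added example, not part of the sandbox report; EVENTS is a
constructed rendering of the PIDs, images and API calls the report lists."""
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"
SYSTRAY = r"C:\Windows\SysWOW64\systray.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed telemetry, in the order the report's process tree implies.
EVENTS = [
    {"type": "process_create", "pid": 1276, "ppid": 0, "image": EXPLORER, "cmdline": EXPLORER},
    {"type": "process_create", "pid": 1520, "ppid": 1276, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 592, "ppid": 1520, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 1520, "target": 592},
    {"type": "set_thread_context", "pid": 1520, "target": 592},
    {"type": "set_thread_context", "pid": 592, "target": 1276},
    {"type": "process_create", "pid": 744, "ppid": 1276, "image": SYSTRAY, "cmdline": f'"{SYSTRAY}"'},
    {"type": "write_process_memory", "pid": 1276, "target": 744},
    {"type": "set_thread_context", "pid": 744, "target": 1276},
    {"type": "process_create", "pid": 924, "ppid": 744, "image": CMD, "cmdline": f'/c del "{SAMPLE}"'},
    {"type": "write_process_memory", "pid": 744, "target": 924},
]

DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def process_table(events) -> Dict[int, dict]:
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def image_of(procs, pid: int) -> str:
    return procs.get(pid, {}).get("image", "")


def self_hollowing(events, procs) -> List[Tuple[int, int]]:
    """Stage 1: a parent writes into, then resets the thread context of, a
    child that runs the parent's own image (hollowing a copy of itself)."""
    wrote = {(e["pid"], e["target"]) for e in events if e["type"] == "write_process_memory"}
    return [(e["pid"], e["target"]) for e in events
            if e["type"] == "set_thread_context"
            and (e["pid"], e["target"]) in wrote
            and procs.get(e["target"], {}).get("ppid") == e["pid"]
            and basename(image_of(procs, e["pid"])) == basename(image_of(procs, e["target"]))]


def explorer_injection(events, procs) -> List[Tuple[int, str]]:
    """Stage 2 (and 3b): any other process resetting a thread context inside
    Explorer.EXE.  No legitimate software needs to do this."""
    return [(e["pid"], image_of(procs, e["pid"])) for e in events
            if e["type"] == "set_thread_context"
            and e["pid"] != e["target"]
            and basename(image_of(procs, e["target"])) == "explorer.exe"]


def explorer_staging(events, procs) -> List[Tuple[int, str]]:
    """Stage 3a: Explorer.EXE creates a child under \\Windows\\SysWOW64\\ and
    writes into it, i.e. the injected Explorer is staging its next host."""
    return [(e["target"], image_of(procs, e["target"])) for e in events
            if e["type"] == "write_process_memory"
            and basename(image_of(procs, e["pid"])) == "explorer.exe"
            and procs.get(e["target"], {}).get("ppid") == e["pid"]
            and "\\syswow64\\" in image_of(procs, e["target"]).lower()]


def self_delete(events, procs) -> List[Tuple[int, str]]:
    """Stage 4: cmd.exe /c del whose argument is the image of a process in
    the table, so the dropper erases itself once the payload lives elsewhere."""
    images = {p["image"].lower() for p in procs.values()}
    hits = []
    for e in events:
        if e["type"] != "process_create" or basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if m and m.group(1).lower() in images:
            hits.append((e["pid"], m.group(1)))
    return hits


def triage(events) -> dict:
    """Run every stage check and flag the full chain only when the hollowing,
    Explorer injection and self-deletion stages are all present."""
    procs = process_table(events)
    report = {
        "self_hollowing": self_hollowing(events, procs),
        "explorer_injection": explorer_injection(events, procs),
        "explorer_staging": explorer_staging(events, procs),
        "self_delete": self_delete(events, procs),
    }
    report["full_chain"] = all(report[k] for k in ("self_hollowing", "explorer_injection", "self_delete"))
    return report


if __name__ == "__main__":
    for stage, result in triage(EVENTS).items():
        print(f"{stage}: {result}")
```

Each check is deliberately narrow enough to be low-noise on its own (a parent resetting the thread context of a same-image child it just wrote to is rare outside packers and malware), and the full-chain verdict is what you would page on; a single stage firing is worth a hunt, not an alert.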
Network

MITRE ATT&CK Enterprise v6
Downloads

\Users\Admin\AppData\Local\Temp\nsiD2F9.tmp\rwxef.dll
  MD5: 52944a6532acdb2543a8f6076c5b1eeb
  SHA1: f01e61cd9d9b724e1d77851440493858c008100b
  SHA256: 5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e
  SHA512: b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a
  (an ns<hex>.tmp directory under %TEMP% is the plugin directory NSIS installers create; this is the only dropped DLL in the run and so the one the "Loads dropped DLL" signature on PID 1520 refers to)

Memory dumps (sizes as reported; the two 164KB regions in PID 592 and PID 744 are the ones the xloader YARA rule matched)
  memory/592-60-0x0000000000350000-0x0000000000361000-memory.dmp  68KB
  memory/592-56-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
  memory/592-57-0x000000000041D440-mapping.dmp
  memory/592-59-0x0000000000910000-0x0000000000C13000-memory.dmp  3.0MB
  memory/744-64-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
  memory/744-62-0x0000000000000000-mapping.dmp
  memory/744-63-0x00000000006D0000-0x00000000006D5000-memory.dmp  20KB
  memory/744-66-0x0000000001F60000-0x0000000002263000-memory.dmp  3.0MB
  memory/744-67-0x0000000000310000-0x00000000003A0000-memory.dmp  576KB
  memory/924-65-0x0000000000000000-mapping.dmp
  memory/1276-61-0x0000000006AF0000-0x0000000006C98000-memory.dmp  1.7MB
  memory/1276-68-0x0000000006510000-0x00000000065D1000-memory.dmp  772KB
  memory/1520-54-0x00000000766D1000-0x00000000766D3000-memory.dmp  8KB