Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211208
submitted: 10-01-2022 07:00

Static task: static1
Behavioral task: behavioral1
  Sample: DEC SOA_09012022.exe
  Resource: win7-en-20211208
General
Target: DEC SOA_09012022.exe
Size: 373KB
MD5: 6046b2f34b67e06c817f4375c6d26a54
SHA1: 2230944a4216a07fde067866af7e81e1a52e8535
SHA256: 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512: 542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign ID: igwa
C2 domains (65 entries; Xloader/Formbook configs mix the live C2 with decoy domains, many of them legitimate sites, so block and hunt on the list as a whole rather than assuming every entry is attacker-controlled):
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
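The domain list above is only useful once it is matched against telemetry. The following is an added example, not part of the sandbox report or the xloader sample, that turns a subset of the extracted C2 domains into a normalised watchlist and runs constructed DNS and proxy log lines against it. Assumptions: the two log formats are invented for the demonstration; the campaign ID "igwa" is assumed to appear as the first URI path segment of the HTTP check-in (the shape the ET "FormBook CnC Checkin (GET)" signature fires on); hosts are matched as the listed domain or any subdomain of it; the watchlist is a subset of the 65 entries, the full list being pasted in the same way in real use. The normalisation handles three things that defeat naive string comparison: case, the trailing dot DNS logs carry, and internationalised names that a proxy may log in Unicode form while the config stores the punycode A-label (as with xn--42cg2czax6ptae6a.com above).

```python
"""Watchlist matching for the xloader C2 domain list (added example)."""
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Subset of the 65 C2 domains the report extracted.
CONFIG_DOMAINS = [
    "listingswithalex.com",
    "funtabse.com",
    "malwaremastery.com",
    "xn--42cg2czax6ptae6a.com",   # IDN, stored in A-label (punycode) form
    "toposales.com",
    "nanoheadgames.com",
]
# Campaign identifier from the config. ASSUMPTION: it appears as the first
# path segment of the HTTP check-in URI.
CAMPAIGN_ID = "igwa"


def normalise_host(host: str) -> str:
    """Lower-case, strip a trailing DNS dot, convert U-labels to A-labels."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:        # malformed label: keep the lower-cased form
        return host


def build_watchlist(domains: Iterable[str]) -> frozenset:
    return frozenset(normalise_host(d) for d in domains)


def match_host(host: str, watchlist: frozenset) -> Optional[str]:
    """Return the watchlist entry that host equals or is a subdomain of."""
    labels = normalise_host(host).split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


# Constructed sample logs (not from the report). DNS format:
#   <ts> client=<ip> query=<name> type=<rr>
SAMPLE_DNS_LOG = [
    "2022-01-10T07:01:12Z client=10.0.0.23 query=listingswithalex.com. type=A",
    "2022-01-10T07:01:13Z client=10.0.0.23 query=XN--42CG2CZAX6PTAE6A.COM. type=A",
    "2022-01-10T07:01:14Z client=10.0.0.23 query=windowsupdate.microsoft.com. type=A",
]
# Proxy format: <client> <method> <url> <status>
SAMPLE_PROXY_LOG = [
    "10.0.0.23 GET http://funtabse.com/igwa/?Xx=abc 200",
    "10.0.0.23 GET http://www.malwaremastery.com/news/ 200",
    "10.0.0.23 GET http://cdn.example.net/lib.js 200",
]


def scan_dns(lines: Iterable[str], watchlist: frozenset) -> List[Tuple[str, str, str]]:
    """(client, normalised query, matched entry) for every watchlisted query."""
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        matched = match_host(fields["query"], watchlist)
        if matched:
            hits.append((fields["client"], normalise_host(fields["query"]), matched))
    return hits


def scan_proxy(lines: Iterable[str], watchlist: frozenset,
               campaign: str = CAMPAIGN_ID) -> List[Dict[str, object]]:
    """Requests to watchlisted hosts. 'checkin' marks a GET whose first path
    segment equals the campaign ID (assumed check-in shape, see lead-in)."""
    hits = []
    for line in lines:
        client, method, url, _status = line.split()
        parts = urlsplit(url)
        matched = match_host(parts.hostname or "", watchlist)
        if not matched:
            continue
        first_segment = parts.path.strip("/").split("/", 1)[0]
        hits.append({
            "client": client,
            "host": normalise_host(parts.hostname),
            "matched": matched,
            "checkin": method == "GET" and first_segment == campaign,
        })
    return hits


if __name__ == "__main__":
    wl = build_watchlist(CONFIG_DOMAINS)
    for hit in scan_dns(SAMPLE_DNS_LOG, wl):
        print("DNS ", hit)
    for hit in scan_proxy(SAMPLE_PROXY_LOG, wl):
        print("HTTP", hit)
```

Subdomain matching is deliberate: a hit on www.malwaremastery.com should still resolve to the listed registered domain, while malwaremastery.com.evil.net must not, which is why the candidate walk strips labels from the left only.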
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
  behavioral2/memory/3584-116-0x0000000000400000-0x0000000000429000-memory.dmp  yara_rule: xloader
  behavioral2/memory/3584-117-0x000000000041D440-mapping.dmp  yara_rule: xloader
  behavioral2/memory/3668-124-0x0000000000760000-0x0000000000789000-memory.dmp  yara_rule: xloader
Loads dropped DLL 1 IoCs
Processes:
  pid 3292  DEC SOA_09012022.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 3292 set thread context of 3584  DEC SOA_09012022.exe -> DEC SOA_09012022.exe
  PID 3584 set thread context of 3052  DEC SOA_09012022.exe -> Explorer.EXE
  PID 3668 set thread context of 3052  chkdsk.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; for an Xloader/Formbook stealer it is drive enumeration, and nothing else in this report (no file writes beyond the dropped DLL, no ransom note) points to encryption.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe
Suspicious behavior: EnumeratesProcesses 62 IoCs
Processes:
  pid 3584  DEC SOA_09012022.exe  (4 entries)
  pid 3668  chkdsk.exe  (remaining 58 of the 62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid 3052  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid 3584  DEC SOA_09012022.exe  (3 entries)
  pid 3668  chkdsk.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeDebugPrivilege  pid 3584  DEC SOA_09012022.exe
  Token: SeDebugPrivilege  pid 3668  chkdsk.exe
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  PID 3292 wrote to memory of 3584  DEC SOA_09012022.exe -> DEC SOA_09012022.exe  (6 entries)
  PID 3052 wrote to memory of 3668  Explorer.EXE -> chkdsk.exe  (3 entries)
  PID 3668 wrote to memory of 3888  chkdsk.exe -> cmd.exe  (3 entries)
Processes
C:\Windows\Explorer.EXE  (depth 1, PID 3052)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe  (depth 2, PID 3292)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe  (depth 3, PID 3584)
      command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe  (depth 2, PID 3668)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 3, PID 3888)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
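Read together, the SetThreadContext and WriteProcessMemory tables and the process tree describe one chain: the dropper (3292) writes into and redirects a child copy of itself (3584), that copy hijacks a thread in Explorer.EXE (3052), the compromised shell launches chkdsk.exe from SysWOW64 (3668) and writes into it, chkdsk.exe hijacks Explorer again and finally spawns cmd.exe (3888) to delete the original file. The following is an added example, not the sandbox's own detection logic, that encodes those four rules and runs them over an event list constructed from the report. Assumptions: the event list collapses the repeated table rows to one entry per source/target pair and orders them as the chain implies; CreateProcess events are taken from the tree's parent/child layout; the rule names, the `Event` type, the C:\ paths and the system-directory prefixes are this example's own. The MapViewOfSection hits, which the report lists without a target, are not used.

```python
"""Reconstruct the injection chain from sandbox API events (added example)."""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    api: str            # "CreateProcess", "WriteProcessMemory" or "SetThreadContext"
    pid: int
    image: str
    target_pid: int
    target_image: str
    cmdline: str = ""   # only filled for CreateProcess


SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DEC SOA_09012022.exe"
EXPLORER = "C:\\Windows\\Explorer.EXE"
CHKDSK = "C:\\Windows\\SysWOW64\\chkdsk.exe"
CMD = "C:\\Windows\\SysWOW64\\cmd.exe"

# Constructed from the report: parent/child links from the process tree,
# WriteProcessMemory and SetThreadContext pairs from the signature tables,
# one entry per source/target pair.
EVENTS = [
    Event("CreateProcess", 3052, EXPLORER, 3292, SAMPLE),
    Event("CreateProcess", 3292, SAMPLE, 3584, SAMPLE),
    Event("WriteProcessMemory", 3292, SAMPLE, 3584, SAMPLE),
    Event("SetThreadContext", 3292, SAMPLE, 3584, SAMPLE),
    Event("SetThreadContext", 3584, SAMPLE, 3052, EXPLORER),
    Event("CreateProcess", 3052, EXPLORER, 3668, CHKDSK),
    Event("WriteProcessMemory", 3052, EXPLORER, 3668, CHKDSK),
    Event("SetThreadContext", 3668, CHKDSK, 3052, EXPLORER),
    Event("CreateProcess", 3668, CHKDSK, 3888, CMD, cmdline='/c del "' + SAMPLE + '"'),
    Event("WriteProcessMemory", 3668, CHKDSK, 3888, CMD),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # assumed layout


def basename(path: str) -> str:
    return ntpath.basename(path).lower()      # ntpath: works on Windows paths anywhere


def is_system_binary(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def analyse(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Return (rule, source_pid, target_pid) findings in event order."""
    parent: Dict[int, int] = {e.target_pid: e.pid for e in events if e.api == "CreateProcess"}
    wrote: Set[Tuple[int, int]] = {(e.pid, e.target_pid) for e in events
                                   if e.api == "WriteProcessMemory"}
    hollowed: Set[str] = set()        # images that were hollowed, for the self-delete rule
    findings: List[Tuple[str, int, int]] = []
    for e in events:
        pair = (e.pid, e.target_pid)
        if e.api == "SetThreadContext":
            # Hollowing: write into a child of the same image, then redirect its thread.
            if (pair in wrote and parent.get(e.target_pid) == e.pid
                    and e.image.lower() == e.target_image.lower()):
                findings.append(("process_hollowing", *pair))
                hollowed.add(e.target_image.lower())
            # Thread hijack of the shell from anything that is not the shell itself.
            elif basename(e.target_image) == "explorer.exe" and basename(e.image) != "explorer.exe":
                findings.append(("explorer_thread_hijack", *pair))
        elif e.api == "CreateProcess":
            # The injected shell launches a Windows utility and writes into it.
            if (basename(e.image) == "explorer.exe" and is_system_binary(e.target_image)
                    and pair in wrote):
                findings.append(("explorer_spawns_and_writes_system_binary", *pair))
            # cmd.exe /c del <hollowed image>: the original dropper removes itself.
            cmd = e.cmdline.lower()
            if (basename(e.target_image) == "cmd.exe" and " del " in cmd
                    and any(img in cmd for img in hollowed)):
                findings.append(("dropper_self_delete", *pair))
    return findings


if __name__ == "__main__":
    for rule, src, dst in analyse(EVENTS):
        print(f"{rule:40} {src} -> {dst}")
```

The hollowing rule requires all three signals (parent relationship, a write, and a thread-context change on a same-image child); a SetThreadContext on a child without a preceding write is a debugger-style pattern and is not reported, which keeps the rule from firing on legitimate self-relaunching installers.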
Network
MITRE ATT&CK Enterprise v6
Downloads
\Users\Admin\AppData\Local\Temp\nskF687.tmp\rwxef.dll
  MD5: 52944a6532acdb2543a8f6076c5b1eeb
  SHA1: f01e61cd9d9b724e1d77851440493858c008100b
  SHA256: 5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e
  SHA512: b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a
  (an ns*.tmp directory under %TEMP% holding a small DLL is the layout NSIS installers use for extracted plugins; this is the only dropped file the report lists and matches the "Loads dropped DLL" hit for PID 3292)
memory/3052-128-0x0000000002910000-0x0000000002A00000-memory.dmp  Filesize: 960KB
memory/3052-121-0x0000000004E10000-0x0000000004F97000-memory.dmp  Filesize: 1.5MB
memory/3584-116-0x0000000000400000-0x0000000000429000-memory.dmp  Filesize: 164KB
memory/3584-117-0x000000000041D440-mapping.dmp
memory/3584-120-0x00000000008E0000-0x00000000008F1000-memory.dmp  Filesize: 68KB
memory/3584-119-0x0000000000950000-0x0000000000C70000-memory.dmp  Filesize: 3.1MB
memory/3668-122-0x0000000000000000-mapping.dmp
memory/3668-124-0x0000000000760000-0x0000000000789000-memory.dmp  Filesize: 164KB
memory/3668-126-0x0000000005210000-0x0000000005530000-memory.dmp  Filesize: 3.1MB
memory/3668-127-0x0000000004F60000-0x0000000004FF0000-memory.dmp  Filesize: 576KB
memory/3668-123-0x0000000000A60000-0x0000000000A6A000-memory.dmp  Filesize: 40KB
memory/3888-125-0x0000000000000000-mapping.dmp