Analysis
max time kernel: 148s
max time network: 148s
platform: windows7_x64
resource: win7-en-20211208
submitted: 10-01-2022 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: DEC SOA_09012022.exe
  Resource: win7-en-20211208
General
Target: DEC SOA_09012022.exe
Size: 373KB
MD5: 6046b2f34b67e06c817f4375c6d26a54
SHA1: 2230944a4216a07fde067866af7e81e1a52e8535
SHA256: 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
SHA512: 542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac
Malware Config (extracted)
Family: xloader
Version: 2.5
Campaign ID: igwa
C2 domains (65):
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
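The extracted config is the actionable part of this report: 65 candidate C2 domains for Xloader 2.5, campaign igwa. The script below is an added example, not output of the sandbox and not code from the malware's authors. It turns a subset of the list into Suricata dns.query rules and runs a label-boundary matcher over DNS query log lines; the log format, the client addresses and the sid range starting at 9000000 are assumptions made for the example.

```python
"""Detection content from the extracted Xloader C2 list, plus a matcher for
DNS query logs.  Added example; the domain subset is copied from this report,
the log lines are constructed, and the sid range is an assumption."""
import re

# Subset of the 65 domains in the extracted config (campaign igwa, v2.5).
XLOADER_C2 = """\
listingswithalex.com
funtabse.com
xn--42cg2czax6ptae6a.com
placemyorder.online
goapps-auth.com
"""

# Constructed query log: timestamp, client, qtype, qname.  The last two lines
# are deliberate near-misses that a substring match would wrongly flag.
DNS_LOG = """\
2022-01-10T12:18:03Z 10.0.0.5 A www.listingswithalex.com
2022-01-10T12:18:04Z 10.0.0.5 A update.microsoft.com
2022-01-10T12:18:09Z 10.0.0.7 A FUNTABSE.COM.
2022-01-10T12:18:11Z 10.0.0.9 A placemyorder.online.lookalike.example
2022-01-10T12:18:12Z 10.0.0.9 A notgoapps-auth.com
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def normalize(name):
    """Lower-case and drop the trailing dot so 'FUNTABSE.COM.' == 'funtabse.com'."""
    return name.strip().lower().rstrip(".")


def load_domains(text):
    return {normalize(d) for d in text.splitlines() if d.strip()}


def matches(qname, domains):
    """Exact or label-boundary suffix match: www.x.com hits x.com,
    notx.com and x.com.other.tld do not."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_dns_log(log, domains):
    """Return (client, qname) for every query that resolves a C2 domain."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _qtype, qname = m.groups()
        if matches(qname, domains):
            hits.append((client, normalize(qname)))
    return hits


def suricata_rules(domains, sid_base=9000000):
    """One dns.query rule per domain.  'endswith' catches the apex and any
    subdomain but does not enforce a label boundary, so pair these with the
    stricter matcher above when triaging hits."""
    rules = []
    for n, d in enumerate(sorted(domains)):
        rules.append(
            f'alert dns any any -> any any (msg:"Xloader igwa C2 domain {d}"; '
            f'dns.query; content:"{d}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    doms = load_domains(XLOADER_C2)
    for client, qname in scan_dns_log(DNS_LOG, doms):
        print(f"{client} queried C2 domain {qname}")
    print("\n".join(suricata_rules(doms)))
```

Formbook and Xloader configs are known to pad the real C2 with decoy domains, so a single DNS hit is a lead to pivot on (which host, which process, what HTTP followed), not proof of a live beacon; the page's own "FormBook CnC Checkin (GET)" Suricata alert is the HTTP-layer confirmation.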
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)  (alert fired twice)

Xloader Payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1096-55-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
  behavioral1/memory/1096-56-0x000000000041D440-mapping.dmp                    xloader
  behavioral1/memory/472-65-0x00000000000C0000-0x00000000000E9000-memory.dmp   xloader

Deletes itself (1 IoC)
  pid   process
  1000  cmd.exe

Loads dropped DLL (1 IoC)
  pid   process
  956   DEC SOA_09012022.exe

Suspicious use of SetThreadContext (3 IoCs)
  pid   process               target pid  target process
  956   DEC SOA_09012022.exe  1096        DEC SOA_09012022.exe
  1096  DEC SOA_09012022.exe  1300        Explorer.EXE
  472   raserver.exe          1300        Explorer.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for an Xloader/Formbook stealer it is more consistent with host profiling, and no file-encryption activity appears anywhere else in this report.
Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid   process               hits
  1096  DEC SOA_09012022.exe  2
  472   raserver.exe          29

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1300  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process               hits
  1096  DEC SOA_09012022.exe  3
  472   raserver.exe          2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  token             pid   process
  SeDebugPrivilege  1096  DEC SOA_09012022.exe
  SeDebugPrivilege  472   raserver.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process       hits
  1300  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process       hits
  1300  Explorer.EXE  2

Suspicious use of WriteProcessMemory (15 IoCs)
  pid   process               target pid  target process         writes
  956   DEC SOA_09012022.exe  1096        DEC SOA_09012022.exe   7
  1300  Explorer.EXE          472         raserver.exe           4
  472   raserver.exe          1000        cmd.exe                4
Processes
(indentation is the process tree; pids are taken from the signature tables above)

C:\Windows\Explorer.EXE  (pid 1300)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe  (pid 956)
    command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe  (pid 1096)
      command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autoconv.exe  (pid not recorded in the signature tables)
    command line: "C:\Windows\SysWOW64\autoconv.exe"

  C:\Windows\SysWOW64\raserver.exe  (pid 472)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (pid 1000)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      - Deletes itself
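Read together, the SetThreadContext, WriteProcessMemory and process-tree entries describe one injection chain: the dropper (956) writes into and sets the thread context of a suspended copy of itself (1096), that copy hijacks a thread in Explorer.EXE (1300), the injected shell writes into a freshly launched raserver.exe (472) from SysWOW64, raserver.exe sets the thread context of Explorer again and spawns cmd.exe (1000) to delete the original file. The script below is an added example, not sandbox code: it rebuilds that chain from the report's rows. The event lines are constructed from the tables above with the repeated writes collapsed, and the labelling rule (write plus SetThreadContext on a same-image child is hollowing; SetThreadContext on a foreign process is a thread hijack) is a reviewer heuristic, not something the sandbox states.

```python
"""Reconstruct the injection chain from the report's SetThreadContext and
WriteProcessMemory signature rows.  Added example; the pid map and the event
lines are constructed from the tables on this page."""
import re
from collections import defaultdict

# pid -> image name, as listed in the signature tables (constructed from the report)
PROCESSES = {
    956: "DEC SOA_09012022.exe",   # dropper, loads the dropped DLL
    1096: "DEC SOA_09012022.exe",  # second instance of the same image
    1300: "Explorer.EXE",          # shell, SetThreadContext target
    472: "raserver.exe",           # SysWOW64 binary written to by Explorer
    1000: "cmd.exe",               # runs the self-delete command
}

# One line per distinct table row; the report repeats each write several
# times because every WriteProcessMemory call is logged.
EVENTS = """\
PID 956 wrote to memory of 1096
PID 956 set thread context of 1096
PID 1096 set thread context of 1300
PID 1300 wrote to memory of 472
PID 472 set thread context of 1300
PID 472 wrote to memory of 1000
"""

EVENT_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)$")


def parse_events(text):
    """Map (src_pid, dst_pid) -> set of primitives ('write', 'ctx') seen on that edge."""
    edges = defaultdict(set)
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        src, action, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edges[(src, dst)].add("write" if action.startswith("wrote") else "ctx")
    return dict(edges)


def classify(edges, procs):
    """Label each edge with the technique its primitives imply (reviewer heuristic)."""
    labels = {}
    for (src, dst), prims in edges.items():
        same_image = procs[src] == procs[dst]
        if {"write", "ctx"} <= prims and same_image:
            labels[(src, dst)] = "hollow"          # RunPE into a suspended copy of self
        elif "ctx" in prims:
            labels[(src, dst)] = "thread_hijack"   # SetThreadContext on a foreign process
        else:
            labels[(src, dst)] = "write_only"      # parent writing into a child it launched
    return labels


def injected_spawners(edges):
    """Processes that were hijacked (a ctx target) and then write into a new
    child: the hand-off where the injected shell launches a system binary."""
    hijacked = {dst for (_, dst), prims in edges.items() if "ctx" in prims}
    return sorted((src, dst) for (src, dst), prims in edges.items()
                  if src in hijacked and "write" in prims)


def walk(edges, procs):
    """Depth-first walk from the process that is never a target (the dropper),
    returning (depth, pid, image) in chain order; revisits are suppressed."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    path, seen = [], set()

    def visit(pid, depth):
        if pid in seen:
            return
        seen.add(pid)
        path.append((depth, pid, procs[pid]))
        for dst in sorted(children[pid]):
            visit(dst, depth + 1)

    for root in roots:
        visit(root, 0)
    return path


if __name__ == "__main__":
    edges = parse_events(EVENTS)
    for (src, dst), label in sorted(classify(edges, PROCESSES).items()):
        print(f"{src:>5} -> {dst:<5} {label:14} {PROCESSES[src]} -> {PROCESSES[dst]}")
    for depth, pid, name in walk(edges, PROCESSES):
        print("  " * depth + f"{name} ({pid})")
```

The "write_only" edge from 1300 to 472 is the one worth a hunt query: Explorer.EXE writing into a SysWOW64 process it just started is not normal shell behaviour, and on this page it is the step that moves execution from the deleted dropper into a living system binary.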
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nstA7A6.tmp\rwxef.dll  (NSIS temporary plugin directory; the only dropped DLL in this run)
  MD5: 52944a6532acdb2543a8f6076c5b1eeb
  SHA1: f01e61cd9d9b724e1d77851440493858c008100b
  SHA256: 5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e
  SHA512: b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a

memory dumps (pid-sequence-range)                                 size
memory/472-67-0x0000000001C90000-0x0000000001D20000-memory.dmp    576KB
memory/472-65-0x00000000000C0000-0x00000000000E9000-memory.dmp    164KB  (yara: xloader)
memory/472-66-0x0000000001E20000-0x0000000002123000-memory.dmp    3.0MB
memory/472-64-0x00000000002D0000-0x00000000002EC000-memory.dmp    112KB
memory/472-61-0x0000000000000000-mapping.dmp
memory/956-53-0x0000000075D11000-0x0000000075D13000-memory.dmp    8KB
memory/1000-63-0x0000000000000000-mapping.dmp
memory/1096-56-0x000000000041D440-mapping.dmp                     (yara: xloader)
memory/1096-59-0x0000000000490000-0x00000000004A1000-memory.dmp   68KB
memory/1096-57-0x0000000000700000-0x0000000000A03000-memory.dmp   3.0MB
memory/1096-55-0x0000000000400000-0x0000000000429000-memory.dmp   164KB  (yara: xloader)
memory/1300-60-0x0000000006970000-0x0000000006B02000-memory.dmp   1.6MB
memory/1300-68-0x00000000073B0000-0x0000000007508000-memory.dmp   1.3MB
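The dump names in the Downloads section encode pid, sequence number and address range, so the reported sizes can be recomputed and regions compared across processes. The script below is an added example, not part of the report: it parses the names, reproduces the sizes shown above, finds region sizes that occur in more than one pid (the two 164KB regions the xloader rule tagged, at image base 0x400000 in 1096 and at 0xC0000 in 472, and the two 3.0MB regions), and checks that the 0x41D440 address of the 1096 mapping dump lies inside the 164KB region. Treating that mapping-dump address as the thread start address the sandbox captured is an assumption.

```python
"""Parse the sandbox's memory-dump names, recompute sizes and correlate
regions across processes.  Added example; the dump names are copied from
this report's Downloads section."""
import re
from collections import defaultdict

DUMPS = """\
memory/472-67-0x0000000001C90000-0x0000000001D20000-memory.dmp
memory/472-65-0x00000000000C0000-0x00000000000E9000-memory.dmp
memory/472-66-0x0000000001E20000-0x0000000002123000-memory.dmp
memory/472-64-0x00000000002D0000-0x00000000002EC000-memory.dmp
memory/472-61-0x0000000000000000-mapping.dmp
memory/956-53-0x0000000075D11000-0x0000000075D13000-memory.dmp
memory/1000-63-0x0000000000000000-mapping.dmp
memory/1096-56-0x000000000041D440-mapping.dmp
memory/1096-59-0x0000000000490000-0x00000000004A1000-memory.dmp
memory/1096-57-0x0000000000700000-0x0000000000A03000-memory.dmp
memory/1096-55-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1300-60-0x0000000006970000-0x0000000006B02000-memory.dmp
memory/1300-68-0x00000000073B0000-0x0000000007508000-memory.dmp
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_regions(text):
    """pid, sequence, start, end and size for every <pid>-<seq>-<start>-<end>-memory.dmp."""
    regions = []
    for line in text.splitlines():
        m = REGION_RE.match(line.strip())
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]),
                            "start": start, "end": end, "size": end - start})
    return regions


def parse_mappings(text):
    """pid -> address for mapping dumps with a non-zero address (assumed here
    to be the thread start address the sandbox captured at injection time)."""
    out = {}
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if m and int(m[3], 16):
            out[int(m[1])] = int(m[3], 16)
    return out


def human(nbytes):
    """Same rounding the report uses: whole KB below 1 MB, one decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes / 1024:.0f}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def shared_sizes(regions):
    """Region sizes present in more than one pid: the same unpacked blob
    mapped into several processes."""
    by_size = defaultdict(set)
    for r in regions:
        by_size[r["size"]].add(r["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def region_containing(regions, pid, addr):
    """The dumped region of `pid` that contains `addr`, or None."""
    for r in regions:
        if r["pid"] == pid and r["start"] <= addr < r["end"]:
            return r
    return None


if __name__ == "__main__":
    regs = parse_regions(DUMPS)
    for r in regs:
        print(f"pid {r['pid']:>4} seq {r['seq']:>2} "
              f"0x{r['start']:08X}-0x{r['end']:08X} {human(r['size'])}")
    print("shared sizes:", {human(s): p for s, p in shared_sizes(regs).items()})
    for pid, addr in parse_mappings(DUMPS).items():
        r = region_containing(regs, pid, addr)
        where = f"0x{r['start']:X}-0x{r['end']:X}" if r else "no dumped region"
        print(f"pid {pid} start address 0x{addr:X} lies in {where}")
```

The 164KB match is the useful one for triage: the same payload size at the image base of the hollowed child and at a low, non-image address in raserver.exe says the unpacked Xloader body was copied as-is into the second process, so one of those two dumps is enough for static analysis and config extraction.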