Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 10-01-2022 12:17
Static task: static1
Behavioral task: behavioral1
- Sample: DEC SOA_09012022.exe
- Resource: win7-en-20211208
General
- Target: DEC SOA_09012022.exe
- Size: 373KB
- MD5: 6046b2f34b67e06c817f4375c6d26a54
- SHA1: 2230944a4216a07fde067866af7e81e1a52e8535
- SHA256: 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
- SHA512: 542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign ID: igwa
- C2 domains (an Xloader config carries decoy domains alongside the live C2, so not every entry below is attacker infrastructure):
listingswithalex.com
funtabse.com
aydenwalling.com
prochal.net
superfoodsnederland.com
moldluck.com
dianekgordon.store
regionalhomescommercial.com
mysecuritymadesimple.com
malwaremastery.com
kodaikeiko.com
jrzg996.com
agricurve.net
songlingjiu.com
virginianundahfishingclub.com
friendschance.com
pastelpresents.com
answertitles.com
survival-hunter.com
nxfddl.com
traditionnevertrend.com
agrovessel.com
unicorm.digital
cucumboy.com
alemdogarimpo.com
laraful.com
hexwaa.com
hanu21st.com
knoycia.com
qishengxing.com
gopipurespices.com
fdkkrfidkdslsieofkld.info
elephantspublications.online
valeriebeijing.com
xn--42cg2czax6ptae6a.com
2shengman.com
sfcshavedice.com
ragworkhouse.com
stardomfrokch.xyz
exoticcenterfold.com
eventosartifice.com
test-order-noren.com
110bao.com
face-pro.online
freedomoff.com
futuresep.com
tremblock.com
chocolat-gillotte.com
speclove.com
ddflsl.com
goodnewsmbc.net
cloudtotaal.com
goapps-auth.com
ouch247max.com
sabra-sd.com
luxuryneverhurt.art
rxvendorpills.online
ludowinners.online
placemyorder.online
skyrim.company
monsterlecturer.com
controle-fiscal.com
phoenixinjurylawyer.online
nanoheadgames.com
toposales.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 4 IoCs
resource | yara_rule
behavioral2/memory/1028-116-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral2/memory/1028-117-0x000000000041D440-mapping.dmp | xloader
behavioral2/memory/3924-124-0x0000000000A70000-0x0000000000A99000-memory.dmp | xloader
behavioral2/memory/688-138-0x000000000041D440-mapping.dmp | xloader
-
Executes dropped EXE 2 IoCs
Processes:
pid | process
2648 | helpxzbxnrbp.exe
688 | helpxzbxnrbp.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid | process
912 | DEC SOA_09012022.exe
2648 | helpxzbxnrbp.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | msdt.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9R8XRRHX6RG = "C:\\Program Files (x86)\\Qblq\\helpxzbxnrbp.exe" | msdt.exe
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 912 set thread context of 1028 | 912 | DEC SOA_09012022.exe | DEC SOA_09012022.exe
PID 1028 set thread context of 3056 | 1028 | DEC SOA_09012022.exe | Explorer.EXE
PID 3924 set thread context of 3056 | 3924 | msdt.exe | Explorer.EXE
PID 2648 set thread context of 688 | 2648 | helpxzbxnrbp.exe | helpxzbxnrbp.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | msdt.exe
File opened for modification | C:\Program Files (x86)\Qblq | Explorer.EXE
File created | C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is a generic heuristic (often associated with ransomware) and is not specific to the infostealer behaviour seen elsewhere in this report.
-
NSIS installer 6 IoCs
resource | yara_rule
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | nsis_installer_1
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | nsis_installer_2
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | nsis_installer_1
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | nsis_installer_2
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | nsis_installer_1
C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe | nsis_installer_2
-
Modifies Internet Explorer settings 1 IoCs
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msdt.exe
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes (60 entries, identical rows collapsed with a count):
pid | process | occurrences
1028 | DEC SOA_09012022.exe | 4
3924 | msdt.exe | 54
688 | helpxzbxnrbp.exe | 2
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3056 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 7 IoCs
Processes (7 entries, identical rows collapsed with a count):
pid | process | occurrences
1028 | DEC SOA_09012022.exe | 3
3924 | msdt.exe | 4
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1028 | DEC SOA_09012022.exe
Token: SeDebugPrivilege | 3924 | msdt.exe
Token: SeDebugPrivilege | 688 | helpxzbxnrbp.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (27 entries, identical rows collapsed with a count):
description | pid | process | target process | occurrences
PID 912 wrote to memory of 1028 | 912 | DEC SOA_09012022.exe | DEC SOA_09012022.exe | 6
PID 3056 wrote to memory of 3924 | 3056 | Explorer.EXE | msdt.exe | 3
PID 3924 wrote to memory of 1824 | 3924 | msdt.exe | cmd.exe | 3
PID 3924 wrote to memory of 3620 | 3924 | msdt.exe | cmd.exe | 3
PID 3056 wrote to memory of 2648 | 3056 | Explorer.EXE | helpxzbxnrbp.exe | 3
PID 3924 wrote to memory of 1184 | 3924 | msdt.exe | Firefox.exe | 3
PID 2648 wrote to memory of 688 | 2648 | helpxzbxnrbp.exe | helpxzbxnrbp.exe | 6
Processes (tree; the number in brackets is the nesting level from the original report)
- [1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\msdt.exe
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\DEC SOA_09012022.exe"
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - [3] C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  - [2] C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
    command line: "C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
      command line: "C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Qblq\helpxzbxnrbp.exe
  MD5: 6046b2f34b67e06c817f4375c6d26a54
  SHA1: 2230944a4216a07fde067866af7e81e1a52e8535
  SHA256: 56d2b2837e2856b61ad276a3b52151851a79e366c22c03652caf2ad2b50623db
  SHA512: 542a355b0b51c43d7462f255822401fcce56ba8a3c1f117a578f68c762cd329bf533667e8f6c1f56bad8ff71678954b59edec1da725b2a837bb401edcf94b2ac
- C:\Users\Admin\AppData\Local\Temp\DB1
  MD5: b608d407fc15adea97c26936bc6f03f6
  SHA1: 953e7420801c76393902c0d6bb56148947e41571
  SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
  SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
- C:\Users\Admin\AppData\Local\Temp\dzj7wydhstvhlw1sy23 (these are the digests of a zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\wklfmyml
  MD5: 50c3351485ffad798f860720ca86c51d
  SHA1: 0bc92630e09367fc9d874c171c556198add38267
  SHA256: 73075fdf0c62d3d9a9ea4b57f5dbd6349235be6ed8a848d95f0caf5de2f14448
  SHA512: d87494b1bde8c3f7002ff077d190a629d01acf5250ec36a0e00c4864681f83837b5b8599032f9c09c1c832a141ad281123d5d71579528e8dc7107913d2851018
- \Users\Admin\AppData\Local\Temp\nsi20D9.tmp\rwxef.dll
  MD5: 52944a6532acdb2543a8f6076c5b1eeb
  SHA1: f01e61cd9d9b724e1d77851440493858c008100b
  SHA256: 5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e
  SHA512: b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a
- \Users\Admin\AppData\Local\Temp\nsiB57.tmp\rwxef.dll
  MD5: 52944a6532acdb2543a8f6076c5b1eeb
  SHA1: f01e61cd9d9b724e1d77851440493858c008100b
  SHA256: 5432fa320cbf8e925f37aae93da2602d41e912dd8141332e38fb49b5c955290e
  SHA512: b5510b843f40ef0e4d30ecac150409634cad612701575ca4f022bee266dba9b703cfdbd60c11018001d030ed45f9496815773d9dda3953bfe85af4d99260e22a
Memory dumps
- memory/688-138-0x000000000041D440-mapping.dmp
- memory/688-140-0x00000000009D0000-0x0000000000CF0000-memory.dmp (filesize 3.1MB)
- memory/1028-120-0x00000000006D0000-0x00000000006E1000-memory.dmp (filesize 68KB)
- memory/1028-119-0x00000000009C0000-0x0000000000CE0000-memory.dmp (filesize 3.1MB)
- memory/1028-117-0x000000000041D440-mapping.dmp
- memory/1028-116-0x0000000000400000-0x0000000000429000-memory.dmp (filesize 164KB)
- memory/1824-125-0x0000000000000000-mapping.dmp
- memory/2648-131-0x0000000000000000-mapping.dmp
- memory/3056-128-0x0000000005C90000-0x0000000005DE4000-memory.dmp (filesize 1.3MB)
- memory/3056-121-0x0000000005790000-0x00000000058C8000-memory.dmp (filesize 1.2MB)
- memory/3620-129-0x0000000000000000-mapping.dmp
- memory/3924-127-0x00000000049F0000-0x0000000004A80000-memory.dmp (filesize 576KB)
- memory/3924-126-0x0000000004BA0000-0x0000000004EC0000-memory.dmp (filesize 3.1MB)
- memory/3924-124-0x0000000000A70000-0x0000000000A99000-memory.dmp (filesize 164KB)
- memory/3924-123-0x00000000010D0000-0x0000000001243000-memory.dmp (filesize 1.4MB)
- memory/3924-122-0x0000000000000000-mapping.dmp