Analysis
- max time kernel: 147s
- max time network: 145s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 14-01-2022 10:00
Static task: static1
Behavioral task: behavioral1
- Sample: IMG-000284794.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: IMG-000284794.exe
- Resource: win10-en-20211208
General
- Target: IMG-000284794.exe
- Size: 1.2MB
- MD5: abd28466f7cb80d6da36fed9f3e6bef4
- SHA1: fb2911028f32b2b3c07004a21e84773e3efd1519
- SHA256: 5686f840b9b2834952367cd9c37ec4c8385bcc90348dd3a92e488c0faebed85a
- SHA512: 0c6aa40cc0797ae3e59bf863bce36c1bb4a96760aa2897b8b03706da83e24a9009fbda569a243c890c7013d4f6e1514e73349757b16c0b318407019ad1e51586
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: c6si
- Decoy domains (XLoader hides its real C2 in a list of decoys and beacons to several of them per cycle, so treat any single entry below as a low-confidence indicator unless the network capture corroborates it):
tristateinc.construction
americanscaregroundstexas.com
kanimisoshiru.com
wihling.com
fishcheekstosa.com
parentsfuid.com
greenstandmarket.com
fc8fla8kzq.com
gametwist-83.club
jobsncvs.com
directrealtysells.com
avida2015.com
conceptasite.net
arkaneattire.com
indev-mobility.info
2160centurypark412.com
valefloor.com
septembership.com
stackflix.com
jimc0sales.net
socialviralup.com
lastra41.com
juliaepaulovaocasar.com
jurisagora.com
drawandgrow.online
rebekahlouise.com
herport-fr.com
iphone13.webcam
appz-one.net
inpost-pl.net
promocion360fitness.com
global-forbes.biz
diamondtrade.net
albertcantos.com
gtgits.com
travel-ai.online
busipe6.com
mualikesubvn.com
niftyhandy.com
docprops.com
lido88.bet
baywoodphotography.com
cargosouq.info
newsnowlive.online
floridafishingoverboard.com
missnikissalsa.net
walletvalidate.space
kissimmeeinternationalcup.com
charterhome.school
gurujupiter.com
entertainmentwitchy.com
jokeaou.com
sugarmountainfirearms.com
iss-sa.com
smittyssierra.com
freedomoff.com
giftoin.com
realitystararmwrestling.com
salsalunch-equallyage.com
ladouba.com
thepropertygoat.com
bestofmerrick.guide
4the.top
regioinversiones.com
129qihu.com
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (alerted twice)
The rule name says FormBook because XLoader is the renamed continuation of FormBook and keeps the same HTTP check-in format; the alert is consistent with the xloader configuration extracted above.
Xloader Payload (3 IoCs)
resource                                                                    yara_rule
behavioral1/memory/544-61-0x0000000000400000-0x0000000000429000-memory.dmp  xloader
behavioral1/memory/544-62-0x000000000041D4B0-mapping.dmp                    xloader
behavioral1/memory/560-70-0x0000000000080000-0x00000000000A9000-memory.dmp  xloader

Suspicious use of SetThreadContext (3 IoCs)
source PID  source process          target PID  target process
1476        IMG-000284794.exe       544         aspnet_regbrowsers.exe
544         aspnet_regbrowsers.exe  1240        Explorer.EXE
560         chkdsk.exe              1240        Explorer.EXE

Enumerates system info in registry (2 TTPs, 1 IoC)
ioc                                                                         process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  chkdsk.exe

Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid   process                 count
544   aspnet_regbrowsers.exe  2
560   chkdsk.exe              24

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   process
1240  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process                 count
544   aspnet_regbrowsers.exe  3
560   chkdsk.exe              2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
token             pid   process
SeDebugPrivilege  1476  IMG-000284794.exe
SeDebugPrivilege  544   aspnet_regbrowsers.exe
SeDebugPrivilege  560   chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   process       count
1240  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
pid   process       count
1240  Explorer.EXE  2

Suspicious use of WriteProcessMemory (15 IoCs)
source PID  source process     target PID  target process          count
1476        IMG-000284794.exe  544         aspnet_regbrowsers.exe  7
1240        Explorer.EXE       560         chkdsk.exe              4
560         chkdsk.exe         288         cmd.exe                 4
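Read together, the SetThreadContext and WriteProcessMemory tables above describe a hand-off chain: the dropper (1476) writes into and re-points a thread of a freshly started aspnet_regbrowsers.exe (544), that process hijacks a thread in the already-running Explorer.EXE (1240), Explorer then spawns and writes into chkdsk.exe (560), and chkdsk.exe drives cmd.exe (288). The following is an added example, not part of the sandbox report or of the sandbox vendor's tooling, that reconstructs that chain from the report's rows. The rows are embedded as constructed input in a line layout of this example's own; the code separates the hollowing pair (WriteProcessMemory and SetThreadContext across the same process boundary) from thread hijacks into the shell, and walks the edges from the dropper's PID.

```python
import re
from collections import defaultdict

# Constructed input (not a sandbox export): the cross-process events from the
# report's SetThreadContext and WriteProcessMemory tables, one event per line,
# with repeats collapsed. The line layout is this example's own.
SANDBOX_EVENTS = """\
PID 1476 set thread context of 544 1476 IMG-000284794.exe aspnet_regbrowsers.exe
PID 544 set thread context of 1240 544 aspnet_regbrowsers.exe Explorer.EXE
PID 560 set thread context of 1240 560 chkdsk.exe Explorer.EXE
PID 1476 wrote to memory of 544 1476 IMG-000284794.exe aspnet_regbrowsers.exe
PID 1240 wrote to memory of 560 1240 Explorer.EXE chkdsk.exe
PID 560 wrote to memory of 288 560 chkdsk.exe cmd.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
API_BY_VERB = {
    "set thread context of": "SetThreadContext",
    "wrote to memory of": "WriteProcessMemory",
}


def parse_events(text):
    """Turn 'PID A <verb> B A img_a img_b' rows into dicts; skip anything else."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({
                "src": int(m["src"]), "dst": int(m["dst"]),
                "api": API_BY_VERB[m["verb"]],
                "src_img": m["src_img"], "dst_img": m["dst_img"],
            })
    return events


def build_graph(events):
    """Edges (src_pid, dst_pid) -> set of APIs used across that boundary,
    plus a pid -> image-name map recovered from the rows."""
    graph, images = defaultdict(set), {}
    for e in events:
        graph[(e["src"], e["dst"])].add(e["api"])
        images[e["src"]] = e["src_img"]
        images[e["dst"]] = e["dst_img"]
    return dict(graph), images


def hollowing_candidates(graph):
    """A process that both writes a peer's memory and rewrites one of its thread
    contexts shows the WriteProcessMemory + SetThreadContext pair used by
    process hollowing / thread hijacking."""
    need = {"WriteProcessMemory", "SetThreadContext"}
    return sorted(pair for pair, apis in graph.items() if need <= apis)


def shell_hijacks(graph, images, shell="explorer.exe"):
    """SetThreadContext into the already-running shell: the source did not
    create Explorer, so this is injection into a pre-existing process."""
    return sorted(
        (src, dst) for (src, dst), apis in graph.items()
        if "SetThreadContext" in apis and images.get(dst, "").lower() == shell
    )


def injection_chain(graph, start):
    """Depth-first walk over cross-process edges from a seed PID, visiting each
    process once; the resulting order is the hand-off order of the payload."""
    chain, seen, stack = [], set(), [start]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        # push larger PIDs first so smaller ones pop first (deterministic order)
        stack.extend(sorted({d for (s, d) in graph if s == pid}, reverse=True))
    return chain


if __name__ == "__main__":
    g, imgs = build_graph(parse_events(SANDBOX_EVENTS))
    print("hollowing pairs:", hollowing_candidates(g))
    print("thread hijacks into shell:", shell_hijacks(g, imgs))
    print("chain:", " -> ".join(f"{p} {imgs[p]}" for p in injection_chain(g, 1476)))
```

On this report the script reports (1476, 544) as the only hollowing pair, two hijacks into Explorer.EXE (from 544 and from 560), and the chain 1476 -> 544 -> 1240 -> 560 -> 288. The 1240 -> 560 edge is the detection-relevant one: Explorer.EXE writing into a process it just started is not something a clean shell does, and it survives even when the dropper and the hollowed .NET host have already exited.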
Processes (PIDs taken from the signature tables above)
C:\Windows\Explorer.EXE  (PID 1240; command line: C:\Windows\Explorer.EXE)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IMG-000284794.exe  (PID 1476; command line: "C:\Users\Admin\AppData\Local\Temp\IMG-000284794.exe")
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe  (PID 544; command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe  (PID 560; command line: "C:\Windows\SysWOW64\chkdsk.exe")
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 288; command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe")
Downloads (memory dumps from behavioral1; size as reported)
- memory/288-68-0x0000000000000000-mapping.dmp
- memory/544-59-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/544-60-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/544-65-0x00000000002A0000-0x00000000002B1000-memory.dmp  68KB
- memory/544-63-0x0000000000930000-0x0000000000C33000-memory.dmp  3.0MB
- memory/544-62-0x000000000041D4B0-mapping.dmp
- memory/544-61-0x0000000000400000-0x0000000000429000-memory.dmp  164KB
- memory/560-67-0x0000000000000000-mapping.dmp
- memory/560-70-0x0000000000080000-0x00000000000A9000-memory.dmp  164KB
- memory/560-71-0x0000000002070000-0x0000000002373000-memory.dmp  3.0MB
- memory/560-69-0x0000000000700000-0x0000000000707000-memory.dmp  28KB
- memory/560-72-0x0000000001DA0000-0x0000000001E30000-memory.dmp  576KB
- memory/1240-66-0x00000000041D0000-0x00000000042A3000-memory.dmp  844KB
- memory/1240-73-0x0000000002B70000-0x0000000002C2A000-memory.dmp  744KB
- memory/1476-58-0x00000000002F0000-0x0000000000304000-memory.dmp  80KB
- memory/1476-57-0x0000000001F30000-0x0000000001F31000-memory.dmp  4KB
- memory/1476-55-0x0000000000330000-0x000000000045E000-memory.dmp  1.2MB
- memory/1476-56-0x0000000000330000-0x000000000045E000-memory.dmp  1.2MB
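Each dump name above encodes the PID, a per-run sequence number and the address range of the dumped region. The following is an added example, not part of the report, that parses those names, reproduces the report's size column from the address range, and groups region dumps by size across PIDs. The dump names are embedded as constructed input copied from the list. The point it surfaces: the 164KB region dumped three times at 0x400000 in aspnet_regbrowsers.exe (pid 544) and once at 0x80000 in chkdsk.exe (pid 560) are the two YARA-flagged xloader regions, and a same-size, different-base pair across two processes is what one expects when a single unpacked payload is relocated into a second host.

```python
import re
from collections import defaultdict

# Constructed input: the dump names from the report's Downloads list (behavioral1).
DUMP_NAMES = [
    "memory/288-68-0x0000000000000000-mapping.dmp",
    "memory/544-59-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/544-60-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/544-65-0x00000000002A0000-0x00000000002B1000-memory.dmp",
    "memory/544-63-0x0000000000930000-0x0000000000C33000-memory.dmp",
    "memory/544-62-0x000000000041D4B0-mapping.dmp",
    "memory/544-61-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/560-67-0x0000000000000000-mapping.dmp",
    "memory/560-70-0x0000000000080000-0x00000000000A9000-memory.dmp",
    "memory/560-71-0x0000000002070000-0x0000000002373000-memory.dmp",
    "memory/560-69-0x0000000000700000-0x0000000000707000-memory.dmp",
    "memory/560-72-0x0000000001DA0000-0x0000000001E30000-memory.dmp",
    "memory/1240-66-0x00000000041D0000-0x00000000042A3000-memory.dmp",
    "memory/1240-73-0x0000000002B70000-0x0000000002C2A000-memory.dmp",
    "memory/1476-58-0x00000000002F0000-0x0000000000304000-memory.dmp",
    "memory/1476-57-0x0000000001F30000-0x0000000001F31000-memory.dmp",
    "memory/1476-55-0x0000000000330000-0x000000000045E000-memory.dmp",
    "memory/1476-56-0x0000000000330000-0x000000000045E000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp
NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Decode one dump name; returns None for anything that is not a dump name.
    'mapping' dumps carry only an address, so their size is None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]), "seq": int(m["seq"]),
        "start": start, "end": end, "kind": m["kind"],
        "size": (end - start) if end is not None else None,
    }


def human_size(nbytes):
    """Reproduce the report's rounding: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def cross_pid_same_size(names):
    """Sizes of region dumps that appear under more than one PID. A payload that
    is relocated into another process keeps its size, so this is a cheap way to
    spot the same unpacked image in several hosts before any YARA matching."""
    by_size = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        if d and d["kind"] == "memory":
            by_size[d["size"]].add(d["pid"])
    return {s: pids for s, pids in by_size.items() if len(pids) > 1}


if __name__ == "__main__":
    for n in DUMP_NAMES:
        d = parse_dump_name(n)
        size = human_size(d["size"]) if d["size"] is not None else "-"
        print(f"pid {d['pid']:>5}  seq {d['seq']:>3}  {d['kind']:<7} {size:>6}  {n}")
    for size, pids in sorted(cross_pid_same_size(DUMP_NAMES).items()):
        print(f"shared size {human_size(size)} across pids {sorted(pids)}")
```

The script reports two sizes shared across PIDs: 164KB (544 and 560) and 3.0MB (544 and 560); every other region is unique to one process. 0x400000 is the default image base of a 32-bit PE, so the 164KB region in pid 544 sitting there is consistent with the hollowed process's original image having been replaced in place, whereas 0x80000 in chkdsk.exe is a fresh allocation inside an otherwise untouched host.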