Resubmissions
17-01-2022 13:23
220117-qm875sach5 (score 10)
17-01-2022 13:18
220117-qj6mvaacf5 (score 10)
17-01-2022 13:06
220117-qb2zpaacc9 (score 10)
Analysis
max time kernel: 437s
max time network: 437s
platform: windows10_x64
resource: win10-en-20211208
submitted: 17-01-2022 13:23
Static task: static1
General
Target: BANK INFORMATION-M017012022-017016.gz.exe
Size: 268KB
MD5: 70efe8387b56122c7dd699f2721e29a9
SHA1: 4e4d75d7bcd6507b8739a9e5b5c835d317396aab
SHA256: b24fe0dd0ec4d61ac6903f6579d59dcffd17d0e002c96803a551aa3ab17367ef
SHA512: f4fa953a6571b7c42e5a99df2a0365407011e93d60442924c6798b6ed064ab01b31e2751cd4f30909aff3b7b782abe79dfbd2c12e9ff7665244c343bca246f1e
Malware Config
Extracted
xloader
2.5
be4o
Signatures
Xloader Payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/4492-120-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
behavioral1/memory/4492-121-0x000000000041D490-mapping.dmp | xloader
behavioral1/memory/4608-128-0x0000000002840000-0x0000000002869000-memory.dmp | xloader
Executes dropped EXE 1 IoCs
Processes:
pid | process
2184 | nrox8t5pmrt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | raserver.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3FWTOJSXLX = "C:\\Program Files (x86)\\Irt6hzl\\nrox8t5pmrt.exe" | raserver.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 3944 set thread context of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 4492 set thread context of 3052 | 4492 | aspnet_compiler.exe | Explorer.EXE
PID 4608 set thread context of 3052 | 4608 | raserver.exe | Explorer.EXE
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Irt6hzl\nrox8t5pmrt.exe | raserver.exe
File opened for modification | C:\Program Files (x86)\Irt6hzl | Explorer.EXE
File created | C:\Program Files (x86)\Irt6hzl\nrox8t5pmrt.exe | Explorer.EXE
File opened for modification | C:\Program Files (x86)\Irt6hzl\nrox8t5pmrt.exe | Explorer.EXE
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | taskmgr.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Modifies Internet Explorer settings
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | raserver.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
taskmgr.exeaspnet_compiler.exeraserver.exepid process 3584 taskmgr.exe 3584 taskmgr.exe 4492 aspnet_compiler.exe 4492 aspnet_compiler.exe 4492 aspnet_compiler.exe 4492 aspnet_compiler.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 4608 raserver.exe 4608 raserver.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
pid | process
3584 | taskmgr.exe
3052 | Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid | process
4492 | aspnet_compiler.exe
4492 | aspnet_compiler.exe
4492 | aspnet_compiler.exe
4608 | raserver.exe
4608 | raserver.exe
4608 | raserver.exe
4608 | raserver.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
taskmgr.exeBANK INFORMATION-M017012022-017016.gz.exeaspnet_compiler.exeExplorer.EXEraserver.exedescription pid process Token: SeDebugPrivilege 3584 taskmgr.exe Token: SeSystemProfilePrivilege 3584 taskmgr.exe Token: SeCreateGlobalPrivilege 3584 taskmgr.exe Token: SeDebugPrivilege 3944 BANK INFORMATION-M017012022-017016.gz.exe Token: SeDebugPrivilege 4492 aspnet_compiler.exe Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeDebugPrivilege 4608 raserver.exe Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE 
Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE Token: SeShutdownPrivilege 3052 Explorer.EXE Token: SeCreatePagefilePrivilege 3052 Explorer.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe 3584 taskmgr.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 3944 wrote to memory of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 3944 wrote to memory of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 3944 wrote to memory of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 3944 wrote to memory of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 3944 wrote to memory of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 3944 wrote to memory of 4492 | 3944 | BANK INFORMATION-M017012022-017016.gz.exe | aspnet_compiler.exe
PID 3052 wrote to memory of 4608 | 3052 | Explorer.EXE | raserver.exe
PID 3052 wrote to memory of 4608 | 3052 | Explorer.EXE | raserver.exe
PID 3052 wrote to memory of 4608 | 3052 | Explorer.EXE | raserver.exe
PID 4608 wrote to memory of 4600 | 4608 | raserver.exe | cmd.exe
PID 4608 wrote to memory of 4600 | 4608 | raserver.exe | cmd.exe
PID 4608 wrote to memory of 4600 | 4608 | raserver.exe | cmd.exe
PID 4608 wrote to memory of 1876 | 4608 | raserver.exe | cmd.exe
PID 4608 wrote to memory of 1876 | 4608 | raserver.exe | cmd.exe
PID 4608 wrote to memory of 1876 | 4608 | raserver.exe | cmd.exe
PID 3052 wrote to memory of 2184 | 3052 | Explorer.EXE | nrox8t5pmrt.exe
PID 3052 wrote to memory of 2184 | 3052 | Explorer.EXE | nrox8t5pmrt.exe
PID 3052 wrote to memory of 2184 | 3052 | Explorer.EXE | nrox8t5pmrt.exe
PID 4608 wrote to memory of 2832 | 4608 | raserver.exe | Firefox.exe
PID 4608 wrote to memory of 2832 | 4608 | raserver.exe | Firefox.exe
PID 4608 wrote to memory of 2832 | 4608 | raserver.exe | Firefox.exe
Processes
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Local\Temp\BANK INFORMATION-M017012022-017016.gz.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\BANK INFORMATION-M017012022-017016.gz.exe"
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (level 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe (level 2)
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
C:\Windows\SysWOW64\raserver.exe (level 2)
Command line: "C:\Windows\SysWOW64\raserver.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
C:\Windows\SysWOW64\cmd.exe (level 3)
Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
C:\Program Files\Mozilla Firefox\Firefox.exe (level 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
C:\Program Files (x86)\Irt6hzl\nrox8t5pmrt.exe (level 2)
Command line: "C:\Program Files (x86)\Irt6hzl\nrox8t5pmrt.exe"
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Irt6hzl\nrox8t5pmrt.exe
MD5: 1e98e92a982af948ee18ee819a2d8ad1
SHA1: 6cb0bd87815118351e5e32c50b434079dfba255c
SHA256: 235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778
SHA512: 6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f
C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
memory/1876-133-0x0000000000000000-mapping.dmp
memory/2184-134-0x0000000000000000-mapping.dmp
memory/2184-139-0x0000000005660000-0x0000000005B8C000-memory.dmp
Filesize: 5.2MB
memory/2184-138-0x00000000008C0000-0x00000000008D0000-memory.dmp
Filesize: 64KB
memory/3052-132-0x0000000002790000-0x0000000002840000-memory.dmp
Filesize: 704KB
memory/3052-125-0x0000000004E10000-0x0000000004F0A000-memory.dmp
Filesize: 1000KB
memory/3944-118-0x00000000014A0000-0x00000000014AE000-memory.dmp
Filesize: 56KB
memory/3944-115-0x0000000000D30000-0x0000000000D76000-memory.dmp
Filesize: 280KB
memory/3944-119-0x000000001BBF0000-0x000000001BBF2000-memory.dmp
Filesize: 8KB
memory/3944-117-0x0000000001460000-0x000000000149A000-memory.dmp
Filesize: 232KB
memory/3944-116-0x0000000000D30000-0x0000000000D76000-memory.dmp
Filesize: 280KB
memory/4492-121-0x000000000041D490-mapping.dmp
memory/4492-124-0x00000000011D0000-0x000000000131A000-memory.dmp
Filesize: 1.3MB
memory/4492-122-0x0000000001770000-0x0000000001A90000-memory.dmp
Filesize: 3.1MB
memory/4492-120-0x0000000000400000-0x0000000000429000-memory.dmp
Filesize: 164KB
memory/4600-129-0x0000000000000000-mapping.dmp
memory/4608-131-0x00000000041C0000-0x0000000004250000-memory.dmp
Filesize: 576KB
memory/4608-130-0x00000000043F0000-0x0000000004710000-memory.dmp
Filesize: 3.1MB
memory/4608-128-0x0000000002840000-0x0000000002869000-memory.dmp
Filesize: 164KB
memory/4608-127-0x0000000000290000-0x00000000002AF000-memory.dmp
Filesize: 124KB
memory/4608-126-0x0000000000000000-mapping.dmp