Analysis
- Max time kernel: 154s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 20-01-2022 11:07
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SKM-973116391_PDF.pif.exe
  - Resource: win7-en-20211208
General
- Target: SKM-973116391_PDF.pif.exe
- Size: 297KB
- MD5: aefc9702ff5d6d9064ec8e5ea82e4870
- SHA1: 716ad70dc07a6b7d3c46209de8627bf3f3535361
- SHA256: ef986fa9ac50432d1fc1be8e0ace872cbf28cf51d967d6d35647aa3f77acf94e
- SHA512: e5180f0d131111627300dd3b61abae59cf77e0d2a4aa50d9b22dec1c270a865caed5fa4130174930ae2810584c4169e9bf56a0b597401014737d60b250580b55
Malware Config
Extracted:
- Family: xloader
- Version: 2.5
- Campaign: uar3
Signatures

Xloader Payload (2 IoCs)
Processes:
- behavioral1/memory/544-56-0x0000000000400000-0x0000000000429000-memory.dmp: matches yara rule xloader
- behavioral1/memory/1548-62-0x0000000000080000-0x00000000000A9000-memory.dmp: matches yara rule xloader

Deletes itself (1 IoC)
Processes:
- PID 1616 cmd.exe

Loads dropped DLL (1 IoC)
Processes:
- PID 1592 SKM-973116391_PDF.pif.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1592 SKM-973116391_PDF.pif.exe set thread context of PID 544 SKM-973116391_PDF.pif.exe
- PID 544 SKM-973116391_PDF.pif.exe set thread context of PID 1208 Explorer.EXE
- PID 1548 cmmon32.exe set thread context of PID 1208 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (29 IoCs)
Processes:
- PID 544 SKM-973116391_PDF.pif.exe (2 entries)
- PID 1548 cmmon32.exe (27 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 1208 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 544 SKM-973116391_PDF.pif.exe (3 entries)
- PID 1548 cmmon32.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 544 SKM-973116391_PDF.pif.exe: Token SeDebugPrivilege
- PID 1548 cmmon32.exe: Token SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 1208 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 1208 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
- PID 1592 SKM-973116391_PDF.pif.exe wrote to memory of PID 544 SKM-973116391_PDF.pif.exe (7 entries)
- PID 1208 Explorer.EXE wrote to memory of PID 1548 cmmon32.exe (4 entries)
- PID 1548 cmmon32.exe wrote to memory of PID 1616 cmd.exe (4 entries)
Processes
- Level 1: C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe (command line: "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe")
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe (command line: "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe")
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - Level 2: C:\Windows\SysWOW64\cmmon32.exe (command line: "C:\Windows\SysWOW64\cmmon32.exe")
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\SKM-973116391_PDF.pif.exe")
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nso2204.tmp\qhkurpf.dll
  - MD5: 4b585786f7c4954b6ec5fa47486c3e01
  - SHA1: def671ab058b9db6bb436c57be2ed88b8f80580c
  - SHA256: c553442735f0cf507ae1db7e5beb9dfd91e6e26759ba4b064cb284a684ed8aa9
  - SHA512: 38585b0152d9a2d74ce47caaf1d2eb83e314e2930268ca607ad40352b10b5669fbb2fc4700d653e19273f01e66f54a71b0e543f5e707d94913ec92a69633c29a
- memory/544-56-0x0000000000400000-0x0000000000429000-memory.dmp: filesize 164KB
- memory/544-58-0x0000000000730000-0x0000000000A33000-memory.dmp: filesize 3.0MB
- memory/544-59-0x0000000000480000-0x0000000000491000-memory.dmp: filesize 68KB
- memory/1208-60-0x0000000006290000-0x00000000063E6000-memory.dmp: filesize 1.3MB
- memory/1208-65-0x0000000005E20000-0x0000000005EBD000-memory.dmp: filesize 628KB
- memory/1548-61-0x00000000002C0000-0x00000000002CD000-memory.dmp: filesize 52KB
- memory/1548-62-0x0000000000080000-0x00000000000A9000-memory.dmp: filesize 164KB
- memory/1548-63-0x0000000002030000-0x0000000002333000-memory.dmp: filesize 3.0MB
- memory/1548-64-0x0000000001D60000-0x0000000001DF0000-memory.dmp: filesize 576KB
- memory/1592-54-0x0000000076151000-0x0000000076153000-memory.dmp: filesize 8KB