Analysis
- max time kernel: 156s
- max time network: 156s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 20-01-2022 11:07

Static task: static1
Behavioral task: behavioral1
- Sample: scan doc_o1022111234.exe
- Resource: win7-en-20211208

General
- Target: scan doc_o1022111234.exe
- Size: 285KB
- MD5: 69ee93123716e7d21e0e527be980c22b
- SHA1: bb4b074dda0d143d36a6c4c572bd669be67fe0e5
- SHA256: 3866d4f2f3fa6a3cdedd0b3e4704b438881b0a147e75eeddacaeea85e52c669a
- SHA512: 36925cddedff3acb9a217ce35e8d676a46d76f5873471daf9e9cf512f2df5934fe263532b0ba789573fdc887eb211eee6cbe0988b8e22306d16ff211509c1edc
Malware Config
Extracted
- Family: xloader
- Version: 2.5
- Campaign: cxep
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/268-57-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp | xloader
  behavioral1/memory/1020-66-0x0000000000080000-0x00000000000A9000-memory.dmp | xloader

Deletes itself (1 IoC)
Processes:
  pid | process
  1392 | cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid | process
  1520 | scan doc_o1022111234.exe

Suspicious use of SetThreadContext (4 IoCs)
Processes:
  description | pid process | target process
  PID 1520 set thread context of 268 | 1520 scan doc_o1022111234.exe | scan doc_o1022111234.exe
  PID 268 set thread context of 1372 | 268 scan doc_o1022111234.exe | Explorer.EXE
  PID 268 set thread context of 1372 | 268 scan doc_o1022111234.exe | Explorer.EXE
  PID 1020 set thread context of 1372 | 1020 help.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  pid | process
  268 | scan doc_o1022111234.exe (3 entries)
  1020 | help.exe (25 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid | process
  1372 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
  pid | process
  268 | scan doc_o1022111234.exe (4 entries)
  1020 | help.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid process
  Token: SeDebugPrivilege | 268 scan doc_o1022111234.exe
  Token: SeDebugPrivilege | 1020 help.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  1372 | Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid | process
  1372 | Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description | pid process | target process
  PID 1520 wrote to memory of 268 | 1520 scan doc_o1022111234.exe | scan doc_o1022111234.exe (7 entries)
  PID 268 wrote to memory of 1020 | 268 scan doc_o1022111234.exe | help.exe (4 entries)
  PID 1020 wrote to memory of 1392 | 1020 help.exe | cmd.exe (4 entries)
Processes
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 1372
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   2. C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
      PID: 1520
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
         PID: 268
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\help.exe
            command line: "C:\Windows\SysWOW64\help.exe"
            PID: 1020
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               command line: /c del "C:\Users\Admin\AppData\Local\Temp\scan doc_o1022111234.exe"
               PID: 1392
               - Deletes itself
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsd3017.tmp\uyhlelrjb.dll
  MD5: 3b2bf8df341ac6f0edfe50a1ae7ff555
  SHA1: e9bdd7cbf9426b710c9ea60c36ee0b2183ebb602
  SHA256: eace00923a15331adc6214d609b21328047a13ffdd4e14cc5e2e142241c156ad
  SHA512: a127e8a748d8fa78b54e3cfbae47d147d93586f566b3d1a8a6cbc6e06df5f6ffdcc6abd61c4bf96d69b332f0646b90935fa2231d7be3cbfdd68975d387c9a6f1
- memory/268-62-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/268-57-0x0000000000400000-0x0000000000429000-memory.dmp
  Filesize: 164KB
- memory/268-58-0x0000000000800000-0x0000000000B03000-memory.dmp
  Filesize: 3.0MB
- memory/268-60-0x00000000002C0000-0x00000000002D1000-memory.dmp
  Filesize: 68KB
- memory/268-63-0x00000000003A0000-0x00000000003B1000-memory.dmp
  Filesize: 68KB
- memory/1020-65-0x0000000000B10000-0x0000000000B16000-memory.dmp
  Filesize: 24KB
- memory/1020-66-0x0000000000080000-0x00000000000A9000-memory.dmp
  Filesize: 164KB
- memory/1020-67-0x00000000006D0000-0x0000000000AD3000-memory.dmp
  Filesize: 4.0MB
- memory/1020-68-0x00000000003D0000-0x0000000000460000-memory.dmp
  Filesize: 576KB
- memory/1372-61-0x0000000003A00000-0x0000000003ABF000-memory.dmp
  Filesize: 764KB
- memory/1372-64-0x0000000006A20000-0x0000000006B7A000-memory.dmp
  Filesize: 1.4MB
- memory/1372-69-0x0000000003E40000-0x0000000003F16000-memory.dmp
  Filesize: 856KB
- memory/1520-55-0x0000000076371000-0x0000000076373000-memory.dmp
  Filesize: 8KB