Analysis
-
max time kernel
156s -
max time network
165s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
21-01-2022 14:26
Static task
static1
Behavioral task
behavioral1
Sample
DHL_AWB# 9678547836.exe
Resource
win7-en-20211208
General
-
Target
DHL_AWB# 9678547836.exe
-
Size
326KB
-
MD5
c8df5e6047cd338743e32c7e79067a45
-
SHA1
848cdb2e9b7415ca7689b74ffd076fb92a8637a4
-
SHA256
5111f4fa05b89a9d727c4686485acedc16553a7715fd36776c68972acf8e5382
-
SHA512
c18533cd152b2ea6c395d6224f0dcbc73f3583bb4b8b902cf967c906a5c5df634976741a9f90977fa05e487277d79c4ac7e85f5216921f4c78bde1abd7f36436
Malware Config
Extracted
xloader
2.5
dtt3
edilononlineshop.com
cursosd.com
viellacharteredland.com
increasey0urenergylevels.codes
yjy-hotel.com
claym.xyz
reelsguide.com
gives-cardano.com
ashrafannuar.com
mammalians.com
rocketleaguedads.com
yubierp.com
minimi36.com
chn-chn.com
jagojp888.com
parsian-shetab.com
273351.com
mdtouhid.com
babedads.com
vallinam2.com
buro-tic.com
az-rent.net
shifaebio.xyz
circuitoalberghiero.com
xn--b1afb9b.xn--p1acf
canlioyundasin.online
sachainchirajaomega.com
scandinest.com
pluky.net
tpxcy.com
nbg.global
automountproducts.com
hghbj.com
beachsidecoatings.com
householdertips.com
coworkingspace.online
doujyou.com
tenloe053.xyz
udpbkp.biz
kondanginyuk.online
zipiter.com
christiankrog.com
reliantrecruitinggroup.com
acrylicus.com
cruelgirls.biz
oeinsulation.com
mapnft.xyz
leadersfort.com
foodroutine.com
mayerohio.info
systemofsolutions.com
gideonajibike.com
bigboobz.net
townofis.com
mhkxlgs.com
sussaautocare.com
quicktle.com
boutiquedangel.com
garrisonroadhouse.com
stiff-pols.art
cabalaconsultores.com
theweddinggame.net
themoneymagicians.com
overtonesa.com
janasflannels.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2096-119-0x0000000000400000-0x0000000000429000-memory.dmp xloader behavioral2/memory/2096-122-0x00000000009B0000-0x0000000000ED0000-memory.dmp xloader behavioral2/memory/3320-125-0x00000000027B0000-0x00000000027D9000-memory.dmp xloader -
Loads dropped DLL 1 IoCs
Processes:
DHL_AWB# 9678547836.exepid process 2684 DHL_AWB# 9678547836.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
DHL_AWB# 9678547836.exeDHL_AWB# 9678547836.exeraserver.exedescription pid process target process PID 2684 set thread context of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 2096 set thread context of 3068 2096 DHL_AWB# 9678547836.exe Explorer.EXE PID 3320 set thread context of 3068 3320 raserver.exe Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
DHL_AWB# 9678547836.exeraserver.exepid process 2096 DHL_AWB# 9678547836.exe 2096 DHL_AWB# 9678547836.exe 2096 DHL_AWB# 9678547836.exe 2096 DHL_AWB# 9678547836.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe 3320 raserver.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3068 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
DHL_AWB# 9678547836.exeraserver.exepid process 2096 DHL_AWB# 9678547836.exe 2096 DHL_AWB# 9678547836.exe 2096 DHL_AWB# 9678547836.exe 3320 raserver.exe 3320 raserver.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
DHL_AWB# 9678547836.exeraserver.exedescription pid process Token: SeDebugPrivilege 2096 DHL_AWB# 9678547836.exe Token: SeDebugPrivilege 3320 raserver.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
DHL_AWB# 9678547836.exeExplorer.EXEraserver.exedescription pid process target process PID 2684 wrote to memory of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 2684 wrote to memory of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 2684 wrote to memory of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 2684 wrote to memory of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 2684 wrote to memory of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 2684 wrote to memory of 2096 2684 DHL_AWB# 9678547836.exe DHL_AWB# 9678547836.exe PID 3068 wrote to memory of 3320 3068 Explorer.EXE raserver.exe PID 3068 wrote to memory of 3320 3068 Explorer.EXE raserver.exe PID 3068 wrote to memory of 3320 3068 Explorer.EXE raserver.exe PID 3320 wrote to memory of 508 3320 raserver.exe cmd.exe PID 3320 wrote to memory of 508 3320 raserver.exe cmd.exe PID 3320 wrote to memory of 508 3320 raserver.exe cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\DHL_AWB# 9678547836.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsbD341.tmp\vbxaftxp.dllMD5
b352c7e713aa81796cbdc8bf0827b5f0
SHA12e0a7c042322c8beb99ac7a9b66645e6f35b8c2a
SHA256e096ec2151b53c081e3c7a6e712c04632dc6173f5d2f9a9ad3981da8ce718ef7
SHA51222fc7ca17f8459a996823d8c37bf835927a58f564f0998aeeab77d7f1ee64484199f2be16c41c2b0ce021b4c1edda3c499b80ed1a757b957abb29d0cf3ab5e1f
-
memory/2096-119-0x0000000000400000-0x0000000000429000-memory.dmpFilesize
164KB
-
memory/2096-121-0x00000000009B0000-0x0000000000CD0000-memory.dmpFilesize
3.1MB
-
memory/2096-122-0x00000000009B0000-0x0000000000ED0000-memory.dmpFilesize
5.1MB
-
memory/3068-123-0x0000000001100000-0x00000000011EE000-memory.dmpFilesize
952KB
-
memory/3068-128-0x0000000006870000-0x000000000698A000-memory.dmpFilesize
1.1MB
-
memory/3320-124-0x00000000003E0000-0x00000000003FF000-memory.dmpFilesize
124KB
-
memory/3320-125-0x00000000027B0000-0x00000000027D9000-memory.dmpFilesize
164KB
-
memory/3320-126-0x00000000047A0000-0x0000000004AC0000-memory.dmpFilesize
3.1MB
-
memory/3320-127-0x0000000004470000-0x00000000045FE000-memory.dmpFilesize
1.6MB